Account Takeover / Credential Stuffing

Fraudsters Go for Olympics Gold Attacking Streaming Sites, but are Foiled by Arkose Labs

August 13, 2021 · 3 min read

Since the establishment of the Olympic Games in ancient Greece in 776 B.C., the event has been an occasion for athletes and competitors from around the world to test their skills against the very best. This year, while many of us marveled at the amazing feats in gymnastics, track & field, swimming, and more, some fraudsters were attacking streaming sites to show off their skills in the realm of credential stuffing. While they aimed for gold in this particular dark art, they were foiled by Arkose Labs. 

The Arkose Labs platform protects one of the most prominent and popular streaming media platforms, which was also one of the platforms that broadcast the Olympic Games. During the games, Arkose Labs detected a much larger spike in traffic to the streaming platform than normal. Much of this, however, was not simply an increase in viewers coming to watch feats of athletic strength and speed, but fraudsters performing credential stuffing attacks. In fact, credential stuffing attacks spiked by 52% during the week of the opening ceremony, peaking during the closing ceremony.

Credential stuffing is one of the major attacks that powers account takeover fraud. It occurs when fraudsters use automation to try millions of username and password combinations against accounts until they get a match. Years of data breaches have exposed these usernames and passwords, and large lists can be purchased on the Dark Web for relatively little. Some are even posted for free on sites like Pastebin.

Account takeover attacks are highly popular among fraudsters because of the numerous ways they can be monetized. They can drain money from an account or steal personal information and resell it to other criminals. They can use the compromised accounts to launder or move stolen money obtained from another crime. And there are many industry-specific paths to monetization as well.

In attacking streaming sites, fraudsters often seek to launch mass attacks at scale, since these accounts are not as lucrative as, say, financial accounts. This means fraudsters need volume to make money and gain access to as many accounts as possible to resell access to others. So if a person is paying $15/month for a streaming platform and their account gets hacked, the fraudster might sell access to that account to any number of people for a one-time fee of a few dollars each.

No Olympic Glory for Credential Stuffing

After the credential stuffing attacks were detected, the Arkose Labs platform put them to an almost immediate stop. 

Arkose Labs monitors all traffic for known signals of abuse, using behavioral fingerprints, velocity and rate monitoring, and a proprietary user IP database. The solution embeds an Arkose Labs token into the web application or mobile SDK, and each request dynamically verifies that the token has passed from the client to the server. Furthermore, for managed services clients, Arkose Labs proactively monitors all traffic for signs of attack patterns and works with the client to remediate them.
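To make the velocity and rate monitoring mentioned above concrete, here is an added example (not Arkose Labs code, and not a description of their detection logic) that applies two per-source velocity signals to a handful of constructed authentication log lines: the number of login attempts from one IP inside a sliding window, and the number of distinct usernames tried from that IP. The log format, the sample IPs and usernames, and the thresholds are all assumptions made for the illustration.

```python
"""Velocity-based credential stuffing detection over constructed auth log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): timestamp, client IP, username, outcome.
# 198.51.100.7 cycles through many usernames in seconds (stuffing pattern);
# 203.0.113.42 is one user retrying their own password; 192.0.2.9 logs in once.
SAMPLE_LOG = """\
2021-07-23T20:00:01Z 198.51.100.7 alice FAIL
2021-07-23T20:00:02Z 198.51.100.7 bob FAIL
2021-07-23T20:00:02Z 198.51.100.7 carol FAIL
2021-07-23T20:00:03Z 198.51.100.7 dave FAIL
2021-07-23T20:00:03Z 198.51.100.7 erin FAIL
2021-07-23T20:00:04Z 198.51.100.7 frank OK
2021-07-23T20:00:10Z 203.0.113.42 grace FAIL
2021-07-23T20:00:40Z 203.0.113.42 grace FAIL
2021-07-23T20:01:05Z 203.0.113.42 grace OK
2021-07-23T20:02:00Z 192.0.2.9 heidi OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_stuffing(log_text, window=timedelta(seconds=60), max_attempts=5, max_users=3):
    """Return {ip: reason} for sources whose login velocity looks like credential stuffing.

    Two signals are evaluated per source IP over a sliding time window:
      * attempt velocity: more than `max_attempts` login attempts inside `window`
      * username spread: more than `max_users` distinct usernames inside `window`
    Attempts are counted regardless of outcome, because the successful hit in a
    stuffing run is exactly the event a defender wants to catch.
    """
    events = defaultdict(deque)  # ip -> deque of (timestamp, username) still inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, ip, user, _outcome = parse_line(line)
        q = events[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # evict events that fell out of the window
            q.popleft()
        attempts = len(q)
        distinct = len({u for _, u in q})
        if attempts > max_attempts:
            flagged[ip] = f"{attempts} attempts in {window.seconds}s"
        elif distinct > max_users:
            flagged[ip] = f"{distinct} distinct usernames in {window.seconds}s"
    return flagged


if __name__ == "__main__":
    for ip, reason in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

On the sample above only 198.51.100.7 is flagged; the legitimate retries from 203.0.113.42 stay under both thresholds. Per-IP velocity alone is a weak signal once attempts are spread across many proxies, which is why the text pairs rate monitoring with behavioral fingerprints and an IP reputation database rather than relying on counts by themselves.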

Known malicious bot traffic, such as the bots that power credential stuffing, is served with a dynamic enforcement challenge. These challenges are designed against the grain of machine vision technology, meaning they cannot be solved by bots.

After Arkose Labs detected these attacks, the credential stuffing attempts went down by more than 99% from a peak of nearly 6.5 million.

This meant viewers could marvel at the spectacle of the Olympic Games without having to worry about whether their accounts were safe.