How Attackers Use APIs to Disguise Bots as Games Consoles
Attackers and bot authors are continually evolving their methods, shifting their focus beyond just websites.
With websites often having a reasonable level of protection, malicious actors are increasingly targeting less-protected areas, namely APIs, with their bots.
This blog post delves into the evolving threat landscape. We’ll focus on how attackers exploit APIs and IoT devices to launch attacks like credential stuffing, using streaming services as a prime example.
Bots Evolve to Bypass Defenses
Attackers have been diverting their attention from well-protected websites to APIs. This isn’t just limited to publicly available APIs but also extends to APIs that sit behind websites and apps. These typically have less protection, making them attractive targets for bots.
Attackers monitor and reverse-engineer how apps and websites interact with APIs to identify areas of weakness. As API communication is machine-to-machine, it’s easy to hide malicious automated requests within expected traffic between API endpoints.
How Bots Target Streaming via IoT Devices
36% of television is now watched via streaming apps, overtaking broadcast and cable TV in recent years. Streaming services maintain apps across all major TV-connected devices and services, from games consoles to smart TV operating systems.
The rise of attacks from web-enabled or IoT (Internet of Things) devices is of particular concern to streaming services. These devices lack robust client-side bot defenses, making them vulnerable and attractive to attackers.
Mimicking Vulnerable Devices
An increasingly popular tactic used by attackers is mimicking the behavior of vulnerable devices. By observing how devices like Xbox consoles or set-top boxes interact with servers, typically via APIs, attackers can create strategies to bypass defenses.
Many IoT devices have very limited functionality and cannot deploy additional protective measures to their apps. Unlike websites where you can configure and deploy various client-side protections, these devices offer limited options. This creates a challenge for cybersecurity defenses and an opening for bot attacks like credential stuffing.
How Credential Stuffing Works via APIs
Credential stuffing is an automated attack that validates leaked username and password pairs on other web services. Bots can enter millions of credential pairs into login pages within minutes. Where a user has reused credentials exposed in a leak elsewhere, attackers can access their account on the targeted service.
Rather than using hundreds of real smart TVs and games consoles to test stolen credentials on their target service, attackers use automated bots to emulate the API calls those devices make. They often present user agents associated with specific devices to fool defenses, so that their login requests pass as legitimate device traffic.
Watch a credential stuffing attack in action and learn how they work in this webinar: Dissecting the Bots Threatening Streaming Services.
Limitations of Client-Based Security
Because these devices cannot run client-side protection themselves, it is crucial to wrap them in defensive layers that do not need to be deployed directly on the device. This layered defense approach provides an additional shield, enhancing the security of the overall system.
Netacea’s Agentless Solution
Netacea has developed a robust solution to defend against these increasingly sophisticated attacks. Netacea’s system was designed to not rely on agents being deployed on the end-user device or client.
Instead, Netacea monitors the interaction between the device and the server, detecting malicious patterns of behavior within that activity.
This approach allows Netacea to defend any web-based property – whether a website, API, mobile app, legacy device, set-top box, or console – with the same high level of accuracy.
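The following is an added example, not Netacea's code, illustrating both points above: a credential stuffing bot can copy a console's user agent exactly, but a server-side monitor that looks only at the behaviour of each source (many usernames, many failures, in a short window) can still separate it from a real device logging in. The JSON-lines log format, the field names, the Xbox user agent string and all sample events are assumptions constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed user agent shape for an Xbox console; a bot copies it verbatim.
XBOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Xbox; Xbox One)"


def build_sample_log():
    """Construct sample login-API events as JSON lines (not real traffic).

    A genuine console at 198.51.100.7 mistypes once, then succeeds.
    A bot at 203.0.113.42 presents the same user agent but cycles through
    40 leaked username/password pairs in 20 seconds; two of those users
    reused their password elsewhere, so those attempts succeed.
    """
    base = datetime(2024, 2, 11, 23, 30, tzinfo=timezone.utc)
    events = [
        {"ts": base, "src_ip": "198.51.100.7", "user_agent": XBOX_UA,
         "username": "alice", "status": 401},
        {"ts": base + timedelta(seconds=12), "src_ip": "198.51.100.7",
         "user_agent": XBOX_UA, "username": "alice", "status": 200},
    ]
    for i in range(40):
        events.append({
            "ts": base + timedelta(milliseconds=500 * i),
            "src_ip": "203.0.113.42",
            "user_agent": XBOX_UA,
            "username": f"leaked_user_{i:03d}",
            "status": 200 if i in (17, 33) else 401,
        })
    return [json.dumps({**e, "ts": e["ts"].isoformat()}) for e in events]


def parse_line(line):
    """Parse one JSON log line (assumed format) into a dict with a datetime ts."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_stuffing(lines, window=timedelta(seconds=60), min_attempts=20,
                    min_distinct_users=10, min_failure_ratio=0.8):
    """Flag source IPs whose login behaviour looks like credential stuffing.

    Events are grouped per source IP and a time window is slid over them.
    An IP is flagged when one window holds many attempts against many
    distinct usernames with a high failure rate. The claimed user agent
    plays no part in the decision; it is only recorded so an analyst can
    see which device the traffic was impersonating. The finding keeps the
    busiest window and lists the usernames that succeeded, which are the
    accounts a defender would want to lock and force a password reset on.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_ip[rec["src_ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r["username"] for r in win}
            failures = sum(1 for r in win if r["status"] != 200)
            ratio = failures / len(win)
            if (len(win) >= min_attempts and len(users) >= min_distinct_users
                    and ratio >= min_failure_ratio):
                current = findings.get(ip)
                if current is None or len(win) > current["attempts"]:
                    findings[ip] = {
                        "attempts": len(win),
                        "distinct_usernames": len(users),
                        "failure_ratio": round(ratio, 2),
                        "claimed_user_agents": sorted({r["user_agent"] for r in win}),
                        "successful_usernames": sorted(
                            r["username"] for r in win if r["status"] == 200),
                    }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(build_sample_log()).items():
        print(ip, json.dumps(finding, indent=2))
```

The thresholds are deliberately simple; a production system would tune them per endpoint and combine this signal with others (request timing, token reuse, geographic spread), but the structure is the same: decide on observed server-side behaviour, not on what the client claims to be.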
Case Study: Bots Disguised as Xbox Consoles in Credential Stuffing Attack
Netacea recently protected a large streaming service from credential stuffing bots during a massive peak in traffic.
With the biggest American Football game of the year streaming live, the organization’s security team anticipated high volumes of credential stuffing attempts masked within humans logging in to watch across various devices.
Netacea monitored all login attempts, using machine learning to distinguish human from bot. Upon analysis, our data team highlighted that over a million of the malicious login attempts blocked by our systems were emulated Xbox consoles trying to log in via API endpoints.
Thankfully, and due to Netacea’s server-side deployment, we were able to detect and stop these attacks just the same as if they were via websites or other means.
Conclusion
As attackers continue to adapt and look for new vulnerabilities, focusing on APIs and legacy devices with lower protection, organizations must evolve their defenses. By understanding these evolving threats and adopting solutions like those offered by Netacea, businesses can ensure robust defenses against a constantly shifting landscape of threats.