Why Do Credential Stuffing Bots Target Live Streaming Events?
Streaming services are one of the most popular targets for cybercriminals. Using automated bots, attackers steal millions of streaming accounts each month. Adversaries quickly sell these via illegal marketplaces to make massive profits.
Although any streaming service is vulnerable to account takeover and credential stuffing attacks, there are additional risks and damages when live event streaming is on offer. Read on to find out why the distinction between on-demand and live streaming matters to bots, and how to protect your streaming service.
Two Types of Media Streaming and Why It Matters to Bots
There are two main types of media streaming – on-demand, and live events.
On-demand streaming
In OTT (over-the-top) streaming platforms, most of the content is pre-recorded and available at any time.
The convenience of picking your own viewing schedule is part of the appeal of OTT services over traditional broadcasting. Consumers don’t need to be home at a certain time to watch their favorite shows anymore.
A highly anticipated new release may spur a spike in binge watching, but typically there’s very little urgency to watch a particular show at a certain time.
Live event streaming
While live streamed events could be watched later on-demand, most people prefer to watch in real-time “as-it-happens”.
This is especially true of sports events, with several hugely popular streaming services dedicated to boxing, football, baseball and racing around the world. The reason for buying a subscription or one-off pay-per-view fee is to watch the event live.
On-demand providers branching out to live events
While some OTT services focus solely on live broadcasts, several providers with large on-demand libraries offer occasional live events as part of their package.
For example, Peacock features many NBC-owned and third-party TV shows and movies to watch on demand, but also carries live sporting events such as NFL football, the Olympic Games, and FIFA World Cup matches.
From January 2025, WWE RAW will move from cable TV station USA Network to exclusively streaming live on Netflix; At present, the show attracts on average 1.7 million viewers in the US every Monday night, which will add significant regular concurrent viewership to Netflix – a big change for a platform that currently specializes in “on-demand” over live streaming.
How Bots Take Advantage of Streamed Events
If your streaming service has ever broadcast a live event, it’s very likely you had more bots as well as more users on the platform during this time. Here’s why:
More traffic makes it easier for bots to hide
Live events cause spikes in traffic outside of normal seasonality for streaming sites. Bot operators anticipate these spikes based on when live events are scheduled and coordinate their attacks to hit during these times.
The more legitimate traffic there is on a web service, the easier it is for bots to fly under the radar. Using traditional bot management methods of checking every request in isolation, distinguishing between good and bad traffic gets more difficult with more requests to manage per minute.
More risk of outages and overloaded infrastructures
While OTT streaming services are built to serve huge volumes of media streaming, their login portals and other services aren’t designed to cope with sudden traffic. Yet at peak times, bots account for as much as 90% of all login requests, pushing up infrastructure requirements for no business benefit while risking outages and performance issues.
False positives have an immediate negative impact on customers
When streaming services detect illegitimate activity, they can check the legitimacy of the affected account (such as resetting the password, enforcing MFA or showing a CAPTCHA challenge), or block that user entirely. However, because bots can very closely mimic characteristics of human visitors, there is a risk of acting on false positives – affecting a genuine customer.
This is worse during a live streaming event as by the time the customer complains and their access is restored, they will have missed some (or all) of the event they wanted to watch, affecting their experience and reducing the likelihood of them retaining their subscription later.
- Multiscreen restriction lockouts
Most streaming services limit the number of devices that can access content at any one time or prevent people in other homes accessing an account. This is to cut down on password sharing and maximize revenues as everyone using the service is paying to do so.
However, if an account is stolen, the rightful owner may find themselves locked out because the thief (or someone who bought access from the thief) is already watching via their account. Again, this can be complex to resolve, causing disruption and frustration for customers at peak times like during live events.
How to Protect Live Events from Bots
Protect all sites, apps and API endpoints
Most streaming services manage dozens (if not hundreds) of apps across various devices, from different smart TV brands and gaming consoles through to mobile app stores and set top boxes. It only takes one of these to be unprotected for bots to find a way in.
Most bot management solutions focus their efforts on analyzing requests on the client side, yet API login requests don’t use clients – and maintaining SDKs across every app version adds huge complexity.
Server-side bot protection solutions like Netacea are totally agnostic to where requests originate – be that via websites, apps or APIs – offering full protection and no easy way in for bots. Plus, server-side solutions are easier to maintain, always delivering the latest detection techniques.
Use AI to spot patterns of behavior in large traffic datasets
Although bots take advantage of the huge volume of requests hitting streaming sites during live events to disguise their attacks, this plays into the hands of bot detection solutions like Netacea that analyze the totality of traffic.
Rather than investigating individual requests in isolation, Netacea uses machine learning to analyze this huge data set in real-time to cluster patterns of behavior together. This means that bots lose the ability to evade detection because even a bot with a fresh IP, user agent etc. must ultimately act in the same way to conduct their attacks. Machine learning models will detect and block these regardless.
Case study: Protecting a Streaming Service from Bots During a Live Football Game
A major US video streaming platform held exclusive rights to air American Football’s “Big Game” in February 2024, expecting 120 million live streams. Ensuring uptime and stability was crucial. However, the anticipated high traffic posed a risk of malicious bot attacks, particularly targeting customer accounts.
To protect against credential stuffing and fake account creation targeting their many apps and APIs, Netacea implemented AI-powered bot protection, analyzing every login and registration request. Unlike client-side tools that are complex to install and easily bypassed, Netacea’s solution integrated directly into the client’s CDN, leveraging the Intent Analytics® engine to block sophisticated attacks in real-time.
Netacea Bot Protection blocked five million malicious requests during the game and its aftermath with an incredibly low false positive rate of 0.0001%, ensuring genuine customers were unaffected. About 35% of authentication API requests were malicious bots, including over a million from disguised Xbox consoles. With inadequate protection, credential stuffing attacks could have compromised 1,000 accounts – thankfully this wasn’t the case with Netacea in their defensive line.
Get the same results for your live streaming platform and keep bots at bay – Start with a demo of Netacea Bot Protection.
