Checker Bot
What is an account checker bot?
An account checker bot is an attack tool that takes lists of leaked username and password pairs and tests them against a website.
Many websites cannot distinguish bot interactions from normal human interactions and consequently they accept this type of bot traffic. Because of it, account checker bots are still popular amongst cybercriminals.
How hackers use checker bots
The attackers use account checker bots to test stolen credentials. The attacker may then also use this account for other malicious purposes such as spam. Successful logins can result in account takeovers.
Attackers can find and use publicly available lists of credentials, in combination with account checkers, to find vulnerable accounts which they then use for various fraudulent activities. You can use this tool to check if your email address has appeared in any data leak.
Why do they use it?
Attackers use the account checker bots as a way of easily checking if their compromised credentials can be used to log into different websites. With one click of the button they can find out whether an account exists on any number of websites or not. This allows them to try other random combinations of usernames and passwords until they finally unlock one that works. If it does, then there’s every chance that the attackers will then go back to this website and start using the newly found login details for whatever purpose they require – perhaps even email spam.
Why is it dangerous?
Using account checker bots also helps hackers gain access to confidential user data which can lead to further identity theft and fraud. When you enter your personal information on any website, there is a chance that your credentials will be leaked and made public. All your passwords could end up on online databases. There are even people out there who harvest these usernames and passwords known as “credential harvesters” or just “harvesters”. One of the ways they use to collect all sorts of credentials from different sources is by using bots or account checker bots to run large-scale checks against websites. Another way for them to get their hands on personal information through these account checker bots is by searching for previously leaked sites where users have used weak or duplicate passwords across multiple accounts.
How to protect your accounts from checker bots?
There are several ways that you can protect your accounts from checker bots:
- Don’t use the same username and password combination for two different websites.
- Use stronger passwords, a longer password is more secure than a short one.
- Avoid using personal information or easy to guess words (for example, names of your children).
- Never use the same password twice; avoid reusing the same password on multiple sites.
- Always remember to change your passwords regularly.
- Use two-step verification such as Google Authenticator, which generates an account validation token in addition to your password when logging into any site.
How to protect your customers from checker bots?
As a webmaster, you can take several measures to protect your customers from checker bots:
- You can implement CAPTCHAs that will make it harder for the attacker to successfully log in.
- Blocking IP addresses or ranges from which malicious bot traffic is known to originate.
- Use strong authorization for all sensitive areas of your website.
- If possible, block access after a number of failed login attempts occur within a short time.
- Use secure password hashing and salting for all user passwords that are stored in your database. This ensures that even if hackers get their hands on the hashed passwords, they cannot use them to log into your site.
- Check if there is an account with the same email address as in your leaked website in a public data breach sites such as Have I Been Pwned. If yes, reset it and notify users about it immediately.