These are exciting times in the digital media industry. The way that media companies deliver and monetize their content is shifting from traditional cable/satellite delivery models to over the top (OTT) streaming services.
These shifts are driving new business models for the media companies, something that hasn’t gone unnoticed by fraudsters. There is a robust criminal ecosystem that is acting as a parasite on the wave of content shifting to OTT delivery models.
The same week that Disney unveiled its blockbuster new streaming video service, I presented new research detailing the massive increase in criminal attacks targeting the OTT industry, during NAB, the broadcast industry’s largest global convention.
I’ll share the data, the attack surfaces and some suggested protections in a moment, but join me in recognizing how much our world has changed: I was not talking about attacks on the public sector, e-commerce, or financial services. I was presenting at a broadcast convention, and at a full-day, pre-convention track devoted to cybersecurity, no less. Our adversaries have clearly realized that one of the most attractive targets today is the so-called “Bank of OTT”.
ATO (Account Takeover) and related fraud is a major problem across many industries. Early in 2018, our threat research team noticed an uptick in ATOs targeting the media industry. So, we decided to research the scope of this problem. We reached the surprising conclusion that the media industry sees significantly more ATO attacks than financial services.
There are several steps to an ATO attack. The attacker will often leverage a turnkey bot infrastructure to do much of the heavy lifting. He/she will select the login sites they wish to attack and load a large database of previously spilled credentials into the tool. The attacker is hoping that 1%-2% of these account owners will re-use their credentials on media sites, allowing him/her to take over those accounts and resell them.
The source of the credentials could be either a free download or a premium list that the attacker purchased. The constant inventory of freshly spilled credentials, disclosed via various breaches, give the attackers massive databases to test. Some of the databases can reach 750,000,000 credentials in one offering.
Many of these turnkey bots will come with out-of-the-box evasions for basic defenses: CAPTCHA-solvers are standard; the ability to load large databases of proxy servers is also a standard feature. This helps the attacker stay under the radar and avoid huge volumes of requests coming from a small number of IP addresses; in fact, most skilled operators will make less than one request per hour against a single target.
It isn’t difficult to understand what is driving the massive volume of attacks targeting the media industry. These attacks are profit motivated. Last month’s takedown of one service illegally selling a subscription to a group of popular music and video streaming services provides a glimpse into the operation of the underground market for illegal access to OTT content.
There is a thriving criminal ecosystem that is growing parasitically on the exploding OTT music and video streaming industry. The fraudsters business model is pretty straightforward: sell a cheap subscription to a variety of popular OTT services to buyers who are willing to purchase a dodgy subscription to save a few bucks a month. The alleged fraudster in this case had more than 100,000 paying customers and had compromised more than 1,000,000 accounts to legitimate streaming services.
As legitimate OTT sites discover that accounts have been taken over, these user’s login credentials will be reset. This forces the criminals to continuously discover new accounts to takeover.
Based on our research, we were able to detect more than 11.5B credential stuffing attacks targeting media sites in 2018. That total is far more than the number of attacks observed targeting the financial services sector, which continues to see more than a billion attacks itself. This suggests attackers prefer to rob the “Bank of OTT” more than traditional banks.
These credential stuffing attacks present some unique challenges for security teams tasked with defending OTT services. They can be successful even if the website has perfect security, zero defects in coding or missed patches. The success of the attack may come down to the security hygiene of the site’s users. If the user has reused credentials that were spilled in another site’s breach, then his/her account is at risk.
Recommendations for combating these attacks include educating users to select unique and ideally long passwords for each site. Disrupting the attacker’s use of automation is also very important, as these attacks aren’t economically viable via manual attack methods. The battle between attacker using automation and defenders looking to detect signs of automation leads to a very active detection/evasion cycle with new innovations taking place by both parties on a frequent basis.