5 Scariest Bot Attacks of 2022, Blocked by DataDome

With a front-row seat to all the new ways cybercriminals are targeting online businesses, we’ve seen our share of spooky cyberattacks! Below are the five scariest bot attacks DataDome has mitigated for customers in 2022.

1. Massive 4-Day Mayday

Heavily Distributed Credential Stuffing Attack

What’s scarier than blocking a heavily distributed credential stuffing attack? An unblocked distributed credential stuffing attack. Luckily, our customer was well-protected by DataDome.

Credential stuffing attacks put your user accounts at risk. They target all kinds of industries, ranging from e-commerce websites, to gambling, to streaming services.

In May 2022, a credential stuffing attack targeted one of our customers—a gaming platform—and lasted 4 days. The attack was distributed across more than 91 million distinct IPs. Each IP address made ~1.18 malicious login attempts. Because the requests were spread so thinly, traditional rate limiting policies would not have been triggered, making them ineffective.

In addition, the IP addresses attacking our customer were mostly clean, and had not been involved in other malicious activity against any customers in the week prior. Because of this, common defenses like IP block listing would not have helped stop the attack.

In total, the attacker made 107,930,521 malicious login attempts!

Credential Stuffing Human vs. Bot Login Attempts Per Hour, Graph 1

The map below reveals the number of malicious login attempts by country of origin, showing this attack was distributed all around the world. The attacker had a significant pool of clean IPs located in countries ranging from the US, to France, to China.

Credential Stuffing Map, Login Attempts Per Country
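
An added example (not DataDome's detection logic, which this article does not describe): the rate-limiting gap from this section, run over constructed login events with the same ~1.18 attempts per IP. The thresholds, function names and sample addresses are assumptions made for illustration.

```python
from collections import Counter

# All thresholds are assumptions chosen for this illustration.
PER_IP_LIMIT = 5           # failed logins tolerated per IP per window
MIN_ATTEMPTS = 50          # ignore windows too small to judge
MAX_FAILURE_RATIO = 0.5    # alert when more than half of logins fail
MAX_ATTEMPTS_PER_IP = 2.0  # traffic spread this thinly evades per-IP limits


def per_ip_rate_limit(events):
    """Return the IPs a classic per-IP failed-login limit would block."""
    failures = Counter(ip for ip, _user, ok in events if not ok)
    return {ip for ip, count in failures.items() if count > PER_IP_LIMIT}


def window_stats(events):
    """Return (attempts, failure_ratio, attempts_per_ip) for one window."""
    ips = {ip for ip, _user, _ok in events}
    failures = sum(1 for _ip, _user, ok in events if not ok)
    return (len(events), failures / max(len(events), 1),
            len(events) / max(len(ips), 1))


def looks_distributed(events):
    """Flag a window of mostly failed logins spread thinly over many IPs."""
    attempts, failure_ratio, per_ip = window_stats(events)
    return (attempts >= MIN_ATTEMPTS
            and failure_ratio > MAX_FAILURE_RATIO
            and per_ip < MAX_ATTEMPTS_PER_IP)


def constructed_attack(n_ips=1000):
    """Constructed window: 1.18 attempts per IP, nearly all failing."""
    events = []
    for i in range(n_ips):
        ip = f"10.0.{i // 256}.{i % 256}"      # constructed address
        for t in range(2 if i % 100 < 18 else 1):
            ok = i % 500 == 0 and t == 0       # rare valid credential
            events.append((ip, f"user{i}_{t}", ok))
    return events


def constructed_normal(n_ips=60):
    """Constructed window: real users, one in ten mistypes once first."""
    return [(f"10.9.0.{i}", f"member{i}", ok)
            for i in range(n_ips)
            for ok in ((False, True) if i % 10 == 0 else (True,))]
```

On the constructed attack window the per-IP limit blocks nothing, while the aggregate check on failure ratio and attempts per IP flags it; the normal window passes both.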

2. April’s Aggressive Ambush

39M DDoS Attack on Classified Website

In April, a DDoS attack targeted a European classified website and mobile application and included over 39 million bad bot requests. Beginning on a Friday and lasting through Saturday, the site was under active DDoS attack for ~4 hours. The attack was split into two waves:

  • Wave 1: Friday night, between ~18:00 and ~0:00 (CEST).
  • Wave 2: Saturday morning, between ~10:00 and 12:00.

DDoS Attack 2-Day Overview

Requests came from all around the world, though the vast majority were from the US (24M), Honduras (3.4M), Germany (2M), and Canada (1.7M). The requests originated from low-quality autonomous systems—that is, either data-center autonomous systems or systems frequently linked to attacks. Here is a graph showing the number of requests per autonomous system (AS):

DDoS Attack Requests Per AS

3. September’s Savage Scalping

200M Request-Per-Day Scalping Attack on E-Commerce Website

In September 2022, we observed a large ongoing stream of requests originating from ISP proxies (proxies hosted in data centers but registered under ISPs) used to conduct scalping attacks. Bots were constantly monitoring the availability of limited edition products on two websites/mobile applications—ready to launch bots to buy them as soon as they became available.

The graph below shows the scalping traffic originating from ISP proxies that belong to AT&T and Time Warner Cable (TWC) during September. It was not uncommon to see spikes of over 100M requests in 12 hours, which represents more than 200M bad bot requests daily coming solely from ISP proxies on just two e-commerce customers targeted by scalpers.

ISP Proxies-Graphic-requests

4. February’s Frightful Fraud Fight

Large-Scale Scraping Attack Using Bots as a Service

This attack leveraged BaaS (bots as a service) and lasted ~19h, consisting of ~15.5M requests distributed from more than 500K residential proxies. On average, the large-scale scraping attack generated ~150K requests every 10 minutes on our customer’s servers.

BaaS Attack Graph

The attack was also heavily distributed across IP addresses coming from different countries:

BaaS Attack Map

It was no surprise that most requests came from Europe, because the target was a leading European website. The BaaS automatically selected IPs located in realistic countries to avoid being blocked easily.

5. Jarring July

DDoS Attack Launched From Free Proxies

In July, a coordinated DDoS attack targeted four different websites/applications, with a spike of over 550K bad bot requests per minute. The sites targeted belonged to different categories: e-commerce, classified, and community/social network—each represented by a unique color in the graph below.

Free Proxies Requests Per Minute

This attack leveraged mostly free proxies to distribute its requests.

The malicious traffic seemed to be linked to the same attacker, even though the four targeted customers don’t share anything in common. Additionally, requests targeted seemingly insignificant pages: the home page and category pages.

From a fingerprinting point of view, the different spikes don’t share many common characteristics, apart from all of the fingerprints being outdated. None of the bots executed any JavaScript (JS). In general, bots operating from free proxies are simple: no JS execution, poor or no cookie support, and inconsistent/outdated fingerprints.

Free proxies, despite being low quality (high latency, bad reputation), can cause significant damage to unprotected sites and apps. Attackers can easily find a number of free proxies that can be used for any purpose—ranging from DDoS to credential stuffing and vulnerability scanning.

Conclusion

Bot attacks can come in different forms: credential stuffing, scalping, scraping, DDoS attacks, and beyond. Attackers leverage a wide variety of techniques to distribute their attacks including free proxies, ISP proxies, and residential proxies. And with bots as a service, scaling sophisticated attacks is easier than ever.

These types of attacks are happening every second across the internet, led by a terrifying number of cybercriminals determined to exploit business websites, apps, and APIs. Don’t be left in the dark—you can at least find out what attacks are targeting you with our free trial. We’ll be happy to bust some bad bots before they can get to you.
