How DataDome Protected a Cashback Website from an Aggressive Credential Stuffing Attack
In this article, we cover the details of an aggressive credential stuffing attack that targeted a cashback website. By the end of the attack, which lasted less than a day, more than 2.2 million malicious requests had been stopped by DataDome’s protection.
Key Metrics
For 15 hours total—11:30 a.m. on May 26 to 3 a.m. on May 27—the login endpoint of a cashback website was targeted in a credential stuffing attack.
Credential Stuffing Attack Overview
The graph below (Figure 1) represents the bot traffic detected by our detection engine during the 15-hour attack. Traffic remained intense for the whole period: the graph shows a plateau of requests rather than a series of peaks and valleys. For most of the attack, between 65K and 75K requests were made per half hour.

Figure 1: Number of malicious credential stuffing requests handled by the DataDome bot detection engine over time during the attack.
Distribution of the Attack
Over the length of the attack, the attacker used more than 16,600 IP addresses located in different countries. Figure 2 represents the number of IP addresses used by the attacker per country (inferred from the IP address), for the top five countries.

Figure 2: Number of IP addresses used for malicious requests in the top five countries involved in the attack.
Attack Indicators of Compromise (IoCs)
The attack was distributed with 16.6K different IP addresses, but there were some commonalities between requests:
- The attacker used a single user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148.
- Every bot used the same accept-language: en-US.
- The attacker used data-center IP addresses, rather than residential proxies.
- The attacker made requests on only one URL: login.
- Bots didn’t include the DataDome cookie on any request.
How was the attack blocked?
Thanks to our multi-layered detection approach, the attack was blocked using different independent categories of signals. Thus, had the attacker changed part of its bot (for example, fingerprint or behavior), it would have likely been caught using other signals and approaches.
While this attack was aggressive, it was also relatively simple. The main detection signal here was server-side fingerprinting inconsistency. All attack requests shared one distinctive server-side fingerprint hash, because the accept-encoding header was malformed: there were no spaces between its values.
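As an added example (not DataDome's code), the following Python sketches how the two independent signals described above can be combined: a per-request header-consistency check (the malformed accept-encoding and the absent protection cookie) and a cross-request grouping by server-side fingerprint that surfaces one fingerprint spread over many source IPs hitting a single path. The cookie name and the sample requests are constructed; the user-agent is the one quoted in the article.

```python
import hashlib
import re
from collections import defaultdict

PROTECTION_COOKIE = "datadome"          # hypothetical name for "the DataDome cookie"
NO_SPACE_AFTER_COMMA = re.compile(r",(?=\S)")

def accept_encoding_malformed(value: str) -> bool:
    """Multi-value Accept-Encoding with no space after a comma. RFC 9110 allows
    it, but Safari, Chrome and Firefox send ", ", so paired with a browser
    user-agent it is a fingerprint inconsistency (the article's main signal)."""
    return "," in value and NO_SPACE_AFTER_COMMA.search(value) is not None

def server_side_fingerprint(headers: dict) -> str:
    """Stable hash over headers the client sends regardless of source IP."""
    h = {k.lower(): v for k, v in headers.items()}
    raw = "|".join(h.get(k, "") for k in ("user-agent", "accept-language", "accept-encoding"))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def request_signals(headers: dict) -> list:
    """Independent per-request signals; each can fire on its own."""
    h = {k.lower(): v for k, v in headers.items()}
    signals = []
    if accept_encoding_malformed(h.get("accept-encoding", "")):
        signals.append("malformed accept-encoding")
    if PROTECTION_COOKIE not in h.get("cookie", ""):
        signals.append("missing protection cookie")
    return signals

def flag_fingerprints(requests, min_ips=3):
    """Fingerprints that carry a per-request signal and are also spread across
    many source IPs hitting a single path: the distributed pattern above."""
    by_fp = defaultdict(lambda: {"ips": set(), "paths": set(), "signals": set()})
    for ip, path, headers in requests:
        d = by_fp[server_side_fingerprint(headers)]
        d["ips"].add(ip)
        d["paths"].add(path)
        d["signals"].update(request_signals(headers))
    return {fp: d for fp, d in by_fp.items()
            if d["signals"] and len(d["ips"]) >= min_ips and len(d["paths"]) == 1}

# Constructed sample traffic: four bot requests sharing one fingerprint from
# different (documentation-range) IPs, plus one legitimate browser request.
UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) "
      "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148")
BOT = {"User-Agent": UA, "Accept-Language": "en-US", "Accept-Encoding": "gzip,deflate,br"}
HUMAN = {"User-Agent": UA, "Accept-Language": "en-US,en;q=0.9",
         "Accept-Encoding": "gzip, deflate, br", "Cookie": "datadome=abc123"}
SAMPLE = [(f"198.51.100.{i}", "/login", BOT) for i in range(1, 5)]
SAMPLE.append(("203.0.113.7", "/account", HUMAN))
```

Running `flag_fingerprints(SAMPLE)` returns only the bot fingerprint, with four IPs and both signals attached; the legitimate request triggers no signal and is never grouped.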
Conclusion
Credential stuffing attacks cause massive drains on your server resources, and come with the risk of account takeover that can lead to negative impacts on brand reputation and customer experience. These attacks can be performed from a single IP address, but more attackers are using distributed methods to try to bypass protection—with varying degrees of success.
DataDome’s powerful multi-layered ML detection engine looks at as many signals as possible, from fingerprints to reputation, to detect even the most sophisticated bots. Our new solution, Account Protect, focuses specifically on identifying and stopping account fraud, whether it’s led by bots or humans. Keeping up with bots’ evolving fingerprints, such as proxy usage, is key to fighting today’s main threats—and DataDome can handle it.
To get a better look at how DataDome can stop credential stuffing attacks, book a demo today.