Detect & Prevent Newly Observed Malicious Automation Attacks

PUBLISHED ON July 22, 2019
LAST UPDATED February 4, 2022

Just when you think you are one step ahead of hackers, they prove you wrong and set you four steps back. Hackers continue to find new and more devious ways of finding web app vulnerabilities and exploiting them. One such tactic is leveraging malicious bots and automation, which has grown in frequency, volume, and complexity. In fact, nearly 20% of all web traffic comes from malicious bots.*

In a previous post, I outlined a number of malicious automation attacks that we often see targeted against web applications and identified which industries and business types are most commonly attacked. In 2019 alone, we have seen each one of these attacks attempted on one or more of our customers. In this post, I’ll share a case study for each attack type and include preventative mitigation techniques (in order of importance) to help avoid future attacks.

Attack Type #1: Distributed Password Attack


A botnet was trying to log into a digital graphics customer’s admin portal. We noticed an abnormally large number of failed logins on the administrative page, alerting our security engineering team to the issue. All of these attempts were originating from a group of Ukranian IP addresses with numerous authentication attempts from each individual IP. This tactic kept the login rate low, allowing the botnet to successfully evade the basic rate limiting tactics that many traditional WAFs employ.


Because the ThreatX solution tracks individual entities over time as opposed to individual attacks, it was able to see the increasing number of authentication failures on the admin page and could trace these attacks back to individual IPs. While many traditional WAFs might miss this attack altogether, ThreatX leveraged progressive profiling of the handful of IPs to determine it was a malicious attack. ThreatX then established a block based on certain geolocation characteristics exhibited by these IPs combined with multiple failed login attempts. It’s important to note that this method still allows normal users to login from a similar location.


On any admin login pages or portals, you have a higher risk of a single account being compromised given the access and data that can be obtained. To help safeguard these portals, there are a few things you can do:

  1. Add multi-factor authentication (if possible, of course”)
  2. Add dynamic protection based on attacker traits (browser, capabilities of the browser, location, and the behavior)
  3. Utilize CAPTCHA if multi-factor authentication is not an option (though CAPTCHA has some effectiveness and limited)
  4. Set up alerts based on key potential malicious attack detection patterns, such as login failures

Attack Type #2: Credential Stuffing


A moderately sized botnet (around 5,000 – 10,000 IP addresses) were sending various credentials to the customer login/account login pages of a large online retailer. The authentication attempts failed nearly every time, but these types of attacks are only looking for one successful attempt to grant them access and expose data. A unique element of this attack was the low rate at which each IP address was being used, which would enable it to fly under the radar for most, basic WAF protections.


The ThreatX WAAP noticed an elevated rate of login failures and was able to track the number of distinct username/password combinations sent by each one of the IP addresses. The combination of these two elements was enough to flag this as a malicious credential stuffing attack. The attacking nodes were automatically blocked. However, to further mitigate the attack, a custom solution was implemented in which only IP addresses that exhibit similar credential stuffing behavior (multiple attempts combined with various username/password combos), would be blocked, thereby enabling valid customers to login.


There are a few things organizations can do to detect and prevent credential stuffing attacks:

  1. Implement multi-factor authentication for customers. While this is an extra (and often undesired) step, this helps safeguard customer data and strengthen application security protections.
  2. Monitor login forms in aggregate (i.e. total logins, percentage of failed logins over time, unique usernames attempted over time).

Attack Type #3: Carding


One particular ThreatX customer runs various media sites that require a paid subscription. In order to subscribe, their customers are required to provide credit card data. This media delivery customer noticed an elevated rate of new account registrations complete with credit card numbers that bounced. The goal of this attack was to test the card numbers and determine which of the cards (if any) were valid.


The solution to blocking this attack was a three-step process:

  1. We profiled the application signup workflow to determine which form was being targeted.
  2. Using the analytics ThreatX had previously collected on that form, we were able to identify the distinguishing characteristics of the attacking nodes, including user-agent, behavior, speed, geography, language preferences, etc. The sum of these characteristics did not look like a typical browser and the behavioral patterns did not reflect that of a regular user.
  3. Using this information, we blocked the bot nodes that exhibited those characteristics immediately and set up a long-term solution that would block future sign-ups that exhibit similar behaviors.


If your website requires or uses credit/gift card information to complete a sign-up or transaction, there are a few best practices to follow to prevent a carding attack from happening to you, including:

  1. Validate user accounts and email addresses during sign up. If possible, do this before you take any credit card data. This will reduce the number of fraudulent card transactions your business will process. AppDev teams are typically responsible for implementing this.
  2. Add behavioral profiling to important workflows (signups, checkouts, etc.) to make it easier to flag when the progression through said workflow falls outside of the expected pattern. This is something that the security team can implement and monitor.

Attack Type #4: Content Scraping and Evasion


We observed this particular attack against a major enterprise service provider that hosts multiple sites for product support and knowledge. These sites often contain valuable content for businesses, which explains why this customer was an attack target. To evade detection, a network of bots used a number of anonymous proxies to amplify the number of IP addresses available for their network. This made it increasingly difficult to detect.

Initially, we detected a spike in what looked like proxy traffic, which isn’t uncommon. Anonymous proxies are often used to obfuscate an attacker’s true origin. So our antennae were already up. What really triggered us was the volume of this attack, which was much higher than what we typically see. Upon further digging, we were able to determine that this was, in fact, a coordinated effort to bulk scrape content from a particular customer’s site.


Our WAF immediately (and automatically) began tracking and monitoring any additional proxy traffic. When the attributes of a bot swayed outside of the “norm” for user behavior, we automatically blocked those bots until the volume subsided. In this way, we were able to block the attack without disrupting the requests of friendly bots, such as SEO tools.


The following best practices will help your organization selectively block risky traffic (even if it’s a temporary block) and prevent such an attack from successfully scraping content from your website.

  1. Treat anonymized traffic as inherently higher risk and have a way to classify that traffic separately from other traffic. It may be beneficial to force additional authentication or even interrogation challenges that would be a dead giveaway for automated traffic.
  2. Consider blocking anonymous proxy servers, like Tor or I2P. While not all of the traffic from these will be malicious, a large portion likely will be.

These are real-world cases that our team witnessed and responded to in 2019. These types of attacks are growing in volume and intensity and it’s important to be knowledgeable about these types of attacks so you can recognize them when you see them. Perhaps even more importantly, our experiences with them can help you put precautions in place to prevent such attacks in the first place.

Want to learn more about blocking modern threats? We’ve compiled a guide that discusses the current trends in application security and hacker behavior and how security teams can keep up. It’s a modern security team’s guide to the current state of web application security.

*Based on research from the Distil Networks’ 2019 Bad Bot Report


About the Author

Chris Brazdziunas

Chris has a proven track record of leading global product and R&D organizations to deliver large-scale enterprise software and security solutions. Prior to joining ThreatX, Chris held multiple senior product management and engineering positions, most recently serving as the Vice President Product at market leading SIEM provider LogRhythm, where she was responsible for product strategy, product operations, and development. Chris holds an M.S. degree in Information Networking from Carnegie Mellon University and a B.S. in Computer Engineering from the University of Illinois.