Top 4 Malicious Automation Attacks & How to Detect Them

PUBLISHED ON June 24, 2019
LAST UPDATED August 19, 2021

We first introduced malicious automation in Part I of this blog series. We shared how malicious automation is becoming a common element of the threat landscape for organizations in nearly every vertical. In Part II of this series, we want to dive into the top 4 types of malicious automation attacks that we see most often across our ThreatX customer base. They include:

  1. Distributed Password Attacks
  2. Credential Stuffing
  3. Fake Account Creation
  4. Carding 

Distributed Password Attacks

Distributed password attacks (also known as brute force attacks), occur frequently in the wild. With these attacks, a bot attempts to break into an account (usually one with high-value) by running through a series of username and password combinations to find one success. Generally, the success rate for these types of attacks is 1-2%, and that is considered good by attackers. How does that 1-2% of successful attacks pass through traditional web application defenses?

Hackers have gotten smart and they know that it’s harder to both detect and to block an attack that’s widespread. So, they will coordinate an attack across a large number of hosts. And if they go undetected and they are successful in account access, they can access the information that motivated the attack in the first place. Often times, it’s to recover personally identifiable information (PII) or somehow influence public opinion through commentary or one-sided rhetoric.

If there are three things you need to know about these types of attacks, it’s…
1. These attacks aim to obtain access to a high-value account
2. Detection is often avoided due to the use of various hosts and points of presence
3. The most common targets are administrative interfaces and applications with “high-value data,” such as PII.

Credential Stuffing

There have been an unfortunately large number of successful credential stuffing attacks. Organizations like Dunkin’ Donuts, Nest, and Dailymotion are just a few of the recent victims. Credential stuffing is a variation of a distributed password attack in which uses password combinations acquired from a previous data breach….this information is surprisingly easy to obtain on the dark web. Sometimes the attacker’s goal is to break into a targeted website. Other times, it can be to just figure out which credentials acquired from the dark web are still valid and from which web sites.

Once a match is found, the attacker can seamlessly commit various types of fraud:
– Make a purchase
– Steal important information
– Impersonate a valid user to exploit information or exert influence
– Sell the validated credentials on the dark web

In our experience, organizations in the retail, financial services, healthcare, and hospitality industries are most at risk for such an attack. 

Fake Account Creation

Another common type of malicious automation attack is fake account creation. In this scenario, an automation will create numerous, but fake, accounts on a website. These fake accounts are then used to wreak havoc on an organization.

For example, fake accounts can be used to tie up inventory by placing items in an online shopping cart from various accounts and never completing the purchase. Another example is voting fraud. This could look like fake reviews on a website or even casting fake votes to sway a political election.

The challenge with this type of attack is that it is done over a period of time, “low and slow.” That makes it particularly difficult to detect through anomalous traffic or behavioral monitoring. So for social media sites, review sites, online voting, and retailers with limited inventory (tickets, shoes, etc.), who are the common targets for these attacks, this must be top of mind.


Carding attacks, not entirely unlike credential stuffing attacks, often are motivated to simply validate credit card numbers and resell that information to the dark web. In this case, the hackers are working with credit card numbers or gift card IDs. They “spray and pray” on numerous sites to validate them, typically through small purchases. These smaller purchases often go unnoticed by security tools and by the true owner of the credit card. Once a card is validated, they can sell the credit card information on the dark web.

It’s no surprise here that the retail vertical is the most common target for this type of an attack. However, this kind of attack can be executed on any site that requires a credit card to complete a transaction or to sign up. Fundraising and donation sites are a great example. And unfortunately, this happens far too often and results in negative impacts on the credit card companies and on the sites where these fraudulent transactions occur.

Unfortunately, a lot of malicious automation is “invisible” to traditional WAFs due to the methods with which they filter traffic. Some of the “low and slow” attack methods can appear no different than regular website traffic to many security tools. The persistent execution of common behaviors over a certain period of time must be flagged, and only now are we seeing the development of “smart” security tools that can effectively recognize this.

We have already seen various instances of the aforementioned attacks against our own customer base in 2019. In the next segment of this blog, I’ll share a real-world use case for each one of these attacks, including details on how it was detected and what actions (automated or otherwise) were taken to not only block the attack but prevent it from happening in the future with ThreatX’s web application solution. These mitigation techniques can be used to strengthen your own security of external internet presences.

Do you need a stronger WAF to keep up with today's appdev demands and advanced hackers?


About the Author

Chris Brazdziunas

Chris has a proven track record of leading global product and R&D organizations to deliver large-scale enterprise software and security solutions. Prior to joining ThreatX, Chris held multiple senior product management and engineering positions, most recently serving as the Vice President Product at market leading SIEM provider LogRhythm, where she was responsible for product strategy, product operations, and development. Chris holds an M.S. degree in Information Networking from Carnegie Mellon University and a B.S. in Computer Engineering from the University of Illinois.