Boxed.com Ups Bot Protection Efficiency & Saves Time With DataDome

The Problem: Sophisticated Credential Stuffing Attacks

“As a security person, my main concern with bot traffic is the threat of account takeovers,” said a member of the Boxed security team. “Of course, we also need to protect dynamic prices and other web real estate from scraping that will affect our product and marketing teams. But for me, the key is to protect our customer accounts, and to prevent fraudulent credit card transactions, chargebacks, loss of inventory, and things of that nature.”

A security-conscious company, Boxed had implemented a well-known bot protection system early on. The tool had eliminated most of their scraping issues, and it was doing a good job on basic credential stuffing attacks, but attacks were evolving and becoming more sophisticated.

Thus, the Boxed security team pursued alternatives for bot protection and, after a thorough search process and analysis of available options, they launched a free trial of DataDome.

The Solution: Best in Real-Time Test

The architecture of DataDome’s server-side modules makes it very easy to do side-by-side comparisons with other bot protection technologies. By installing DataDome in monitoring mode in front of the existing protection on Fastly, the Boxed security team could compare actual results from real traffic.

And the actual results were compelling. During the trial, Boxed discovered unusual activity in the logs. DataDome instantly detected an ongoing credential stuffing attack.

(DataDome dashboard shows the credential stuffing attack in real time.)

“DataDome’s technology is very good,” said the Boxed security team member. “When a new version of Puppeteer came out, DataDome caught it right away. I also liked the user interface better than any other competitors we looked at. Finally, performance is key for us, and DataDome delivered just the right mix of blocking technology, performance, and price.”

The Results: Proactive Protection, Significant Time Savings

Today, DataDome protects both the Boxed website and mobile apps from bot-related threats. Boxed particularly appreciates the responsiveness of DataDome’s threat researchers. 

“The threat intelligence team is excellent. They understand that a lot of this is about speed,” the security team member notes. “When we have an attack, or a spike in bot traffic, the first hours are critical. DataDome tends to remediate zero-day threats rapidly.” 

During the Apache Log4j security crisis, the Boxed team was able to experience first-hand what DataDome can do when it really matters.

“That was huge!” the security team member attests. “The DataDome threat research team had detection for Log4j within something like 24 hours, without being prompted. As a security person, I can’t tell you how fantastic that was. We weren’t actually affected by the vulnerability, but we had the protection there right away.”

Besides the rather essential business of keeping Boxed’s customer data safe, the main benefit of DataDome for the Boxed security team is the time saved.

“I have internal logs where I can see failed logins and all types of email mismatch alerts,” the Boxed security team member explains. “For several months, there were zero internal alerts and nothing to do. I would just get the DataDome attack notifications, log in to the dashboard, and see the attacks being stopped. Now, bot detection is a cat and mouse game and no solution will be perfect 100% of the time, but whenever I’ve escalated something and had the threat research team look at an issue, we’ve been able to stomp it out. So yes, DataDome is a tremendous time saver.”