
How DataDome Protected an Event Ticketing Platform from a Distributed Fake Account Creation Attack

In this article, we cover the details of a fake account creation attack that targeted a well-known event ticketing platform in Europe. By the end of the attack, which lasted less than a day, more than 147 million malicious fake account creation attempts had been stopped by DataDome’s protection.

Key Metrics

For 21 hours total—9 p.m. on Apr 11 to 6 p.m. on Apr 12—the login & account creation endpoints of a European event ticketing platform were targeted in a fake account creation attack.

The attack included:


299K IP addresses

each making 491 requests on average.


~116,666 malicious requests

every minute.


147,000,000 overall

fake account creation attempts.

Fake Account Creation Attack Overview

The graph below (Figure 1) represents the bot traffic detected during the 21-hour attack by our detection engine. The attack reached a peak of nearly 6 million requests per 30 minutes just three hours in.

Attack Timeline Graph

Figure 1: Number of malicious fake account creation requests handled by the DataDome bot detection engine over time during the attack.

Distribution of the Attack

Over the length of the attack, the attacker used more than 299,000 IP addresses located on different autonomous systems (AS) in different countries. Figure 2 represents the number of IP addresses used by the attacker per country, as well as the type of AS, for the top five countries.

IPs per country by autonomous system graph

Figure 2: Number of IP addresses used for malicious requests in the top five countries involved in the attack, separated by type of proxy (ISP versus other kinds, like data center proxies).

While the underlying technology was likely the same, the attacker also varied which browser the bots appeared to be using by altering the user-agent, with Firefox as the primary browser and Chrome a close second. Figure 3 represents the number of malicious requests per “internet browser” used by the attacker.

Different Browsers Used in Attack Graph

Figure 3: Volume of malicious requests per “browser” involved in the attack.

Attack Indicators of Compromise (IoCs)

The attack was heavily distributed with more than 299K IP addresses, and the attacker used ~6,000 distinct user-agents based on different browser versions. Still, there were some commonalities between requests:

  • Every bot used the same accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7.
  • Bots varied the number of requests they’d make per IP address used.
  • Bots used clean residential IP addresses, around half of which were proxies that had not yet been observed in attacks on other customers DataDome protects.
  • The attacker made requests on only three URLs: Homepage, Login, and /account.
  • Bots didn’t execute JavaScript on any request.

How was the attack blocked?

Thanks to our multi-layered detection approach, the attack was blocked using different independent categories of signals. Thus, had the attacker changed part of its bot (for example, fingerprint or behavior), it would have likely been caught using other signals and approaches.

The main signals and detection approaches here were the following:

  • Lack of JavaScript execution: The attacker never sent any of the JS payloads, either from our JS tag or our Device Check page.
  • Behavioral detection: Our behavioral engine detected an abnormal volume of requests on valuable paths per IP address.
  • Server-side fingerprinting inconsistency: The attack had a unique server-side fingerprint hash that exhibited some inconsistencies.
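The layering described above, as a toy illustration added here (this is not DataDome's engine or code): layer 1 flags IPs by volume on the login and account paths, then the accept-language value shared by those no-JS hits is used as a campaign signature to attribute low-volume IPs that spread their requests thin. The JSON log format, field names, sample records and threshold are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line (not real customer data).
SAMPLE_LOG = """\
{"ip":"203.0.113.10","path":"/","accept_language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","js_payload":false}
{"ip":"203.0.113.10","path":"/login","accept_language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","js_payload":false}
{"ip":"203.0.113.10","path":"/account","accept_language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","js_payload":false}
{"ip":"203.0.113.10","path":"/account","accept_language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","js_payload":false}
{"ip":"203.0.113.11","path":"/account","accept_language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","js_payload":false}
{"ip":"198.51.100.7","path":"/","accept_language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","js_payload":true}
{"ip":"198.51.100.7","path":"/account","accept_language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","js_payload":true}
{"ip":"192.0.2.5","path":"/events/42","accept_language":"fr-FR,fr;q=0.9","js_payload":false}
"""

VALUABLE_PATHS = {"/login", "/account"}
ATTACK_PATHS = {"/", "/login", "/account"}   # the only three URLs the bots touched
PER_IP_THRESHOLD = 3                          # valuable-path hits per IP; tune per site and window

def profile_ips(text):
    """Aggregate per-IP features: valuable-path hits, headers, paths, JS seen."""
    prof = defaultdict(lambda: {"valuable": 0, "langs": set(), "paths": set(), "js": False})
    for line in filter(None, text.splitlines()):
        r = json.loads(line)
        p = prof[r["ip"]]
        p["valuable"] += r["path"] in VALUABLE_PATHS
        p["langs"].add(r["accept_language"])
        p["paths"].add(r["path"])
        p["js"] = p["js"] or r["js_payload"]
    return prof

def detect(text, per_ip_threshold=PER_IP_THRESHOLD):
    """Return {ip: [reasons]} for IPs attributed to the campaign."""
    prof = profile_ips(text)
    flagged = {}
    # Layer 1 (behavioral): abnormal per-IP volume on the valuable paths.
    for ip, p in prof.items():
        if p["valuable"] >= per_ip_threshold:
            flagged[ip] = ["abnormal volume on login/account paths"]
    # Layer 2 (shared signature): accept-language values of the non-JS layer-1
    # hits become a campaign signature; low-volume IPs that match it, never ran
    # our JS and stayed on the three attack URLs are attributed to the campaign.
    sig = {l for ip in flagged if not prof[ip]["js"] for l in prof[ip]["langs"]}
    for ip, p in prof.items():
        if p["js"]:
            continue  # a real browser executed our JS; a header match alone is not enough
        if p["langs"] & sig and p["paths"] <= ATTACK_PATHS:
            flagged.setdefault(ip, []).append("no JS execution + campaign accept-language signature")
    return flagged
```

Note that 198.51.100.7 shares the German accept-language but executed the JS, so it is left alone, while 203.0.113.11 is attributed despite a single request.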

Conclusion

On top of the server resource drain caused by so many requests, fake account creation and other types of account fraud can cause massive damage to your customer experience, brand reputation, and profits. These attacks can be performed by just one or two IP addresses—but more and more attackers are using highly distributed methods to try and bypass protection.

DataDome’s powerful multi-layered ML detection engine looks at as many signals as possible, from fingerprints to reputation, to detect even the most sophisticated bots. Keeping up with bots’ evolving fingerprints, such as proxy usage, is key to fighting today’s main threats, and DataDome can handle it.

To get a better look at how DataDome can stop fake account creation attacks, book a demo today.

*** This is a Security Bloggers Network syndicated blog from DataDome Blog – DataDome authored by Antoine Vastel. Read the original post at: https://datadome.co/threat-research/how-datadome-protected-event-ticketing-platform-from-distributed-fake-account-creation-attack/