How DataDome Protected Grocery Chains from a Mobile App Credential Stuffing Attack
In this article, we cover the details of an aggressive credential stuffing attack that targeted the e-commerce arm of multiple global grocery store chains. By the end of the attack, which lasted five days, more than 42 million requests had been blocked by DataDome’s protection.
Key Metrics
For 5 days total—3:40 p.m. CEST on Jul 13 to 12:00 p.m. on Jul 18—the mobile app API used by several global grocery store chains was targeted in a credential stuffing attack.
The attack included:
Credential Stuffing Attack Overview
The graph below (Figure 1) represents the bot traffic handled over the course of the five-day attack by our detection engine. The attack reached a peak of ~2.3 million requests per 30 minutes at the end of the first day of the attack.

Figure 1: Number of bot requests handled by the DataDome bot detection engine over time during the attack.
Distribution of the Attack
Over the length of the attack, the attacker used more than 1.3 million IP addresses located on different autonomous systems (AS). Figure 2 represents the number of IP addresses used by the attacker per type of AS.

Figure 2: Number of IP addresses used for malicious requests by each type of AS involved in the attack.
Attack Indicators of Compromise (IoCs)
While the attacker leveraged mostly residential American IPs, and there were no obvious inconsistencies in the headers, there were some commonalities between requests:
- The attacker used two different user-agents tied to the mobile applications.
- Bots made only a few requests per IP address, and all of them were GraphQL requests.
- Bots made requests from new sessions.
- Bots didn’t execute JavaScript or the SDK on any request.
How was the attack blocked?
Thanks to our multi-layered detection approach, the attack was blocked using different independent categories of signals. Thus, had the attacker changed part of its bot (for example, fingerprint or behavior), it would have likely been caught using other signals and approaches.
The main signals and detection approaches here were related to inconsistent behavior:
- Login speed: The bots were able to log in much faster than legitimate users.
- New sessions: Many bots made their very first request on login.
- Short cookie length: Many bots made requests with a short cookie length.
Conclusion
Credential stuffing attacks can cause massive drains on your server resources, not to mention the risk of account takeover that can lead to negative impacts on brand reputation and customer experience. These attacks can be performed by one or two IP addresses—but more and more attackers are using highly distributed methods to try and bypass protection.
DataDome’s powerful multi-layered ML detection engine looks at as many signals as possible, from fingerprints to reputation, to detect even the most sophisticated bots. Our new solution, Account Protect, focuses specifically on identifying and stopping even the most sophisticated account fraud, whether it’s led by bots or humans. Keeping up with bots’ evolving fingerprints, such as proxy usage, is key to fighting today’s main threats—and DataDome can handle it.
To get a better look at how DataDome can stop credential stuffing attacks, schedule a demo today.
*** This is a Security Bloggers Network syndicated blog from DataDome authored by Antoine Vastel. Read the original post at: https://datadome.co/threat-research/how-datadome-protected-grocery-chains-from-mobile-app-credential-stuffing-attack/