Tales from the Front Lines: Retailer Prepares for Holiday Bot Battle in a Matter of Weeks

December 7, 2020 | by Matt Keil

Following on the retail win posted previously, this week’s win is a clothing and home décor retailer that had an account takeover (ATO)/credential validation challenge that their incumbent solution was unable to address. Bad actors were targeting the APIs supporting both their web and mobile logins and successfully executing ATOs. Once taken over, the accounts were used to commit fraud or sold to other bad actors for their own use. At one point, the incumbent’s efficacy was so low that the customer was forced to block large swaths of IP addresses that included both the attackers and legitimate shoppers, resulting in user frustration.

The Search Was On

When the decision was made to move to a new vendor, the customer used their past experience to frame the key requirements to support their dynamic environment:

  • Bot mitigation should be deployed near their cloud-based applications, at the edge, rather than inside their AWS environment.
  • The customer wanted to minimize or eliminate infrastructure and mobile application integration work, which had limited their ability to rapidly deploy new applications.
  • Access to attack campaign information, and the ability to export that data to other systems for a centralized view, was critical.

During the initial conversations with Cequence, it appeared that the customer requirements were easily met. Speed, however, was of the essence, as the customer wanted deployment before the holidays. Cequence API Spartan SaaS was deployed in a matter of hours, requiring only a traffic redirect from Amazon CloudFront to API Spartan SaaS for analysis, then on to the application origin.

Without the additional development, QA and third-party validation cycles required by JavaScript and SDK integration, API Spartan with CQAI allowed the development team to focus on delivering new apps and features quickly. Once deployed, analysis by CQAI began to show ongoing attacks against both the mobile and web applications.

Working closely with the CQ Prime threat research team, several significant attack campaigns were uncovered:

  • A large ATO attack on the web login application that represented 35% of the total traffic at more than 1.5 million attack requests, averaging 200 requests per minute and distributed across more than 220,000 IP addresses.
  • An ATO attack on the mobile login that represented 98% of the traffic over a two-day period, with more than 1.5 million requests distributed across 1,200 IPs at a rate of about 1,000 requests per minute.
  • A “low and slow” ATO was also observed on the mobile login with an average of 6 requests per minute distributed across a mere 50 IP addresses.
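The three campaigns above differ mainly in rate and in how thinly they are spread across source IPs, which is why an IP blocklist alone fails against them. The following added example (not code from the original post or from Cequence) shows how a defender can summarise login traffic per endpoint from a simple access log and separate a volumetric campaign from a low-and-slow one. The log format, the sample traffic, the use of the failed-login ratio as the discriminator, and every threshold are constructed assumptions for the example; the sample log reproduces the rough shape of the campaigns described, not their actual numbers.

```python
"""Summarise login traffic per endpoint and flag the campaign shapes described above.

Everything here is constructed for the example: the log format, the sample
traffic and the thresholds. It is not Cequence code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 timestamp> <source IP> <request path> <HTTP status>"
def parse_line(line):
    ts, ip, path, status = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status)

def summarise(lines):
    """Per-path request count, requests/minute, distinct IPs, failure ratio and share of all traffic."""
    acc = defaultdict(lambda: {"requests": 0, "ips": set(), "failures": 0, "first": None, "last": None})
    total = 0
    for line in lines:
        ts, ip, path, status = parse_line(line)
        s = acc[path]
        s["requests"] += 1
        s["ips"].add(ip)
        if status == 401:          # credential stuffing produces mostly failed logins
            s["failures"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        total += 1
    stats = {}
    for path, s in acc.items():
        minutes = max((s["last"] - s["first"]).total_seconds() / 60.0, 1.0)  # never divide by a zero-length window
        stats[path] = {
            "requests": s["requests"],
            "rpm": s["requests"] / minutes,
            "distinct_ips": len(s["ips"]),
            "requests_per_ip": s["requests"] / len(s["ips"]),
            "failure_ratio": s["failures"] / s["requests"],
            "traffic_share": s["requests"] / total,
        }
    return stats

# Thresholds are assumptions for the example; tune them against a real traffic baseline.
def classify(s, volumetric_rpm=100.0, min_failure_ratio=0.8, min_requests=20):
    if s["requests"] < min_requests or s["failure_ratio"] < min_failure_ratio:
        return "normal"
    if s["rpm"] >= volumetric_rpm:
        return "volumetric ATO"
    return "low-and-slow ATO"      # low rate, sustained, still mostly failures

def detect(lines):
    """Map each request path to a label."""
    return {path: classify(s) for path, s in summarise(lines).items()}

def build_sample_log():
    """Constructed traffic: a fast web-login campaign, a slow mobile-login campaign and ordinary traffic."""
    base = datetime(2020, 12, 1, 9, 0, 0)
    lines = []
    # 600 requests in two minutes from 300 IPs, about 95% failures
    for i in range(600):
        ts, ip = base + timedelta(seconds=i * 0.2), f"10.0.{(i % 300) // 256}.{(i % 300) % 256}"
        lines.append(f"{ts.isoformat()} {ip} /api/web/login {200 if i % 20 == 0 else 401}")
    # 60 requests over ten minutes (about 6 per minute) from 50 IPs, mostly failures
    for i in range(60):
        ts, ip = base + timedelta(seconds=i * 10), f"192.0.2.{i % 50}"
        lines.append(f"{ts.isoformat()} {ip} /api/mobile/login {200 if i % 30 == 0 else 401}")
    # 30 ordinary profile requests over ten minutes from 25 IPs, mostly successes
    for i in range(30):
        ts, ip = base + timedelta(seconds=i * 20), f"198.51.100.{i % 25}"
        lines.append(f"{ts.isoformat()} {ip} /api/web/profile {401 if i % 10 == 0 else 200}")
    return lines

if __name__ == "__main__":
    for path, s in summarise(build_sample_log()).items():
        print(f"{path:20} {classify(s):18} rpm={s['rpm']:.1f} ips={s['distinct_ips']} "
              f"req/ip={s['requests_per_ip']:.1f} fail={s['failure_ratio']:.2f}")
```

The point of the `requests_per_ip` and `distinct_ips` columns is that the slow campaign sends only about one request per IP per window, so a per-IP rate limit never triggers; the endpoint-level failure ratio is what exposes it, which is also why blocking IP ranges caught legitimate shoppers without stopping the attack.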

The final PoC requirement, exporting the API Spartan findings and results to the customer’s centralized dashboard, was easily met using the standard set of APIs that enables data to be exported to external systems, thereby enhancing the organization’s collective security posture.

No Additional Vendor Analysis Needed

The evaluation of API Spartan was both rapid and successful – so much so that the customer chose to halt any further evaluation of other bot mitigation vendors. The next steps were licensing, threat hunting training with the CQ Prime threat research team, and ramping up to full production to be ready for the holidays.

Learn more about how API Spartan sets itself apart from other, first-generation bot mitigation alternatives here.

Author: Matt Keil, Director of Product Marketing
