Tales from the Front Lines: Retailer Prepares for Holiday Bot Battle in a Matter of Weeks

December 7, 2020

Following on the retail win posted previously, this week’s win is a clothing and home décor retailer that had an account takeover (ATO)/credential validation challenge that their incumbent solution was unable to address. Bad actors were targeting the APIs supporting both their web and mobile logins and successfully executing ATOs. Once accounts were taken over, they were used to commit fraud or sold to other bad actors for their own use. At one point, the incumbent’s efficacy was so low that the customer was forced to block large swaths of IP addresses that included both the attackers and legitimate shoppers, resulting in user frustration.

The Search Was On

When the decision was made to move to a new vendor, the customer used their past experience to frame the key requirements to support their dynamic environment:

  • Bot mitigation should be deployed near their cloud-based applications, at the edge, as opposed to their AWS environment.
  • The customer wanted to minimize or eliminate infrastructure and mobile application integration, which limited the customer’s ability to rapidly deploy new applications.
  • Access to attack campaign information and the ability to export that data to other systems for a centralized view was critical.

During the initial conversations with Cequence, it appeared that the customer requirements were easily met; however, speed was of the essence, as the customer wanted deployment before the holidays. Cequence Bot Defense SaaS was deployed in a matter of hours, requiring only a traffic redirect from Amazon CloudFront to Bot Defense SaaS for analysis, then on to the application origin.

Without the additional development, QA and 3rd party validation cycles required by JavaScript and SDK integration, Bot Defense with CQAI allowed the development team to focus on delivering new apps and features quickly. Once deployed, analysis by CQAI began to show ongoing attacks against both mobile and web applications.

Working closely with the CQ Prime threat research team, several significant attack campaigns were uncovered:

  • A large ATO attack on the web login application that represented 35% of the total traffic at more than 1.5 million attack requests, averaging 200 requests per minute and distributed across more than 220,000 IP addresses.
  • An ATO attack on the mobile login that represented 98% of the traffic over a 2-day period, with more than 1.5 million requests distributed across 1,200 IPs at a rate of about 1,000 requests per minute.
  • A “low and slow” ATO was also observed on the mobile login with an average of 6 requests per minute distributed across a mere 50 IP addresses.

The final PoC requirement, exporting the Bot Defense findings and results to the customer’s centralized dashboard, was easily met using the standard set of APIs that enable data to be exported to external systems, thereby enhancing the organization’s collective security posture.

No Additional Vendor Analysis Needed

The evaluation of Bot Defense was both rapid and successful – so much so that the customer chose to halt any further evaluation of other bot mitigation vendors. The next step was licensing, threat hunting training with the CQ Prime threat research team, and ramping up to full production to be ready for the holidays.

Learn more about how Bot Defense sets itself apart from other, first-generation bot mitigation alternatives here.


About the Author

Matt Keil

Director of Product Marketing
