Increasing Costs, Decreasing ROI, Force Attackers to Give Up
In addition, attackers must invest in a costly proxy service leveraging mobile and residential ISP IP addresses, as a basic proxy service would no longer suffice. Their hosting costs will double (about $100 per month) per site they attack to manage the more complex workflow of solving the Arkose Protect™ challenges. Further, they must integrate the botnet with a CAPTCHA-solving service, which costs about $2.12 per 1,000 requests.
Attackers will spend significantly more time to complete a credential stuffing attack, making the attack more noticeable and prone to mitigation, which increases the number of retries required. Considering that the CAPTCHA solving service requires four tries for every successful validation, a million credentials would need four million requests to validate, costing about $8,480. Therefore, the total annual cost to attack a single website protected with Arkose Protect™ is more than $18,000.
To avoid detection, attackers must revisit their approach and devise a more sophisticated attack strategy to ensure:
The traffic is spread across a large number of nodes (a botnet of over 10,000 nodes spanning several continents is common);
The traffic looks like it is coming from residential and mobile ISPs, since traffic coming from data centers is generally considered more suspicious;
The attack traffic mimics the legitimate traffic as much as possible. For example, if users are expected to follow a specific path before reaching a resource, such as first visiting the site’s home page, then accessing the login page, and eventually logging in, the attack traffic must follow a similar workflow;
The expected data is sent with some variety in the fingerprint, while the fingerprint remains valid so that it is not detected. This is because bot or fraud detection products typically collect a client-side fingerprint consisting of device and browser characteristics and user preferences, which is then evaluated to differentiate bots from humans or to uniquely identify devices;
Failed attempts are resubmitted, as a large majority of the attack traffic will be successfully detected and blocked or challenged. This increases the time to complete the attack.
Arkose Labs helps leading social media platforms protect their platforms and consumers’ digital accounts with its future-ready bot management solution, while preserving the user experience. The smart bot management solution increases the cost of attacks and diminishes potential returns, forcing bad actors to abandon the attack or look for an unprotected target.