How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
What is Web Scraping and Why is it a Threat?
Web scraping is the automated process of extracting large amounts of data from websites. While some scraping is legitimate (e.g., search engine crawlers), malicious scraping can be a significant threat. Competitors may scrape pricing data to undercut your business, attackers can steal proprietary content, and automated bots can create performance issues by overwhelming your servers.
Effective mitigation requires a multi-layered approach, as sophisticated scrapers are designed to mimic human behavior and evade simple defenses.
1. Basic Mitigation Techniques
These methods can deter simple, unsophisticated scrapers but are often easily bypassed by more advanced bots.
-
Rate Limiting: The most fundamental defense is to limit the number of requests a single IP address can make in a given time frame. If a client exceeds the threshold, their requests can be temporarily blocked or challenged. However, advanced scrapers use large pools of residential or datacenter proxies to distribute their requests across thousands of IPs, rendering simple IP-based rate limiting ineffective.
-
Robots.txt: The
robots.txtfile is a convention that tells well-behaved bots which parts of your site they should not crawl. While it's good practice to have one, malicious scrapers will simply ignore it. It is not a security mechanism. -
Require CAPTCHAs: A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) can be presented to users exhibiting suspicious behavior. While effective against basic bots, modern scrapers often use CAPTCHA-solving services, where human workers or AI solve challenges for a fee. Overusing CAPTCHAs can also harm the user experience for legitimate visitors.
2. Intermediate Mitigation Techniques
These techniques raise the bar for attackers, requiring them to invest more resources and sophistication.
-
Block Outdated User-Agents: Many simple scraping scripts use default or outdated User-Agent strings (e.g.,
python-requests/2.25.1). Maintaining a blocklist of common non-browser User-Agents can filter out a significant amount of low-effort scraping traffic. Sophisticated scrapers, however, will spoof legitimate, up-to-date User-Agent strings. -
Monitor for Headless Browsers: Modern scraping tools like Puppeteer and Selenium control real browsers in a "headless" mode (without a graphical user interface). It is possible to detect the presence of these tools by checking for specific JavaScript properties and browser inconsistencies that are characteristic of automated environments (e.g., the
navigator.webdriverproperty). -
Block Requests from Known Proxy/VPN Services: Maintain a list of IP addresses associated with common datacenter proxy providers, VPNs, and Tor exit nodes. While this can block many bots, it may also block legitimate privacy-conscious users. It is also less effective against residential proxy networks, which use real, legitimate user IP addresses.
3. Advanced Mitigation Techniques (Bot Management Solutions)
Sophisticated scraping operations require a dedicated, adaptive defense. This is where commercial bot management solutions excel, using a combination of advanced techniques.
-
Browser and Device Fingerprinting: This is one of the most effective techniques. It involves collecting a rich set of signals from the client, including:
- TLS Fingerprinting (JA3/JA4): Analyzing the parameters of the initial TLS handshake, which can reveal the underlying library or client used to make the request.
- HTTP/2 Fingerprinting: Examining the settings and frame priorities of an HTTP/2 connection.
- Browser Fingerprinting: Using JavaScript to collect hundreds of attributes about the browser and device, such as fonts, plugins, screen resolution, canvas rendering, and WebGL data. This creates a unique signature that can identify and track clients even if they change their IP address.
-
Behavioral Analysis: Instead of looking at individual requests, this technique analyzes user behavior over time. It tracks metrics like mouse movements, typing speed, page navigation patterns, and time spent on page. Bots often exhibit non-human patterns, such as impossibly fast navigation or perfectly linear mouse movements, which can be used to identify them.
-
Reputation Analysis: Bot management solutions maintain a global network that tracks billions of requests. They use this data to build reputation scores for IP addresses, devices, and browser fingerprints. If a fingerprint has been associated with malicious activity on another site, it can be proactively challenged or blocked on yours.
-
AI and Machine Learning: Advanced systems use machine learning models to continuously adapt to new bot techniques. These models can identify subtle, emerging patterns of automated behavior that would be impossible to detect with static rules.
Conclusion
Mitigating web scraping is an ongoing cat-and-mouse game. While basic techniques can provide a baseline level of protection, a robust, multi-layered strategy that includes advanced fingerprinting and behavioral analysis is necessary to defend against sophisticated, persistent threats.
Related Articles
What is an Account Takeover?
An overview of Account Takeover Attacks
Anatomy of a Credential Stuffing Attack
A step-by-step breakdown of how credential stuffing attacks are carried out, from obtaining stolen credentials to bypassing defenses and taking over accounts.
What is Anycast DNS?
An introduction to Anycast DNS
What is an Apex Domain?
A quick description about what an Apex Domain is.
Best Practices for API Key Management and Rotation
Learn the essential best practices for managing and rotating API keys to enhance security, prevent unauthorized access, and minimize the impact of key compromise.