• Life at Kasada
  • Book a call
Use cases
  • Account Takeover
  • API Protection
  • CAPTCHA Alternative
  • Content scraping
  • Checkout Fraud
  • Fake Account Creation
  • GenAI Abuse
Industries
  • Airlines
  • eCommerce & Retail
  • Energy & Utilities
  • Financial Services & FinTech
  • Media, Entertainment & Gaming
  • SaaS & Internet
  • Travel & Hospitality
Retooling:

How Attackers Bypass Traditional Bot Management

Learn more
Kasada Bot DefenseStop sophisticated bots, scrapers, and automated attacks before they impact your businessKasada Account IntelligenceDetect coordinated fraud and repeat abuse hiding across accounts, sessions, and devices.Kasada AI Agent TrustVerify AI agent and control what crawlers, bots, and agents can access.KasadaIQ for FraudSee warning signs before fraud occurs. Prevent bot attacks on your business logic and customer data. Know that Kasada is listening to millions of signals and safeguarding your business.
One platform. One detection engine. Four connected capabilities.
Life at Kasada
Resources
  • Blog
  • Case Studies
  • Reports
  • Events
  • Infographics
  • Videos
  • Data Sheets
Kasada Introduces Account Intelligence to Address a Gap in Fraud PreventionKasada Introduces Account Intelligence to Address a Gap in Fraud PreventionAI agent trust: What to allow, what to block, and what to prepare forAI agent trust: What to allow, what to block, and what to prepare for

Take the next step to stopping threats now.

Loading form...

Solutions
  • Account Takeover
  • API Protection
  • CAPTCHA Alternative
  • Checkout Fraud
  • Content Scraping
  • Fake Account Creation
Contact
  • Contact Us
  • Check My Site
  • Book a Call
  • Become a Partner
  • Support
Resources
  • Blog
  • Case Studies
  • Data Sheets & Reports
  • Events & Webinars
  • Infographics
  • Integration
  • Compliance
Company
  • Life at Kasada
  • Join Our Team
  • About Us
Blog

Why Digital Fingerprinting for Bot Mitigation Is Ineffective


The long-term efficacy of a bot mitigation solution depends on the integrity of the data being collected. What happens when bots manipulate the data?

KasadaIQApril 30, 2021
  • Digital Fingerprint Harvesting
  • Harvesting Other Data to Manipulate Automated Browsers
  • Advanced Harvesting Techniques Require New Approaches

Co-authored by Nick Rieniets, Kasada Field CTO

The long-term efficacy of a bot mitigation solution depends on the integrity of the data being collected. But what happens when the client (bot) manipulates the data?

A successful bot operation must master the art of blending into the crowd. Each session that the bot sends must simultaneously look different from the other sessions whilst appearing identical to human requests. Mastering the art of dynamic deception allows the bot operator to avoid being classified as a bot.

Digital Fingerprint Harvesting

Bot operators work in communities that share ideas. Some of these communities sell toolkits or even whole-stolen digital fingerprints. Digital fingerprints are copies of real user sessions and browser data, and they can be loaded into bot frameworks to almost exactly imitate a real user who is using a browser. This allows them to fool the data collection and classification process of bot mitigation vendors.

These datasets are obtained in a few different ways, but the primary method uses browser or device malware. An unsuspecting user would download and run a malicious file that would infect the users’ machine. When the user opens targeted sites, the insidious code would then begin silently collecting real cookies and other browser information, such as mouse clicks, before sending it home to a command server. Fraudsters then resell this data, usually on the dark web.

The predominantly Russian-based anti-detect browsers, such as MultiLogin and LikenSphere, allow users to import harvested fingerprints. These tools allow for “full stack request rotation” – meaning that each session can be sent with a different set of request headers with a matching digital fingerprint.

Digital fingerprint harvesting, as an adversarial technique, was developed to combat the early-stage bot mitigation solutions. This technique is highly effective against a bot mitigation solution that identifies bots based on fingerprint commonality. In the continuous game of cat vs. mouse, these techniques ultimately lead to the evolution of the next generation of vendors, such as Kasada.

Want to learn more?

  • AI Agents Just Broke The Funnel. Forrester's Recent Research Says Security And Marketing Have To Fix It Together

    AI Agents Just Broke The Funnel. Forrester's Recent Research Says Security And Marketing Have To Fix It Together

    The "block all bots" era is over. Read our breakdown of Forrester's latest research on why marketing and security must join forces to survive the new wave of AI agents.

    Read more
  • Top Threats We're Tracking in April

    Top Threats We're Tracking in April

    KasadaIQ analyst commentary on the threat environment

Harvesting Other Data to Manipulate Automated Browsers

Digital fingerprint harvesting isn’t the only approach bot operators use to fool ineffective bot mitigation vendors. The more common practice in these bot builder communities is to keep a record of which things a particular vendor is looking for in order to identify bots as automated activity.

A community-based approach like this is effective against most bot mitigation vendors, and it erodes the information asymmetry needed to win a defensive position. Popular open source projects, like Puppeteer Extra Stealth Plugin, focus on customising automated browsers to evade detection. To do this, they leverage the knowledge of specific client-side attributes that a particular vendor is collecting and analyzing. They modify Puppeteer so that the attributes almost exactly match what would be collected from a regular Chrome browser that is used by a real human.

This represents the next level of complexity for bot operators: the act of customising a browser, by either importing a digital fingerprint or removing the remnants of an automation toolkit.

Advanced Harvesting Techniques Require New Approaches

The bottom line is that bot operators are successfully evading bot mitigation solutions that rely on device fingerprinting. Bot mitigation vendors need to make it extremely difficult for attackers to understand what information is being collected, whether it is through not using device fingerprinting or other methods. This breaks the DevOps cycle of the bot builder, preventing them from understanding why their bot is being detected, frustrating them, and forcing them to give up.

To learn more about how Kasada extends beyond outdated device fingerprinting approaches and obscures the data it collects, read our blog about advanced obfuscation or schedule your free threat briefing.

Read more

Defeats threats,
not your customersDefeats threats,
not your customers

Start deploying today