Introduction

As Halloween approaches, the idea of costumes and disguises takes center stage, but the spirit of deception isn’t limited to one night. In the digital world, cyberattacks can also wear masks, concealing their true intentions to slip past defenses. Just as a costume can obscure who’s behind the mask, certain attacks can disguise themselves as other types of threats. These deceptive tactics pose unique risks, especially in security environments where an attack in disguise can divert attention and resources, leaving a network vulnerable. As we explore the concept of attacks masquerading as other attacks, we’ll uncover how these hidden threats evade detection and why identifying their true form is essential for comprehensive cybersecurity.

Common Hidden Threats

Some attacks use a mask of sorts to blend in with other threats, making them difficult to detect and manage. By imitating high-traffic patterns or mimicking human behavior, these attacks exploit assumptions and slip past standard defenses. Two common examples include account takeover (ATO) attempts disguised as DDoS attacks and bots camouflaged as legitimate user traffic. Each tactic relies on appearances to mislead security teams, causing critical delays in response and creating openings for further exploitation. 

Account Takeover (ATO) Masquerading as DDoS

At first glance, a surge of login attempts might seem like a Distributed Denial of Service (DDoS) attack—a flood of traffic designed to overwhelm systems. However, beneath the surface, attackers may be using brute force or credential stuffing tactics in a strategic account takeover (ATO) attempt. By mimicking the high-volume activity typical of a DDoS, these attackers disguise their efforts to break into user accounts under the cover of traffic noise. Unlike traditional DDoS, which aims to disrupt service, an ATO attack seeks access to user accounts for data theft or fraud. On average, we see about 900 ATO attacks masquerading as DDoS on a daily basis. 

This disguise can also be accidental. High-volume ATO attacks, especially those conducted by sophisticated tools that can send many requests, can sometimes unintentionally function as a DDoS attack if the site is unable to process the requests as they’re coming in. 

Distinguishing between DDoS and ATO attacks can be challenging, as both exhibit abnormal traffic patterns, but subtle differences—like failed login attempts or traffic directed solely at login endpoints—can hint at an ATO in disguise. Knowing the difference between the attacks can lead to better and more accurate mitigation. For example, if you identify ATO as DDoS you might start sending CAPTCHA challenges to site visitors. Not only can this mitigation technique impact all visitors indiscriminately, it can also prove to be ineffective against ATO tools that support CAPTCHA solving. It’s important to have capable cyber defenses that can detect the difference, and use the most effective mitigation no matter how the attack started.  

Bot Attacks Disguised as Legitimate User Traffic

Sophisticated bots have evolved to look and act like real users, often bypassing standard bot management systems and Web Application Firewalls (WAFs) by blending in with regular traffic. As Imperva’s Bad Bot Report explains, these advanced bots mimic human behavior—like mouse movements, page scrolling, and clicks—to slip under the radar, posing as legitimate visitors. These evasive bots also use more complex tactics like cycling through random IPs, entering via anonymous proxies, using residential proxies, and defeating CAPTCHA challenges in order to appear more human. They use a “low and slow” approach to avoid detection and carry out significant attacks using fewer requests, reducing the “noise” generated by many bad bot campaigns. This makes them particularly difficult to identify, as traditional detection methods often rely on differentiating between bot and human traffic. The challenge lies in spotting these masked bots within normal user patterns, where they can conduct fraudulent activities or collect data while going largely undetected.

So far this year, 32% of bot traffic comes from advanced bots. This traffic overwhelmingly targets the Retail and Travel industries, collectively accounting for 50% of advanced bot traffic. The travel industry is incredibly targeted by bad bots, as threat actors have learned that actions like seat spinning or price scraping can be highly profitable. The retail industry faces similar attacks from advanced bots, as threat actors leverage them to execute high-value actions like inventory hoarding, price scraping, and competitive data gathering. While many bot defenses are prepared to deal with bot scraping and other attacks, it’s much harder to detect and mitigate bots that are acting like humans. 

Why Attackers Use Disguises

One strategy attackers use to evade detection is creating “noise” through high-traffic, attention-grabbing attacks like DDoS, which can overwhelm monitoring systems and divert security focus. By flooding a network with a barrage of traffic, attackers mask more targeted and insidious activities, such as data exfiltration or account compromise attempts, under the guise of a large-scale DDoS assault. While security teams scramble to contain what appears to be a direct attack on availability, the true intent operates beneath the surface, allowing attackers to maintain a foothold within the network without raising suspicion. 

Disguised attacks can be highly effective at pulling resources in the wrong direction, leading security teams to prioritize the apparent threat while the real objective goes unaddressed. When a network is hit with what seems like a large-scale DDoS attack, for example, IT and security personnel may rush to allocate bandwidth, deploy anti-DDoS measures, and monitor traffic volume, all while a stealthier attack, such as data theft or ransomware setup, proceeds in the background. This resource diversion not only drains time and energy but also opens doors for secondary attacks, as distracted teams may miss other warning signs or potential vulnerabilities elsewhere in the system.

Some attacks are designed to stay hidden for as long as possible, quietly gathering data under the cover of seemingly benign activity. By blending in with regular traffic patterns or imitating low-level bot activity, attackers can evade anomaly detection tools and collect valuable data over an extended period. These “low and slow” attacks operate below the radar, avoiding triggers that might activate alarms or draw attention. One attack in particular lasted over two weeks, collectively trying over 11 million distinct logins over this period, while trying to remain undetected. Whether they’re harvesting login credentials, gathering business intelligence, or slowly probing for vulnerabilities, these long-term data collection efforts rely on their disguises to remain undetected until the attacker is ready to act or sell the information on.

Conclusion

Maintaining vigilance against cyberattacks that may be disguised as something else is essential for organizations navigating today’s complex digital landscape. As cyber threats continue to evolve in sophistication, it’s important to adopt a comprehensive strategy that combines DDoS protection, advanced bot management, and behavior analytics for comprehensive coverage. By integrating multiple layers of security, organizations can create a formidable defense against a wide array of potential threats, ensuring they are equipped to handle attacks that may not present themselves in traditional ways.

As we embrace this ongoing challenge, let us remember that just as Halloween costumes come off at midnight to reveal what lies beneath, it’s important to ensure your defenses are equally adept at stripping away the disguises of attacks. By revealing the true intent behind these threats, you can better protect your digital assets and maintain the trust of your customers in an increasingly perilous online environment. Happy Halloween!