That is, this event originated from a proxy IP address (proxy_ip) where the device information indicates that the event was scripted (bot_behavior) and there are many different accounts in use on the device the event was sent from (multiple_accounts_per_device). Also, the user's email address is from a domain commonly used to create one-off addresses (disposable_email).
Note: This feature is enabled for environments created after April 19, 2021. Please contact Castle support if you would like to enable this feature for environments created before this date.
List of signals
By looking at the interaction patterns on the device, Castle detects non-human, scripted behavior. This signal then indicates that a request was produced programmatically by a script or a program, rather than by human interaction.
Credential stuffing is an automated attack in which stolen account credentials, in particular e-mail addresses, are used to gain unauthorized access to user accounts. Credential stuffing attacks, unlike credential cracking, do not attempt to guess any passwords with brute force, but rather leverage a list of leaked credentials.
This signal triggers when an attacker is either repeating the same email pattern or submitting completely random emails. The email provider may still be legitimate and non-disposable, but the full email address indicates that it was auto-generated.
This signal learns what is typical behavior for a user account and then detects anomalous bursts of requests. This is often correlated with automated attacks or abuse.
This signal learns what is typical behavior for a device and then detects anomalous bursts of requests. This is often correlated with automated attacks or abuse.
This signal learns what is the typical rate of traffic coming from IP addresses and then detects anomalous bursts of requests. This is often correlated with automated attacks or abuse.
This is triggered by comparing the user's current location with their last known location and then detecting trips that are highly unlikely, or even impossible, given the time between the two events. This signal correlates with man-in-the-middle attacks, account takeovers, and offshore attacks.
The device, from which this event originated, has been used to log into multiple user accounts. This could indicate account abuse or promotion abuse.
Device data error
The data forwarded from the device to the server is empty. This is possibly due to an attacker attempting to bypass the client-side analysis, however, it could also be due to a misconfigured integration.
The data forwarded from the device to the server could not be interpreted, most likely due to a replay attack or request tampering.
There is evidence that the request is not coming from a genuine device but that the device parameters have been changed or are fabricated. This includes using a device emulator that mimics the entire client context of the device or simply changing the user agent string in the browser.
A headless browser is a browser that can be used without a graphical interface. It can be controlled programmatically to automate attacks like web scraping, fake account registrations, and credit card testing.
HTTP client libraries are used to send requests to an application with relatively little effort using a command line or a script. They are frequently used in less sophisticated but high-volume automated attacks and abuse.
A web crawler is an application that searches and indexes documents on the Internet. It should be considered abnormal if an authenticated user is claiming to be a web crawler.
This signal indicates that the email address was issued by a service that issues temporary inboxes that expire after a short time. Examples of such services are Mailinator, TempMail, and Guerrilla Mail.
An email address that does not conform to internet email standards, or which does not exist on the recipient's server. Examples include addresses without the @ sign, addresses that include certain special characters and/or spaces, or failed SMTP authentication attempts.
An IP address that was recently found in one of many publicly accessible abuse and spam databases.
An IP address belonging to a hosting provider, data center, or content delivery network can serve to provide anonymity, as well as be used to launch large-scale automated fraud campaigns.
Proxy servers are used to mask the true location of a device. This signal identifies requests coming from proxy servers both by running the IP address against lists of known proxy IPs and by identifying timezone and timing anomalies that indicate that the traffic was routed through a proxy server.
Tor anonymizes internet traffic and is frequently used by fraudsters to conceal their true location. A Tor IP is an IP address that matches an entry in Tor's official list of exit nodes.
Novel user attributes
This signal triggers when a user account was accessed from a new country. It only triggers once per user and country combination.
This signal triggers when a user account was accessed from a new device. It only triggers once per device and does not trigger for the user's first device.
This signal triggers when a user account was accessed from a new device type. It only triggers once per user and device type combination.
This signal triggers when a user account was accessed from a new Internet Service Provider. It only triggers once per user and ISP combination.
This signal triggers when a user account was accessed from a device using a new language setting. It only triggers once per user and language combination.
This signal triggers when a user account was accessed from a new Operating System. It only triggers once per user and OS combination.