By Kevin Gosschalk, CEO and Cofounder, Arkose Labs

Hackers are employing a new type of attack that has quickly become the scourge of network cybersecurity systems, getting around even advanced detection tools by using techniques that allow them to impersonate authentic individual web requests. The attacks, in effect, hide in plain sight by posing as everyday users, opening the door to a wide array of fraud and abuse.

Called Single Request Attacks, they are increasingly being used in the most advanced automated attacks conducted at scales, such as account takeover (aka credential stuffing), creation of fake users, spam, use of stolen account cards and denial of inventory. They’re also becoming common tools for hackers that cheat online marketplaces, generate fake accounts, and scrape valuable content from websites.

Single Request Attacks, despite their name, don’t occur in a single instance but are delivered through an organized network of automation as part of a flood of malicious requests. While they may appear to be a single request from one legitimate user, they are actually part of a large-scale coordinated campaign.

The attacks employ a sophisticated protocol of tactics designed to convince a receiving network that the requests are coming from human users with authentic intent. Typically, the attacks are carried out using a headless browser—which uses command line rather than a graphical user interface—that can execute Javascript in just the way you’d expect from a legitimate user. They also use a dynamic fingerprint so the device origination can’t be identified, and similarly adapt their network fingerprint to prevent identification of the IP address.

By taking this approach, they avoid the tell-tale signs of an attack that most fraud prevention and bot mitigation platforms look for, and thus can get waved into the network. They also get by defensive artificial intelligence and dynamic rule-based systems, which study observable patterns in order to identify anomalous behavior, because Single Request Attacks each appear to be unique instances.

As an example, Hong Kong Express Airways (HKE), a low-cost Asian carrier, released its online ticketing platform and quickly began noticing a sharp increase in tickets reserved, but not purchased. This effectively made the available ticket inventory invisible to genuine customers looking for low-cost airfares. Despite increased reservations, the number of booking transactions decreased significantly with a noticeable impact on the carrier’s revenue. HK Express later discovered that the attacks were particularly sophisticated in that the reservations appeared to originate from unique users thanks to a multitude of client-side data disguises. Masqueraded as genuine customers, hackers used bots to overwhelm the online ticketing platform with seemingly legitimate reservations. Each bot in the attack was capable of generating and repeating a large number of reservation requests and was programmed to occupy as much of the airline’s ticket inventory as possible.

The most effective way to defend against Single Request Attacks is to meet them face to face by independently challenging suspicious requests that would otherwise not meet traditional risk thresholds. In addition, this approach neutralizes hackers and eliminates their ability to adjust attack techniques on the fly.

The Arkose Labs Platform leverages adaptive step-up to shine a light on hackers, stopping them at the gate, while allowing genuine customers to pass. For authentic users, the process is seamless with no added friction to the customer experience. Meanwhile, it eliminates the economic incentive that hackers have by slashing the possible return on investment to such a point that their attack isn’t worth the effort–or financial cost.

Single Request Attacks are the number one invisible security threat today because they undermine the long-term effectiveness of incumbent cybersecurity defenses. Single Request Attacks facilitate a dangerous blind spot in decisions because they allow nefarious behavior to go unnoticed by enabling hackers to operate invisibly. Enterprises must prepare for this latent threat by implementing a continuously-validated approach that challenges suspicious requests without impacting the customer experience.

About the Author

Kevin Gosschalk is the CEO and Cofounder of Arkose Labs, where he leads a team of people focused on telling computers and humans apart on the Internet. Before Arkose Labs, Kevin worked on gaming hardware for the intellectually disabled at the Endeavour Foundation and built a unique device incorporating Microsoft’s Kinnect Camera technology. Noted for his involvement in interactive development and machine vision, Kevin then turned his expertise to automated abuse and human verification — often regarded as the Internet’s impossible problem. Today, Arkose Labs has transformed the irritating chore of comprehension into an SLA-guaranteed technology that prevents automated abuse for brands like Electronic Arts, Singapore Airlines, and Roblox. Kevin can be reached online at and at our company website