Posted On: Feb 14, 2022

AWS WAF announces the launch of AWS WAF Fraud Control - Account Takeover Prevention to protect your application’s login page against credential stuffing attacks, brute force attempts, and other anomalous login activities. Account Takeover Prevention enables you to proactively stop account takeover attempts at the network edge. With Account Takeover Prevention, you can prevent unauthorized access that may lead to fraudulent activities, or you can inform affected users so that they can take preventive action.

Account Takeover Prevention is offered through AWS Managed Rules. Once added to your AWS WAF web ACL, it compares usernames and passwords submitted to your application against credentials that have been compromised elsewhere on the web. It also monitors for anomalous login attempts from bad actors by correlating requests seen over time, detecting and mitigating irregular login patterns, brute force attempts, and credential stuffing. Account Takeover Prevention is scoped down by default to act on your login page only. With optional JavaScript and iOS/Android SDK integrations, you can receive additional telemetry on devices that attempt to log in to your application, giving better protection against automated login attempts by bots. Account Takeover Prevention can also be used in conjunction with AWS WAF Bot Control and AWS Managed Rules to create a comprehensive defense layer against bots targeting your application.

To get started, navigate to the AWS WAF console and create a new web ACL, or select an existing web ACL. Follow the wizard to choose an AWS resource to protect. Choose Account Takeover Prevention from the list of managed rule groups. Enter the URL path of your application’s login page and indicate where the username and password fields are located within the body of the HTTP requests used to log in.
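The same configuration expressed as a web ACL rule, as an added example that is not from the announcement or the AWS documentation. The login path `/api/login`, the JSON field pointers `/user` and `/pass`, and the metric name are constructed values for this example; the rule group name `AWSManagedRulesATPRuleSet` and the `ManagedRuleGroupConfigs` keys reflect the AWS WAF API as it was at launch and should be checked against the current developer guide before use.

```json
{
  "Name": "atp-login-protection",
  "Priority": 10,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesATPRuleSet",
      "ManagedRuleGroupConfigs": [
        { "LoginPath": "/api/login" },
        { "PayloadType": "JSON" },
        { "UsernameField": { "Identifier": "/user" } },
        { "PasswordField": { "Identifier": "/pass" } }
      ]
    }
  },
  "OverrideAction": { "None": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "atp-login-protection"
  }
}
```

`OverrideAction: None` keeps the rule group's own block actions; switching it to `Count` lets you observe matches in sampled requests and CloudWatch metrics before enforcing, and a `PayloadType` of `FORM_ENCODED` with field names instead of JSON pointers is the equivalent for a classic HTML form post.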

AWS WAF Fraud Control - Account Takeover Prevention is available today in the US East (N. Virginia), US West (Oregon), Europe (Ireland), Europe (London), and Asia Pacific (Singapore) AWS Regions. Visit the AWS WAF pricing page for information about Account Takeover Prevention fees. To learn more, please see the AWS WAF developer guide. To learn more about AWS WAF, please see the AWS WAF website.