I'm running a marketplace and we've been experiencing various forms of credit card fraud. The fraudsters are trying to evade detection by constantly changing their IP addresses after each attempt. Luckily, we've implemented a Web Application Firewall (WAF) and the JA4 fingerprinting helps us identify fraudulent transaction attempts when we notice multiple attempts from the same JA4 device ID, even if the IP addresses are different.
Currently, we have a manual process to handle this, but I'm wondering if there's a way to automate blocking users who switch between multiple IPs using the same JA4 ID within a specific time frame. We want to be cautious not to block real users who might be on dynamic IPs or switching networks. Typically, these fraud attempts happen with them changing IPs every 5 minutes across a span of 1 to 2 hours.
It would be incredible if we could set up AWS WAF to automatically block a JA4 ID if it detects more than a certain number of IPs linked to that ID within a defined time period!
2 Answers
Be cautious about blocking based solely on JA4 fingerprints. They aren’t strictly unique to individual devices, so attackers and legitimate users might have the same fingerprint. It's a good idea to combine other methods along with JA4 for better accuracy.
As far as I know, AWS WAF doesn't have a built-in rule for that specific scenario. It might be best to track the JA4 IDs and associated IP addresses, then run a query to check for activity over a time window and handle the blocking in your app's middleware instead.
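The tracking the answer above describes, written out as an added example (not code from the original thread or from AWS): a sliding-window count of distinct client IPs per JA4 fingerprint over a few constructed request records, returning the fingerprints that exceed the threshold so the application layer can decide what to do with them. The record layout, the fingerprint strings and the IP addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, JA4 fingerprint, client IP).
# Fingerprints and IPs are placeholders, not observed values.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "t13d1516h2_000000000001_000000000002", "203.0.113.10"),
    ("2024-05-01T10:05:00", "t13d1516h2_000000000001_000000000002", "203.0.113.11"),
    ("2024-05-01T10:10:00", "t13d1516h2_000000000001_000000000002", "198.51.100.7"),
    ("2024-05-01T10:15:00", "t13d1516h2_000000000001_000000000002", "192.0.2.44"),
    # Same fingerprint from two IPs a day apart: a roaming user, must not be flagged.
    ("2024-05-01T10:02:00", "t13d1517h2_000000000003_000000000004", "203.0.113.50"),
    ("2024-05-02T10:02:00", "t13d1517h2_000000000003_000000000004", "203.0.113.51"),
]


def flag_fingerprints(events, window=timedelta(hours=2), max_ips=3):
    """Return {ja4: first_time_flagged} for fingerprints that were seen from
    more than max_ips distinct IPs inside any sliding window of length `window`.

    JA4 is not unique per device, so treat the result as a signal to combine
    with other checks, not as proof of a single actor.
    """
    events = sorted(events, key=lambda e: e[0])  # ISO timestamps sort lexically
    recent = defaultdict(deque)  # ja4 -> deque of (time, ip) still inside the window
    flagged = {}
    for ts, ja4, ip in events:
        now = datetime.fromisoformat(ts)
        q = recent[ja4]
        q.append((now, ip))
        # Drop records older than the window before counting.
        while q and now - q[0][0] > window:
            q.popleft()
        distinct_ips = {seen_ip for _, seen_ip in q}
        if len(distinct_ips) > max_ips and ja4 not in flagged:
            flagged[ja4] = now
    return flagged


if __name__ == "__main__":
    for ja4, when in flag_fingerprints(SAMPLE_EVENTS).items():
        print(f"{ja4} exceeded the IP threshold at {when}")
```

Tuning `window` and `max_ips` against your own traffic decides how aggressive this is; the roaming-user record in the sample shows why the window matters.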
That's what I was thinking too, but I wanted to ask first to see if AWS already offered this feature to save us some time.
What would be a better way to pinpoint individual devices? I thought JA4 fingerprinting could already do that. I've seen some services offer device fingerprinting; is that different from JA4?