A method of detecting deceptive web activity is implemented in an intermediary located between a requesting client device, and a server that hosts a web application. Following a bootstrap phase used to generate a database of information identifying characteristics of clients, the method begins by receiving a page directed to the client from the server. The server injects an invisible DOM element having a set of style properties associated therewith, with one of the set of style properties assigned a random value, to generate a modified page, which is returned to the client. As the client interacts with the modified page, the intermediary tracks the device's styles and uses them to identify the client from information in the database. Once the device is identified, the intermediary then detects whether a spoofing attack has occurred. By leveraging the tracked styles, a spoofing attack on the DOM element's styles may also be detected.