86% of Australia's top websites can't detect bot attacks: Research

Automated credential stuffing attacks give the bad guys a great return on investment, according to security firm Kasada, but most organisations can't spot them.
Written by Stilgherrian , Contributor

New research shows that the vast majority of Australia's top 250 websites can't tell the difference between a human using a web browser and a bot running a script, leaving them vulnerable to so-called credential stuffing attacks.

Researchers from Australian cybersecurity firm Kasada selected the target websites based on their Alexa ranking. They focused on the industries most often targeted by bot attacks: Retail, property, wagering, finance, airlines, utilities, and health insurance.

The researchers then loaded the sites' login pages in three ways: A regular web browser; a script using curl or Node.js; and an automation tool, Selenium.

Around 86% of the tested websites failed to detect the difference, meaning that an attacker could also load the login page with a credential abuse tool, attempting to log in repeatedly using stolen usernames and passwords.

In addition, 90% of the websites failed to detect those automated logins.

Credential stuffing is the one kind of attack where it's easier for the bad guys to build a return on investment, encouraging them to spend money to evade detection, according to Kasada's lead field engineer, Nick Rieniets.

"Visibility of activity on that login page is where it all needs to start," Rieniets told ZDNet.

"Our observation is these credential abuse attacks, in many cases, have been going on for weeks before the organisations realise what's going on ... the attackers are doing a great job of evading detection."

In and of itself, a login request isn't malicious traffic, Rieniets explained, but a pattern of failing login attempts is, even if they don't all come from the same source. But how many failed attempts you allow before blocking the traffic depends on the context.

"It's difficult for consumer-facing sites to lock down logins, because the more you lock it down, the more support cases you end up creating," he said.

Kasada's researchers also found that out of 100 credential abuse bot attacks on their own customers, 90 percent came from within Australian ISP networks.

While 100 is a small sample size, the customers included traditional retailers and more modern e-commerce businesses, online gaming operators, and utilities, and therefore skewed to more high-value targets.

Kasada published its research findings and an action plan for organisations in the report Bots Down Under on Tuesday.

Recommendations for cybersecurity teams are to only allow regular web browsers to access the login page; enforce adherence to request flow patterns; take actions to alter the economics of attacking your site; and visualise the human versus bot activity against your login paths.

For organisations, it was recommended that they establish a regular cadence of reporting on these issues; make sure the necessary security controls are in place; and establish and test a data breach response plan.

These recommendations don't match some other priority lists for attack mitigations, such as the Australian Signals Directorate (ASD) Essential Eight. But Rieniets says his reference for establishing priorities is the data on notifiable data breaches published by the Office of the Australian Information Commissioner (OAIC).

"Credential abuse, which they call brute force attacks ... is actually the third most likely attack type that results in a data breach. For me, that's pretty significant," he said.

Credential stuffing is a reasonably new attack type, Rieniets said, at least in terms of the number of organisations having to deal with it for the first time. Chief information security officers (CISOs) both in Kasada's customer base and elsewhere are telling him that preventing them is a priority.

"If it's not the number one priority for most CISOs this year, it's certainly very high up," he said.

Security Coverage

The Windows 10 security guide: How to safeguard your business

How do you configure Windows 10 PCs to avoid common security problems? There's no software magic bullet, unfortunately, and the tools are different for small businesses and enterprises. Here's what to watch out for.

Microsoft discloses security breach that impacted some Outlook accounts

Incident took place after hackers compromised a Microsoft support agent's account.

Building a data pipeline to defend New York from cyber threats

Responsible for protecting a large, complex and federated network of city systems, NYC Cyber Command built its own, open-source data pipeline.

Windows 10 security: A guide for business leaders

Protecting Windows 10 PCs from common security problems requires ongoing vigilance and effort. This ebook explains what steps to take and what risks you should watch out for.

Editorial standards