#1254731: 86% of Australia's top websites can't detect bot attacks: Research
New research shows that the vast majority of Australia's top 250 websites can't tell the difference between a human using a web browser and a bot running a script, leaving them vulnerable to so-called credential stuffing attacks.
Researchers from Australian cybersecurity firm Kasada selected the target websites based on their Alexa ranking. They focused on the industries most often targeted by bot attacks: retail, property, wagering, finance, airlines, utilities, and health insurance.
The researchers then loaded the sites' login pages in three ways: a regular web browser; a script using curl or Node.js; and an automation tool, Selenium.
Around 86% of the tested websites failed to detect the difference, meaning that an attacker could also load the login page with a credential abuse tool, attempting to log in repeatedly using stolen usernames and passwords.
In addition, 90% of the websites failed to detect those automated logins.
Credential stuffing is the one kind of attack where it's easier for the bad guys to build a return on investment, encouraging them to spend money to evade detection, according to Kasada's lead field engineer, Nick Rieniets.
"Visibility of activity on that login page is where it all needs to start," Rieniets told ZDNet.
"Our observation is these credential abuse attacks, in many cases, have been going on for weeks before the organisations realise what's going on ... the attackers are doing a great job of evading detection."
In and of itself, a login request isn't malicious traffic, Rieniets explained, but a pattern of failed login attempts is, even if they don't all come from the same source. How many failed attempts you allow before blocking the traffic, however, depends on the context.
"It's difficult for consumer-facing sites to lock down logins, because the more you lock it down, the more support cases you end up creating," he said.
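The pattern Rieniets describes, failures spread across many accounts and many source addresses so that no single address trips a per-IP lockout, can be checked directly against authentication logs. The following detector is an added illustration, not code from Kasada or the report; the log lines, field layout and thresholds are constructed for the example, and the thresholds are the context-dependent knobs the article refers to.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample login log (not from the report): "<timestamp> <source_ip> <user> <outcome>".
# Nine failures in under four minutes, spread over five users and five source addresses.
SAMPLE_LOG = """\
2019-04-16T05:00:01 198.51.100.11 alice FAIL
2019-04-16T05:00:20 198.51.100.12 bob FAIL
2019-04-16T05:00:45 198.51.100.13 carol FAIL
2019-04-16T05:01:10 198.51.100.14 dave FAIL
2019-04-16T05:01:30 198.51.100.15 erin FAIL
2019-04-16T05:02:05 198.51.100.11 bob FAIL
2019-04-16T05:02:40 198.51.100.12 carol FAIL
2019-04-16T05:03:15 198.51.100.13 dave FAIL
2019-04-16T05:03:50 198.51.100.14 erin FAIL
2019-04-16T05:04:10 198.51.100.15 alice OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=8, min_sources=4, per_ip_limit=5):
    """Flag a window of failed logins that is large AND spread across sources.

    Thresholds are placeholders; the right values depend on the site's context.
    The alert also records whether a plain per-IP lockout (per_ip_limit) would
    have fired, which for distributed credential stuffing it usually would not.
    Only the first qualifying window is reported, to keep the example short.
    """
    failures = [e for e in events if e[3] == "FAIL"]
    for i, (start, _, _, _) in enumerate(failures):
        in_window = [e for e in failures[i:] if e[0] - start <= window]
        per_ip = Counter(e[1] for e in in_window)
        if len(in_window) >= min_failures and len(per_ip) >= min_sources:
            return [{
                "window_start": start,
                "failures": len(in_window),
                "sources": len(per_ip),
                "users": len({e[2] for e in in_window}),
                "per_ip_lockout_would_fire": max(per_ip.values()) >= per_ip_limit,
            }]
    return []
```

Running it on the sample log yields one alert with nine failures from five sources against five accounts, and shows that a per-IP lockout of five would never have triggered.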
Kasada's researchers also found that out of 100 credential abuse bot attacks on their own customers, 90% came from within Australian ISP networks.
While 100 is a small sample size, the customers included traditional retailers and more modern e-commerce businesses, online gaming operators, and utilities, and therefore skewed to more high-value targets.
Kasada published its research findings and an action plan for organisations in the report Bits Down Under on Tuesday.
Recommendations for cybersecurity teams are to only allow regular web browsers to access the login page; enforce adherence to request flow patterns; take actions to alter the economics of attacking your site; and visualise the human versus bot activity against your login paths.
For organisations, it was recommended that they establish a regular cadence of reporting on these issues; make sure the necessary security controls are in place; and establish and test a data breach response plan.
These recommendations don't match some other priority lists for attack mitigations, such as the Australian Signals Directorate (ASD) Essential Eight. But Rieniets says his reference for establishing priorities is the data on notifiable data breaches published by the Office of the Australian Information Commissioner (OAIC).
"Credential abuse, which they call brute force attacks ... is actually the third most likely attack type that results in a data breach. For me, that's pretty significant," he said.
Credential stuffing is a reasonably new attack type, Rieniets said, at least in terms of the number of organisations having to deal with it for the first time. Chief information security officers (CISOs) both in Kasada's customer base and elsewhere are telling him that preventing them is a priority.
"If it's not the number one priority for most CISOs this year, it's certainly very high up," he said.
Date added: April 16, 2019, 5:01 a.m.