86% of Australia's top websites can't detect bot attacks: Research

86% of Australia's top websites can't detect bot attacks: Research 1

New research shows that the vast majority of Australia’s top 250 websites can’t tell the difference between a human using a web browser and a bot running a script, leaving them vulnerable to so-called credential stuffing attacks.

Researchers from Australian cybersecurity firm Kasada selected the target websites based on their Alexa ranking. They focused on the industries most often targeted by bot attacks: Retail, property, wagering, finance, airlines, utilities, and health insurance.

The researchers then loaded the sites’ login pages in three ways: A regular web browser; a script using curl or Node.js; and an automation tool, Selenium.

Around 86% of the tested websites failed to detect the difference, meaning that an attacker could also load the login page with a credential abuse tool, attempting to log in repeatedly using stolen usernames and passwords.

In addition, 90% of the websites failed to detect those automated logins.

Credential stuffing is the one kind of attack where it’s easier for the bad guys to build a return on investment, encouraging them to spend money to evade detection, according to Kasada’s lead field engineer, Nick Rieniets.

“Visibility of activity on that login page is where it all needs to start,” Rieniets told ZDNet.

“Our observation is these credential abuse attacks, in many cases, have been going on for weeks before the organisations realise what’s going on … the attackers are doing a great job of evading detection.”

In and of itself, a login request isn’t malicious traffic, Rieniets explained, but a pattern of failing login attempts is, even if they don’t all come from the same source. But how many failed attempts you allow before blocking the traffic depends on the context.

“It’s difficult for consumer-facing sites to lock down logins, because the more you lock it down, the more support cases you end up creating,” he said.

Kasada’s researchers also found that out of 100 credential abuse bot attacks on their own customers, 90 percent came from within Australian ISP networks.

While 100 is a small sample size, the customers included traditional retailers and more modern e-commerce businesses, online gaming operators, and utilities, and therefore skewed to more high-value targets.

Kasada published its research findings and an action plan for organisations in the report Bits Down Under on Tuesday.

Recommendations for cybersecurity teams are to only allow regular web browsers to access the login page; enforce adherence to request flow patterns; take actions to alter the economics of attacking your site; and visualise the human versus bot activity against your login paths.

For organisations, it was recommended that they establish a regular cadence of reporting on these issues; make sure the necessary security controls are in place; and establish and test a data breach response plan.

These recommendations don’t match some other priority lists for attack mitigations, such as the Australian Signals Directorate (ASD) Essential Eight. But Rieniets says his reference for establishing priorities is the data on notifiable data breaches published by the Office of the Australian Information Commissioner (OAIC).

“Credential abuse, which they call brute force attacks … is actually the third most likely attack type that results in a data breach. For me, that’s pretty significant,” he said.

Credential stuffing is a reasonably new attack type, Rieniets said, at least in terms of the number of organisations having to deal with it for the first time. Chief information security officers (CISOs) both in Kasada’s customer base and elsewhere are telling him that preventing them is a priority.

“If it’s not the number one priority for most CISOs this year, it’s certainly very high up,” he said.

Security Coverage

The Windows 10 security guide: How to safeguard your business

How do you configure Windows 10 PCs to avoid common security problems? There’s no software magic bullet, unfortunately, and the tools are different for small businesses and enterprises. Here’s what to watch out for.

Microsoft discloses security breach that impacted some Outlook accounts

Incident took place after hackers compromised a Microsoft support agent’s account.

Building a data pipeline to defend New York from cyber threats

Responsible for protecting a large, complex and federated network of city systems, NYC Cyber Command built its own, open-source data pipeline.

Windows 10 security: A guide for business leaders

Protecting Windows 10 PCs from common security problems requires ongoing vigilance and effort. This ebook explains what steps to take and what risks you should watch out for.

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Crypto Scams

Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
April 23, 2022
Joon Pak Head of Crypto at Prove talks to Us about Crypto Fraud And More
April 11, 2022
Mintable CEO Zach Burks Talks to Us about the Opensea Stolen NFTs and Their Recovery
March 21, 2022
Crypto Crime
Crypto Crime Surges To Record Highs As Thieves Follow Market Buzz – Chainalysis 2022 Report
February 24, 2022
Bots Circumvent 2FA Login At Coinbase And Other Crypto Exchanges In 2022
Bots Have Circumvented 2FA Logins At Coinbase And Other Crypto Exchanges In 2022
February 17, 2022

Automated trading with HaasBot Crypto Trading Bots

Blockchain/Cryptocurrency Questions and Answers

Roundtable Interview-What is the Effect of The Russia-Ukraine War on Cryptocurrency Prices?
March 4, 2022
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
The Unconventional Guide to Ethereum
October 28, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin29,787 0.98 % 1.28 % 2.34 %
Ethereum1,981.4 1.28 % 0.27 % 5.43 %
Tether1.001 0.07 % 0.06 % 0.01 %
BNB330.58 1.14 % 0.93 % 7.84 %
USD Coin0.9989 0.16 % 0.08 % 0.04 %
XRP0.4079 0.77 % 0.31 % 7.11 %
Binance USD0.9993 0.06 % 0.29 % 0.22 %
Cardano0.9566 0.22 % 0.68 % 6.96 %
Solana48.90 1.80 % 2.19 % 14.84 %
Polkadot9.960 2.46 % 0.36 % 9.92 %

Bitcoin (BTC) $ 29,962.00
Ethereum (ETH) $ 1,987.22
Tether (USDT) $ 1.00
BNB (BNB) $ 332.13
USD Coin (USDC) $ 1.00
XRP (XRP) $ 0.409321
Binance USD (BUSD) $ 0.998458
Cardano (ADA) $ 0.521357
Solana (SOL) $ 49.29
Polkadot (DOT) $ 10.03