The vast majority of Australian businesses are unable to tell the difference between robots and customers on their websites, according to new research.
Experts are warning Australian SMEs are vulnerable to costly bot-net attacks as advances in artificial intelligence make way for more sophisticated cyber crime.
An investigation into internet robots in Australia, published by cyber security firm Kasada this week, found 86% of the 250 most popular websites in Australia could not distinguish robots from humans when tested with common automation tools.
A further 90% failed to prevent an automated tool from submitting credentials to their login portals, showing “there was no security control on the backend system”.
Kasada chief executive Sam Crowther says the stakes are high, with the costs of bot attacks estimated at $2 million per breach.
“Massive lack of awareness”
“There’s a massive lack of awareness of the problem,” Crowther tells SmartCompany.
“Purely because it’s difficult to see in many cases, these bots are actually interacting with websites in the same way legitimate customers would.”
Crowther says past high-profile data breaches, in which hackers gained access to personal and login information, are fuelling the activity.
“They’ll take the usernames and passwords and then test them on websites, playing the numbers that enough people will use the same details on multiple websites,” he says.
Figures compiled by the data breach notification website Have I Been Pwned put the number of compromised login credentials worldwide at more than 7.8 billion.
Making things more confusing, Kasada found 90% of bot attacks are sent via Australian internet service provider (ISP) networks, which can make it harder for businesses to differentiate the traffic from their usual customers.
Bot attacks on the rise
Andrew Bycroft, chief executive of the International Cyber Resilience Institute, says botnet attacks have been on the rise lately.
“The cost of renting a botnet has come down, it used to be $1,000 an hour, now it’s under $100,” he tells SmartCompany.
“You can use them to send out spam, malware, ransomware, you can use them for denial of service (DDoS) attacks.”
Bycroft says the research findings “aren’t surprising” given technological advances in recent years.
“We’re focusing more on artificial intelligence, we’re trying to make computers behave more like humans, so it’s sort of inevitable we’ve hit this point,” he says.
While businesses have traditionally employed captcha systems on their login credential pages to weed out bots, Crowther says this has become much less effective.
“Machines can now solve them better than we can,” he says.
“A lot of the attacker tools we see have pre-built plugins for that, whenever there’s a captcha they bypass it.”
What can you do?
So what can businesses do? Bycroft says focusing on essential systems is imperative.
“A lot of security teams have a broad focus, you’re better off focusing heavily on what’s critical to the business,” he says.
“The first thing to look at is patterns of activity, if you’re getting unusual volumes of traffic at unusual times then it’s likely a bot.”
Crowther advises businesses to invest in monitoring traffic, an area he says has been a “blind spot” for businesses in the past.
“Track the number of login attempts and failed logins through your customer portal over time,” he says.
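The two pieces of advice above, watching for unusual volumes at unusual times and tracking login attempts and failed logins over time, can be turned into a small monitoring check. The following Python is an added illustration, not code from Kasada, the report or either expert quoted: it reads constructed login log lines of the form "timestamp client-ip username result", buckets them by hour, and flags hours whose attempt count is far above the median hour, whose failure ratio is high, or which fall outside assumed business hours. The log format, thresholds, business-hours window and sample addresses are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines: "<ISO timestamp> <client-ip> <username> <result>".
# Normal traffic is a few logins per hour; the 03:00 burst models stolen
# credentials being replayed against the customer portal.
QUIET_LINES = [
    "2023-05-01T09:12:04 203.0.113.10 alice ok",
    "2023-05-01T09:40:51 203.0.113.11 bob ok",
    "2023-05-01T10:05:13 203.0.113.12 carol fail",
    "2023-05-01T10:06:02 203.0.113.12 carol ok",
    "2023-05-01T11:30:44 203.0.113.13 dave ok",
    "2023-05-01T14:15:09 203.0.113.14 erin ok",
]
BURST_LINES = [
    f"2023-05-02T03:{i // 60:02d}:{i % 60:02d} 198.51.100.7 user{i:04d} fail"
    for i in range(120)
] + [
    "2023-05-02T03:02:10 198.51.100.7 frank ok",
    "2023-05-02T03:02:11 198.51.100.7 grace ok",
]
SAMPLE_LINES = QUIET_LINES + BURST_LINES

BUSINESS_HOURS = range(7, 22)  # assumed local hours with normal customer traffic


def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, user, result = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"when": when, "ip": ip, "user": user, "ok": result == "ok"}


def hourly_stats(lines):
    """Bucket events by hour: attempts, failures, distinct users and source IPs."""
    stats = defaultdict(
        lambda: {"attempts": 0, "failures": 0, "users": set(), "sources": set()}
    )
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        bucket = stats[ev["when"].strftime("%Y-%m-%dT%H")]
        bucket["attempts"] += 1
        bucket["failures"] += 0 if ev["ok"] else 1
        bucket["users"].add(ev["user"])
        bucket["sources"].add(ev["ip"])
    return dict(stats)


def flag_anomalies(stats, volume_factor=5, fail_ratio=0.5, min_attempts=20):
    """Flag hours whose volume, failure ratio or timing departs from the norm.

    The baseline is the median hourly attempt count, so a single burst does
    not drag it upward. The thresholds are assumed starting points to tune
    against real portal traffic, not recommended values.
    """
    baseline = median(b["attempts"] for b in stats.values()) if stats else 0
    findings = []
    for hour in sorted(stats):
        b = stats[hour]
        if b["attempts"] < min_attempts:
            continue  # too little traffic to judge
        reasons = []
        if b["attempts"] >= volume_factor * baseline:
            reasons.append("volume")
        if b["failures"] / b["attempts"] >= fail_ratio:
            reasons.append("failure ratio")
        if int(hour[-2:]) not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append({
                "hour": hour,
                "attempts": b["attempts"],
                "failures": b["failures"],
                "distinct_users": len(b["users"]),
                "sources": sorted(b["sources"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_anomalies(hourly_stats(SAMPLE_LINES)):
        print(finding)
```

Run against the constructed sample, the check reports only the 03:00 hour: 122 attempts against a median of two per hour, 120 of them failures, spread across 122 distinct usernames from one source address. That combination, many different usernames tried from one place with a very high failure rate, is the shape the credential replay described earlier in the article leaves in a login log; a single customer mistyping a password does not produce it.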