Fighting off the Australian Super Funds attack

By Mohammad Ismail, VP of EMEA, Cequence Security

Up to half a million dollars is estimated to have been lost during the recent attack on Australian superannuation funds along with personally identifiable information (PII) that could see customers subjected to further identity fraud. The credential stuffing attack saw usernames and passwords used to bombard accounts leading to widespread panic as customers sought to login to their accounts to see if they had been compromised.

However, it soon became clear the impact of the attack was not nearly as devastating as it could have been, thanks largely to the efforts of the funds. The financial losses were traced to just four customers at AustralianSuper out of its potential customer base of 3.4m members. Similarly, the Rest superannuation fund said its incident response protocols limited the impact of the attack to less than 1% of its members, according to press reports. The funds had been able to protect the mainstay of their investors, but the attack delivered a painful lesson: even a heavily regulated sector within the financial industry can still fall prey to automated attacks.

Credential stuffing attacks are becoming more sophisticated, more frequent and harder to detect with traditional tools alone. Unlike manual hacks, these campaigns are driven by automation and can overwhelm defences in seconds, with attackers deploying large bot networks to simulate the activity of legitimate users. They reuse stolen credentials from previous breaches and exploit weaknesses in the Application Programming Interfaces (APIs) that carry data between the application and the back office systems to gain access. Even multi-factor authentication (MFA), often touted as the best way to thwart such attacks, can be bypassed by these bots, which are able to harvest and replay session tokens to overcome such measures.

Countering such attacks with security tooling such as Web Application Firewalls (WAFs) and API gateways is unrealistic because these solutions are IP-based: they match specific signatures rather than telltale behaviours. Attackers mask their IP addresses behind proxy servers or rapidly rotate through many IP addresses to overwhelm these tools. In contrast, solutions that use behavioural fingerprinting generate a unique fingerprint for the attack and track it, so that when the attacker pivots and changes tactics the activity can still be monitored.

Realising the gravity of the situation when it became clear existing tooling was insufficient to stop the attack, some funds decided to deploy bot management software as the attack continued to unfold. Dedicated bot mitigation solutions continuously monitor application traffic at scale, rather than relying on static rules, making it possible to create a view of what legitimate user behaviour looks like. Anything that then deviates from that can be flagged and blocked, stopping the bot attack before it causes harm.
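To make the contrast between IP-keyed rules and behaviour-keyed detection concrete, here is an added Python example (not the author's or Cequence's code). The login events, the fingerprint values standing in for a behavioural signature (TLS hash, header order, user agent) and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Field positions in each constructed event tuple.
IP, USER, OUTCOME, FP = 0, 1, 2, 3

# Constructed sample login events (not real traffic). Two legitimate
# browsers retry a few times; the credential stuffing bot uses a fresh
# IP per attempt but keeps the same behavioural fingerprint "fp-bot-X".
SAMPLE_EVENTS = [
    ("203.0.113.10", "alice", "ok", "fp-browser-A"),
    ("203.0.113.10", "alice", "ok", "fp-browser-A"),
    ("198.51.100.7", "bob", "fail", "fp-browser-B"),
    ("198.51.100.7", "bob", "ok", "fp-browser-B"),
] + [
    (f"192.0.2.{i}", f"member{i:03d}", "fail", "fp-bot-X") for i in range(1, 41)
] + [
    (f"192.0.2.{i}", f"member{i:03d}", "ok", "fp-bot-X") for i in range(41, 44)
]


def per_key_stats(events, key_field):
    """Aggregate attempts, failures and distinct usernames per key value."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ev in events:
        s = stats[ev[key_field]]
        s["attempts"] += 1
        s["failures"] += ev[OUTCOME] == "fail"
        s["users"].add(ev[USER])
    return stats


def flag_suspicious(events, key_field, min_attempts=20,
                    min_fail_ratio=0.8, min_users=10):
    """Return key values whose aggregate behaviour looks like stuffing:
    many attempts, mostly failures, spread across many distinct accounts."""
    flagged = []
    for key, s in per_key_stats(events, key_field).items():
        if s["attempts"] < min_attempts:
            continue
        fail_ratio = s["failures"] / s["attempts"]
        if fail_ratio >= min_fail_ratio and len(s["users"]) >= min_users:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    # Per-IP rule sees one attempt per address and flags nothing;
    # the same thresholds keyed on the fingerprint catch the campaign.
    print("by IP:", flag_suspicious(SAMPLE_EVENTS, IP))
    print("by fingerprint:", flag_suspicious(SAMPLE_EVENTS, FP))
```

The same threshold logic flags nothing when keyed on the rotating source IP but isolates the bot when keyed on its stable fingerprint, which is the gap the article describes between IP-based tooling and behavioural monitoring.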

Adopting this approach enabled the funds to immediately detect malicious patterns, automatically adapt defences using AI and machine learning and neutralise the bots in real time, all without any detrimental effect on service delivery or the need to change code. Furthermore, the attackers were completely unaware they’d been blocked, which bought valuable time that could be used to analyse the nature of the attack and bolster defences.

The attack has undoubtedly been a wakeup call to an industry that has seen at firsthand that traditional tools can fall short in the face of such advanced bot attacks. It’s no longer enough to block traffic based on IP addresses or apply static rules because the dexterity and persistence of these bot attacks will simply find workarounds. What is needed is real-time, adaptive defences that understand context and behaviour, especially in high-risk sectors like superannuation.
