REA Group fights content scraping attacks and credential stuffing with automation

‘You need to fight automation with automation’, Craig Templeton, CISO & GM Group Technology Platforms at REA

REA Group make up a global online real estate advertising company headquartered in Melbourne, Australia. A News Corp company, the group runs realestate.com.au, Australia’s biggest real estate listings website with 4.4 million unique browsers each month.

For Craig Templeton, CISO & GM Group Technology Platforms at REA, dealing with content scrapers, service interruptions, or credential stuffing caused by bad bots at unconventional hours of the night, proved to be an inefficient way of conducting successful business.

The pain

REA had huge problems with bots; platform engineers at the group were constantly, and around the clock, dealing with mitigating security incidents and attempting to avoid service disruptions.

Bots flood the bandwidth of websites, rendering them slower or unavailable to legitimate users. After detailed analysis, the engineers at REA observed that their platform was being aggressively targeted by a fake Google bot coming from Germany. It had to be blocked. Craig explains: ‘I went ok, come back to me on that… and after a week they said: can’t you just make it go away? It became evident to us that the walls weren’t the answer to this’. Perpetrators, including competitors, use DoS attacks to disrupt a website or even take it down. They can dynamically use multiple sources, which make it impossible to stop an attack by blocking a single IP address.

And, for REA group it doesn’t end there, they also discovered that there is a huge number of businesses feeding off their data. ‘Bot automation in itself is not always bad, but we prefer it to be on our terms’, said Craig. ‘Overall, I would prefer to expose that data in a managed way rather than having someone indiscreetly managing it’, he added.

The REA real estate platform has login portals making it vulnerable to credential stuffing. Craig calls this ‘the attack du jour’.

He adds: ‘It got to the point that when you are worried about something that is highly automated and dynamic, rules-based security just collapses, and therefore you need to fight automation with automation’.

Costs are another important aspect to take into account. Craig and his team rely heavily on cloud computing infrstructure which comes with high management and optimisation costs. Businesses suffer from a wide attack surface that inevitably results in loss of money if not addressed and mitigated. Threats at hand can be very simple point click bots to sophisticated ones pretending to be Google bots coming from an Amazon IP range. It became clear over time that these issues must be solved. Craig and his team set out to evaluate the best tools available to seriously and systematically fight the war against bots. After a thorough research of the products available on the market, the Kasada solution emerged as the obvious choice.

The solution: Maximum protection from malicious web traffic

Kasada is an innovative enterprise cybersecurity company operating globally with offices in Australia, the US, and the UK. The company has been leading the fight against bots, since 2015, with leading edge approaches and cloud-based technology.

Kasada detects and mitigates malicious traffic that other security measures fail to identify, while also protecting websites, mobile apps, and APIs from credential stuffing, fraud, account takeover, and scraping attacks. The platform also reduces bot-related network bandwidth and infrastructure costs.

To sustain the value added for businesses that the platform brings, Pascal Podvin, Chief Revenue Officer at Kasada confirmed that most organisations can’t spot automated credential stuffing or scraping attacks. ‘Research from Kasada shows that 86% of audited organisations within top websites can’t tell the difference between a human using a web browser and a bot running a script, leaving them highly vulnerable to credential stuffing and content scraping attacks’, he added. Moreover, industries such as retail, finance, and travel, are the most targeted by bot attacks.

The gain: Customer experience to rule them all

The REA Group puts high value on user experience. The team is determined to provide quality browsing journeys for their customers.

The REA team were up and running on the Kasada platform in no time. Implementation and ease of use are just some of the benefits Kasada customers enjoy from day one. ‘We really appreciate the speed of deployment; you can be up and running in literally minutes’, Craig said in amazement, ‘they have actually nailed the onboarding process, and once you start seeing those bots being blocked in real time, wanting to turn it off becomes really hard – they have nailed the customer acquisition fierce’.

For all businesses, quality user experience is imperative. It can have direct affects on conversions, customer retention, and overall business goals.

Customers today demand for tightened security measures and a seamless buying process to build trust. Businesses are now realising that a strong and secure technology infrastructure is the best way to gain that trust. Craig concludes: ‘user experience is everything these days, whenever people are designing products they want as little friction as possible, they want seamless experience, and security falls into this transparent layer. This is why we felt that Kasada offered us that blend of good automated control of seamless user experience that doesn’t get into the way’.

Learn more about how Kasada Polyform can help you fight malicious automation: www.kasada.io

This interview was first published in the Fraud Prevention and Online Authentication Report 2019/2020. The Guide covers some of the security challenges encountered in the ecommerce and banking, and financial services ecosystems. Moreover, it provides payment and fraud and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

About Kasada

Kasada detects and mitigates the risk of malicious automation, for large and medium size organisations of all industries, worldwide. Kasada is the first of a new generation to use dynamic cyber-resilient technology to detect automation from the very first page load request, with unprecedented accuracy and speed - even for the most sophisticated bots.