REA Group's moves to stop content scraping and credential stuffing with new tech

REA Group is an global digital real estate marketing company that runs realestate.com.au, one of Australia's largest real estate listings website, with recorded 4.4 million unique browsers a month.

For Craig Templeton, CISO & GM Group Technology Platforms at REA, dealing with content scrapers, service interruptions, or credential stuffing caused by bad bots at unconventional hours of the night, proved to be an inefficient way of conducting successful business.

REA had huge problems with bots; platform engineers at the group were constantly, and around the clock, dealing with mitigating security incidents and attempting to avoid service disruptions.

Bots flood the bandwidth of websites, rendering them slower or unavailable to legitimate users. After detailed analysis, the engineers at REA observed that their platform was being aggressively targeted by a fake Google bot coming from Germany. It had to be blocked. Craig explains: 

"I went ok, come back to me on that… and after a week they said: can’t you just make it go away? It became evident to us that the walls weren’t the answer to this." 

Perpetrators, including competitors, use DoS attacks to disrupt a website or even take it down. They can dynamically use multiple sources, which make it impossible to stop an attack by blocking a single IP address.

And, for REA group it doesn’t end there, they also discovered that there is a huge number of businesses feeding off their data. "Bot automation in itself is not always bad, but we prefer it to be on our terms," said Craig. "Overall, I would prefer to expose that data in a managed way rather than having someone indiscreetly managing it," he added.

The REA real estate platform has login portals making it vulnerable to credential stuffing. Craig calls this ‘the attack du jour’.

He adds:

"It got to the point that when you are worried about something that is highly automated and dynamic, rules-based security just collapses, and therefore you need to fight automation with automation."

Read more here

Join us February 26-27 for the Property Portal Watch Conference Bangkok 2020.