The financial services sector was subject to 3.5 billion credential stuffing attacks over the past 18 months, as cybercrooks used previously breached log-in data to crack open user accounts.
The numbers come from Akamai’s 2019 State of the Internet / Security Financial Services Attack Economy Report, which found that 50% of all attacks from phishing domains were targeted at the financial sector.
The report indicates that between December 2018 and May 2019, nearly 200,000 phishing domains were discovered, of which 66% targeted consumers directly. When taking the phishing domains targeting consumers only into consideration, 50% of those targeted companies in the financial services industry.
"We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers," says Martin McKeay, security researcher at Akamai. "Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers."
Akamai’s findings additionally reveal that 94% of observed attacks against the financial services sector came from one of four well-documented methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection (which accounted for more than 8 million attempts during this reporting period). OGNL Java Injection, made famous due to the Apache Struts vulnerability, continues to be used by attackers years after patches have been issued.
Criminals have also started launching DDoS attacks as a distraction to conduct credential stuffing attacks or to exploit a web-based vulnerability. Over the course of 18 months, Akamai uncovered more than 800 DDoS attacks against the financial services industry alone.
"Attackers are targeting financial services organisations at their weak points: the consumer, web applications and availability, because that’s what works," says McKeay. "Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail.”