Akamai researchers saw a 257% year over year increase in API and Web application attacks and are reporting that roughly 80 percent of cyberattacks are directed at financial services customers. They found the attacks in the Asia-Pacific and Japan region grew by 449% and primarily resulted in ransomware.
Key findings:
- Within 24 hours of discovery, new zero days against financial services reach multiple thousands of attacks per hour and peak quickly – affording little time to patch and react.
- DDoS attacks against financial services are up 22 percent year over year.
- A significant increase in Local File Inclusion (LFI) and Cross-Site Scripting (XSS) attacks shows attackers are shifting toward RCE attempts.
- Phishing campaigns against financial services customers use methods to bypass 2FA.
- User account takeover attempts represent over 40 percent of attack types with another 40 percent focusing on website scraping, to create more convincing phishing scams.
It’s not surprising that the financial services sector represents the vast majority of cyberattacks. Many financial institutions are still in the midst of their digital transformations and deploying their initial generation of API-first architected applications. As a result, API deployment and usage have expanded the attack surface of these institutions and made them a prime target for bad actors.

Because every exposed API is unique in function and business logic, they provide many avenues of opportunity for attackers. Attackers look for APIs with vulnerabilities, such as broken or flawed business logic, to exfiltrate data, take over systems or accounts, or conduct application-level denial of service campaigns. This type of leverage, whether in the form of personal data or account control, creates the foundation for many of the for-ransom schemes that have been playing out in recent months. Many of these schemes have not just targeted the organizations that have built and exposed these APIs with ransom demands, but have also targeted individual consumers that have been compromised as well, as in the case of the recent Optus API security incident. Attackers are now betting on ransom demands being paid by consumers themselves, especially if the information or account being withheld is of value.

Because most organizations, including many prominent financial institutions, rely on more traditional security methods and do not have adequate behavior-based API runtime protection, attackers realize they have the freedom to conduct long reconnaissance, attack and abuse campaigns against exposed APIs while staying under the radar. Finding a single leaky API endpoint can pay big dividends to a would-be attacker.
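As an added illustration of what behavior-based API runtime checks look like (this is example code written for this page, not Akamai's or any vendor's product), the script below flags the two behaviours the findings above single out, account takeover attempts and scraping, from per-client patterns in a constructed access log. The log format, the `/api/login` and `/api/accounts/<id>` endpoint shapes and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
# Constructed sample access log (not real data): "client user method path status"
SAMPLE_LOG = """
c1 alice POST /api/login 401
c1 bob POST /api/login 401
c1 carol POST /api/login 401
c1 dave POST /api/login 200
c2 mallory GET /api/accounts/1001 200
c2 mallory GET /api/accounts/1002 200
c2 mallory GET /api/accounts/1003 200
c2 mallory GET /api/accounts/1004 200
c3 erin POST /api/login 200
c3 erin GET /api/accounts/2001 200
"""
ACCOUNT_RE = re.compile(r"^/api/accounts/(\d+)$")  # hypothetical endpoint shape

def parse(log_text):  # -> list of (client, user, method, path, status)
    events = []
    for line in log_text.strip().splitlines():
        client, user, method, path, status = line.split()
        events.append((client, user, method, path, int(status)))
    return events

def longest_consecutive_run(ids):  # longest run of IDs increasing by exactly one
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def analyse(events, min_users=3, min_fail_ratio=0.6, min_run=4):
    """Per-client behaviour checks; thresholds are illustrative, tune to real traffic."""
    logins = defaultdict(lambda: {"users": set(), "total": 0, "failed": 0})
    ids = defaultdict(list)
    for client, user, method, path, status in events:
        if method == "POST" and path == "/api/login":
            s = logins[client]
            s["users"].add(user)
            s["total"] += 1
            s["failed"] += status == 401
        elif (m := ACCOUNT_RE.match(path)) and method == "GET":
            ids[client].append(int(m.group(1)))
    findings = defaultdict(list)
    for client, s in logins.items():  # many distinct users, mostly failing: stuffing
        if len(s["users"]) >= min_users and s["failed"] / s["total"] >= min_fail_ratio:
            findings[client].append("credential_stuffing")
    for client, seq in ids.items():  # sequential object IDs: scraping / enumeration
        if longest_consecutive_run(seq) >= min_run:
            findings[client].append("id_enumeration")
    return dict(findings)
```

Running `analyse(parse(SAMPLE_LOG))` flags `c1` for credential stuffing and `c2` for ID enumeration while the ordinary user `c3` is left alone; in production the same counters would be kept per token or IP over a sliding window rather than over a whole file.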
During the holiday season the volume of transactions and interactions between businesses, consumers, and financial institutions will be at a yearly high. If early indications are a predictor, this could be one of the busiest in history. Cybercriminals know this. Tactics will include more savvy scams that can be easy to fall prey to, especially in all the noise. Everyone should have a heightened awareness to prevent becoming a victim.
Things consumers can do:
These statistics also show the need to give more attention to the mobile apps which are increasingly being used by consumers to access financial services.
Unless specific protections are in place, apps can be inspected, cloned and copied – hackers can use stolen secrets to execute ATO, DDoS and other attacks. There are effective ways to protect mobile apps from abuse and to stop these kinds of attacks from getting near the backend systems, and these must be considered alongside traditional back-end security.