Organizations in the financial services sector have repeatedly been impacted by attackers leveraging credential stuffing and unique phishing attempts, according to newly released data in Akamai’s 2019 State of the Internet/Security Financial Services Attack Economy Report.
The report found that 50% of all the companies impacted by observed phishing domains were in the financial services sector. The report reflects the analysis of 3.5 billion attempts during an 18-month period that have put the personal data and banking information of financial services customers at risk.
Researchers observed that, between December 2, 2018, and May 4, 2019, 197,524 phishing domains were discovered. Customers were directly targeted in 66% of those attacks. In addition, “94% of the attacks against the financial services sector came from one of four methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection (which accounted for more than 8 million attempts during this reporting period), based on Akamai’s calculations,” according to the report.
“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” said Martin McKeay, security researcher at Akamai and editorial director of the State of the Internet/Security Report. “Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers.”
Criminals are using "bank drops," which researchers explained are packages of data containing a person’s stolen identity that can be used to open accounts at a given financial institution. The packages are known as "fullz" by criminals online and include an individual’s name, address, date of birth, Social Security details, driver’s license information and credit score.
While financial institutions are trying to understand the methods criminals are using to open these drop accounts, attackers are finding more success because they continue to target the financial services industry.
“Attackers are targeting financial services organizations at their weak points: the consumer, web applications and availability, because that’s what works,” said McKeay. “Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail. It requires being able to detect, analyze, and defend against an intelligent criminal who’s using multiple different types of tools for a business to protect its customers.”