Phishing and credential stuffing remain top threats
As we have seen in another report today, the financial sector remains a prime target for cybercriminals. Phishing attacks and credential stuffing are the two most common forms of attack used against the industry according to another report from Akamai.
In the six months between December 2018 and May 2019, nearly 200,000 phishing domains were discovered by the research and 50 percent of all unique organizations impacted are from the financial services sector.
In addition the report reveals 3.5 billion attempts at credential stuffing during an 18-month period, putting the personal data and banking information of financial services customers at risk.
"We've seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers," says Martin McKeay, security researcher at Akamai. "Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We're seeing a whole economy developing to target financial services organizations and their consumers."
The report also looks at how cybercriminals use stolen data. One technique centers on 'bank drops' -- packages of data that can be used to fraudulently open accounts at a given financial institution. Bank drops will typically include a person's stolen identity -- often called 'fullz' by criminals online, including name, address, date of birth, social security details, driver's license information, and credit score. Secure access to the fraudulent accounts comes via remote desktop servers, which are matched to the geographic location of the bank and the 'fullz'.
Criminals have also started launching DDoS attacks as a distraction to conduct credential stuffing attacks or to exploit a web-based vulnerability. Over the course of 18 months, Akamai has uncovered more than 800 DDoS attacks against the financial services industry alone.
"Attackers are targeting financial services organizations at their weak points: the consumer, web applications and availability, because that’s what works," says McKeay. "Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail. It requires being able to detect, analyze, and defend against an intelligent criminal who’' using multiple different types of tools for a business to protect its customers. For more than twenty years, Akamai has been leveraging its unique visibility into the full spectrum of attacks to help protect customers from these types of ever- evolving nefarious activities."
The full report is available from the Akamai site.