Financial services firms suffer over three billion credential stuffing attacks in 2020
New research from Akamai Technologies reveals that financial services firms suffered 3.4 billion credential stuffing attacks in 2020, a 45 percent year-on-year increase.
The report also observed nearly 6.3 billion web application attacks in 2020, with more than 736 million targeting financial services -- an increase of 62 percent from 2019. Over the past three years (2018-2020), DDoS attacks against the financial services sector grew by 93 percent.
"The ongoing, significant growth in credential stuffing attacks has a direct relationship to the state of phishing in the financial services industry," says Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report. "Criminals use a variety of methods to augment their credential collections, and phishing is one of the key tools in their arsenal. By targeting banking customers and employees in the sector, criminals increase their pool of potential victims exponentially."
For this report, Akamai partnered with threat intelligence company WMC Global, experts at understanding SMS phishing (smishing) and the toolkits that criminals devise to make their attacks possible. The collaboration examined two specific phishing kits: 'Kr3pto' and 'Ex-Robotos'.
The Kr3pto phishing kit, which targets financial institutions and their customers via SMS, has been observed spoofing 11 brands in the UK, across more than 8,000 domains since May 2020. WMC Global tracked more than 4,000 campaigns linked to Kr3pto targeting victims via SMS messaging over 31 days in Q1 of 2021.
Ex-Robotos is a phishing kit that sets a benchmark when it comes to corporate credential phishing. According to data from the Akamai Intelligent Edge Platform, there were more than 220,000 hits to the API IP address used for Ex-Robotos over a span of 43 days. Traffic to that address peaked at tens of thousands of hits per day on average between January 31 and February 5, 2021.
"Kits like Kr3pto and Ex-Robotos are just two of the many kits targeting corporations and consumers today," says Jake Sloane, senior threat hunter at WMC Global. "It's important to remember that employees are consumers too, and with the prevalence of work from home, as well as mobile device usage in corporate environments, criminals are not shy about attacking people no matter where they are, which explains the recent growth in SMS-based phishing attacks."
The full report is available on the Akamai site.