In an interview with Akamai security researcher Steve Reagan, Threatpost writer Lindsey O’Donnel reports that currently “up to 75 percent of all credential abuse attacks against the financial services industry in 2019 targeted APIs directly (rather than user-facing login pages).” Regan pointed to a particular example of a credit stuffing attack which included 55 million malicious login attempts.
The analysis of the research reveals a map of how the cyber attacks are being laid out. Says Regan, “DDoS, when it comes to unique DDoS targets, 40 percent of those were in the financial services sector, which is significant. We saw a bump in targeted API attacks for credential stuffing against the FinServ sector and then also local file inclusion jumped up ahead of SQL injection when it comes to the type of web attacks we’re seeing against financial services.”
As attacks become more creative, they are also becoming more refined: security is now so layered and nuanced that a scattershot approach is ineffective; attackers are learning to finesse and hybridize their tactics in response. Regan explains further, “... you’ll see attacks that leverage SQL injection attempts versus a little bit of DDoS mixed in there. And then when you see DDoS, the way they launch these attacks, it’s a myriad of attempts. So you’ll see SYN flooding, you’ll see RTSP, you’ll see all of that mixed in, so it goes across the board.”
Akamai has been seeing elaborately designed attacks on financial services, with attackers using a big-picture approach. These attacks contain variations and layers, to keep up with increasingly complex layers of security. Regan drives home his point about DDoS attacks, warning that “we want people to realize DDoS attacks are very real, they happen and they’re not going away anytime soon.”
The research from Akamai has revealed these attacks in sectors beyond financial services: travel, hospitality, and the gaming industry have all been targeted. Because the attacks are highly visible on the networks and because the credit stuffing tactic has a shelf life, criminals use a high-volume/maximum speed approach.
In his final thoughts for the interview, Regan advises that multi-factor Authentication is the best way to hinder criminal attacks. He explains further, “When it comes to API attacks, I would suggest keeping an eye on threading and keeping an eye on rate-limiting.” In thwarting these attacks, visibility is key.