Cybercrime Reports: The Costs & Effects on Financial Institutions

"We’re seeing a whole economy developing to target financial services organizations and their consumers.”

Cybercrime report results. (Source: Shutterstock)

Every minute, organizations lose $2.9 million to cybercrime, and over an 18-month period there were 3.5 billion malicious login attempts targeting the financial services sector. Those are the findings of two separate reports focused on the impact of cyberattacks.

Cambridge, Mass.-based content delivery network and cloud security solutions provider Akamai’s “2019 State of the Internet/Security Financial Services Attack Economy Report” found that 50% of all unique organizations affected by observed phishing domains were from the financial services sector. The data shows that, in addition to unique phishing attempts, adversaries also leveraged credential stuffing attacks to the tune of 3.5 billion attempts during an 18-month period, putting the personal data and banking information of financial services customers at risk.

The report discovered 197,524 phishing domains between December 2, 2018 and May 4, 2019; of those domains, 66% targeted consumers directly. When considering only phishing domains targeting consumers, 50% targeted companies in the financial services industry.

“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” Martin McKeay, security researcher at Akamai and editorial director of the report, said. “Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers.”

Once criminals have succeeded in their schemes, they need to process their ill-gotten data and funds. As Akamai’s report highlights, one method of dealing with these centers on “bank drops,” packages of data used to fraudulently open accounts at a financial institution. Bank drops typically include a person’s stolen identity, often called “fullz” by criminals online, including name, address, birth date, Social Security details, driver’s license information and credit score. Secure access to the fraudulent accounts comes via remote desktop servers, matched to the geographic location of the bank and the fullz.

Akamai’s findings revealed that 94% of observed attacks against the financial services sector came from one of four methods: SQL injection, local file inclusion, cross-site scripting and Object-Graph Navigation Language (OGNL) Java injection (which accounted for more than 8 million attempts during this reporting period). Attackers continue to use OGNL Java injection, made famous by the Apache Struts vulnerability, years after patches have been issued.

Over the course of 18 months, Akamai uncovered more than 800 DDoS attacks — which criminals use as a distraction to conduct credential stuffing attacks or to exploit a web-based vulnerability — against the financial services industry alone.

“Attackers are targeting financial services organizations at their weak points: the consumer, web applications and availability, because that’s what works,” McKeay said. “Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail. It requires being able to detect, analyze, and defend against an intelligent criminal who is using multiple different types of tools for a business to protect its customers.”

By targeting financial institutions, criminals attempt to steal sensitive data, and then use that information to open fake accounts and credit lines. Akamai maintained, “There is a deep level of irony in the fact that criminals are targeting the very industry they need to survive. While financial institutions are becoming better at detecting these attacks, adversaries continue to find success with old tricks, and that is a problem.”

San Francisco-based RiskIQ, an attack surface management provider, tapped proprietary global intelligence and third-party research in its annual “Evil Internet Minute” report to analyze the volume of malicious activity on the internet. The research revealed that top companies pay $25 per minute due to security breaches and that cybercriminals cost the global economy $1.5 trillion.

“As the scale of the internet continues to proliferate, so does the threat landscape,” Lou Manousos, CEO of RiskIQ, said. “By compiling the vast numbers associated with cybercrime in the past year, we made the research more accessible by framing it in the context of an ‘internet minute.’ We are entering our third year defining the sheer scale of attacks that take place across the internet using the latest third-party research and our own global threat intelligence so that businesses can better understand what they’re up against on the open web.”

RiskIQ learned that tactics range from malvertising to phishing to supply chain attacks that target e-commerce, like the Magecart hacks, which increased by 20% in the last year. Magecart gangs incurred the blame for causing at least 319,000 cyberincidents in 2018, including many digital card-skimming attacks and the British Airways, Newegg and Ticketmaster breaches. More recently, Magecart also claimed bedding retailers MyPillow and Amerisleep and the Atlanta Hawks basketball team as victims. The motives of cybercriminals include monetary gain, large-scale reputational damage, political motivations and espionage.

“Without greater awareness and an increased effort to implement necessary security controls, there will be more attacks using an ever-expanding range of technologies and strategies,” Manousos said. “With the recent explosion of web and browser-based threats, organizations should look to what can happen in a matter of minutes and evaluate their current security strategy. Businesses must realize that they are vulnerable beyond the firewall, all the way across the open internet.”

Additional cost-per-minute activity: