Cybercriminals Target Financial APIs To Bypass Security Controls

The Cambridge, Mass.-based Akamai reported a dramatic shift by cybercriminals in 2019. Up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly to bypass security controls.

This was a key revelation in the “Akamai 2020 State of the Internet / Security: Financial Services – Hostile Takeover Attempts” report. According to the report’s findings, from December 2017 through November 2019, the cloud security solutions provider observed some 85.5 billion credential abuse attacks. Nearly 20%, or about 16.5 billion attacks, struck against hostnames clearly identified as API endpoints. Of these, a little more than 473 million attacked organizations in the financial services industry.

Akamai determined not all attacks were exclusively API focused. On Aug. 7, 2019, the Massachusetts firm recorded the single largest credential stuffing attack against a financial services firm in the company’s history, consisting of 55,141,782 malicious login attempts. This attack was a mix of API targeting, and other methodologies. In a separate incident, on Aug. 25, the criminals targeted APIs directly, in a run that consisted of more than 19 million credential abuse attacks.

“Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes,” Steve Ragan, Akamai security researcher and principal author of the state of the internet security report, said. “Criminals targeting the financial services industry pay close attention to the defenses used by these organizations, and adjust their attack patterns accordingly.”

Indicative of this fluid attack dynamic, the report showed criminals continue to seek to expose data through a number of methods, to gain a stronger foothold on the server and ultimately achieve success in their attempts.

• SQL injection: Accounted for more than 72% of all attacks when looking at all verticals during the 24-month period observed by the report; 36% when looking at financial services attacks alone.
• Local file inclusion: The top attack type against the financial services sector with 47% of observed traffic. LFI attacks exploit various scripts running on servers, and as a consequence, can force sensitive information disclosure. LFI attacks also can come into play for client-side command execution (such as a vulnerable JavaScript file), which could lead to cross-site scripting and denial of service attacks.
• Cross-site scripting: The third-most common type of attack against financial services, with a recorded 50.7 million attacks, or 7.7% of the observed attack traffic.

The report also showed criminals continue to leverage distributed denial of service attacks as a core component of their attack arsenal, mainly as it relates to targeting financial services organizations.

Akamai’s observations from Nov. 2017 through Oct. 2019 revealed the financial services industry ranked third in attack volume, with gaming and high tech being the most common targets. However, more than 40% of the unique distributed denial of service targets were in the financial services industry, which makes this sector the top target when considering unique victims, according to Akamai.

“Security teams need to constantly consider policies, procedures, workflows and business needs – all while fighting off attackers that are often well organized and well-funded,” Ragan concluded. “Our data shows that financial services organizations are constantly improving by adopting fluid security postures, forcing criminals to change their tactics.”