Report: Attacks on Financial Services Targeting APIs

A report published by Akamai Technologies suggests cybercriminals targeting the financial services sector are starting to focus more of their attacks on application programming interfaces (APIs).

From December 2017 through November 2019, Akamai observed 85,422,079,109 credential abuse attacks across its customer base, according to the report. Nearly 20%, or 16,557,875,875, of those attacks were against hostnames that were clearly identified as API endpoints. Of those attacks, 473,518,955 attacked organizations in the financial services industry and began escalating sharply last May. One attack consisted of more than 19 million credential abuse attacks aimed directly at APIs last August.

The largest credential-stuffing attack against a financial services firm that Akamai has ever seen occurred the same month. A total of 55,141,782 unsuccessful malicious login attempts were made using a mix of methodologies that included API targeting.

Overall, Akamai estimates 75% or more of the total login attacks against financial services are aimed at APIs.

Steve Ragan, an Akamai security researcher, said cybercriminals are focusing more on APIs because most financial services firms have the resources in place to thwart less sophisticated attacks that have been widely employed by cybercriminals for many years now. For example, the top attack type against the financial services sector (47%) was Local File Inclusion (LFI), while SQL Injection (SQLi) accounted for only 37% of attacks in the sector. Across all industries, however, SQLi accounts for 72% of all attacks, the Akamai report noted.

The third most common attack type is cross-site scripting (XSS), which was employed in 50.7 million attacks (8%) of observed attack traffic.

Finally, the report noted 40% of all the unique distributed denial of service (DDoS) targets observed were in the financial services industry.

Ragan said cybercriminals, much like any bank robber, are heavily focused on the financial services sector because that’s where the money is. Most cybercriminals, however, will not change their methodologies until the ones they have been employing no longer work, he noted. That tendency reflects both the simple fact that cybercriminals are not inclined to work any harder than they have to and the fact that they don’t want whatever vector they plan to exploit to be discovered before they have a chance to employ it, he said.

It’s still too easy for cybercriminals to compromise IT environments, he added. In fact, cybercriminals today have access to a level of support from various providers of toolkits that is on par with anything provided by a provider of a commercial application. Most organizations would be able to thwart most attacks if they simply implemented multi-factor authentication, Ragan noted. Of course, every organization is also trying to strike a balance between accessibility and security, which he said is why two-factor authentication is not as widely implemented as most cybersecurity teams would like.

In the meantime, there may come a day when organizations embrace best DevSecOps practices to better secure their application environments. Until that day arrives, however, cybersecurity teams should expect to see a much wider array of more sophisticated attacks coming their way, as attack vectors being employed against financial services firms are applied elsewhere.

Michael Vizard

Avatar photo

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 593 posts and counting.See all posts by mike-vizard