Cybercriminals continue to firehose financial services companies with new and innovative cyberattacks. Research from Akamai recently found that up to 75 percent of all credential abuse attacks against the financial services industry in 2019 targeted APIs directly (rather than user-facing login pages). One such credential stuffing attack, observed last summer, hit one of Akamai’s financial services customers with a blizzard of 55 million malicious login attempts.
“We talk about API attacks and the reason why criminals are using targeted methods against API because the traditional ‘throw it and hope it sticks’ against financial services just isn’t cutting it anymore, they have to be more creative,” Steve Ragan, security researcher with Akamai, told Threatpost. “And of course this creates this ‘run and gun’ type of situation to where the financial services industry has to keep adding more layers and getting more creative with how they’re doing defense because the criminals are obviously coming at them full steam ahead.”
Threatpost talks to Ragan about the hardest hitting attack threats against the financial services industry, including credential stuffing attacks, DDoS attacks and more.
A lightly edited transcript is below.
Lindsey O’Donnell-Welch: Hi, everyone, this is Lindsey O’Donnell-Welch with Threatpost and I’m here at RSA Conference in San Francisco, joined by Steve Ragan with Akamai. Steve, thanks so much for joining us.
Steve Ragan: Thanks for having me.
LO: How’s your conference going, so far?
SR: So far, it’s going good. had a lot of productive meetings this week. It’s been a very long week. And it’s only Wednesday.
LO: Right yeah. Yeah, so I wanted to talk a little bit about, Akamai recently published a research paper last Wednesday. And it was discussing some really interesting takeaways about the state of internet security and how that impacts financial services. And there were some really good points in the research about kind of DDoS attacks and how that impacts financial services as well as credential stuffing and APIs. So just to start, can you talk about some of the biggest takeaways that you had in terms of what the research was about.
SR: So the big one of the biggest takeaways I got from the report when I was researching it, is the fact that, the last time we wrote about financial services, I had mentioned that the criminals were steadily targeting them, and they weren’t slowing down anytime soon. As this report was being put together, not only did that get proven true, it actually got bigger. So shortly after we put out the last financial services report, we actually saw a record setting attack for us, one of the largest against FinServ that we’d seen since we started tracking this, upwards of like 55 million credential stuffing attempts. And then as we started sorting and sifting through the data, we noticed that, like you had mentioned, DDoS, when it comes to unique DDoS targets, 40 percent of those were in the financial services sector, which is significant. We saw a bump in targeted API attacks for credential stuffing against the FinServ sector and then also local file inclusion jumped up ahead of SQL injection when it comes to the type of web attacks we’re seeing against financial services. So there are a couple of things that stood out in this report. But the the big key takeaway is that criminals are still actively engaged and targeting financial services.
LO: Right. And I want to kind of delve into those separate types of attacks and attack vectors in a second. But maybe we should take a step back and look at financial services as a whole and kind of what the main security issues are with the industry. Can you kind of give an outline of financial services and where they are and where the industry is at this point about these attacks.
SR: So it’s, it’s really interesting Financial Services is usually the industry that’s always at the top of their game when it comes to security, which forces the criminals to get creative in their attacks, they have to be hyper focused. So part of this report, we talk about API attacks and the reason why criminals are using targeted methods against API because the traditional “throw it and hope it sticks” against financial services just isn’t cutting it anymore, they have to be more creative. And of course this creates like this this run and gun type of situation to where the financial services industry has to keep adding more layers and getting more creative with how they’re doing defense because the criminals are obviously coming at them full steam ahead. You see a lot of the same problems in financial services as you do with any other market segment. So the old standbys are still there. Web attacks are always going to have SQL injection, you’re going to see that, you’re going to see DDoS as a distraction and as a way to cut vital services off from customers. You’re going to see this no matter what industry you’re looking at. But when it comes to financial services, what we’ve noticed is, criminals tend to take a hybrid approach in their attacks. So you’ll see attacks that leverage SQL injection attempts versus a little bit of DDoS mixed in there. And then when you see DDoS, the way they launch these attacks, it’s a myriad of attempts. So you’ll see SYN flooding, you’ll see RTSP you’ll see all of that mixed in, so it goes across the board.
LO: Well, that’s what kind of stuck out to me about kind of the DDoS attacks that you guys were observing was just the variation in different methods that were being used. And so, what do you see, what’s kind of the overall trends that you’re seeing with DDoS attacks in targeting the financial industry?
SR: We’re seeing sustained attacks. So what I mean by this is, they get bigger and they last longer. So we’re seeing you know, FinServ companies and I say FinServ, but I mean financial services, right I get that jargon stuck in my head, it doesn’t go anywhere. But we’re seeing these attacks stay longer, and they keep variations going so they don’t stick to just one type of DDoS attack anymore. They’re layering them throughout. And they just keep going, until eventually they just fall off. We’ve noticed that if you look in the report, we look at the peaks of traffic. And sometimes when we see these, these records setting, and I say record setting, meaning just like it stands out in the report, but when you see these attacks, it’s FinServ that’s getting hit, it’s getting hit the hardest in some ways.
LO: Yeah. And I mean, to your point about DDoS attacks that are targeting FinServ of getting getting bigger and bigger. I think that’s a trend we’re seeing overall, too, with DDoS attacks, growing and getting more widespread.
SR: You don’t hear about DDoS a lot. And that’s one of the things we’re trying to correct because we want to we want people to realize DDoS attacks are very real, they happen and they’re not going away anytime soon. So it’s it’s a thing that we want to keep that awareness out there, which is why we included it in this report because it needs to be talked about, because a lot of times you’ll see DDoS used as a precursor or a backer to other types of attacks. So, you know, trying to focus on just one one vector or one aspect of your attack surface does you no good.
LO: Right. And I also wanted to ask about credential stuffing, that was another big part of the report and you know, that figure you mentioned earlier about, was it 55 million –
SR: 55 million was the the attack shortly after we put out the last report. And it was all credential stuffing. And it was against a financial services company. So this, this particular attack, this was a 24 hour period, and it just stands out because this proves that, when it comes comes to how criminals are leveraging credential stuffing, they’re laser focused. And so they really really really want to get as much as they can out of these combination lists that they’re using, because they only have a short shelf life. So they wanted, they hit as much as they can for as long as they can. And then they swap out the list and keep going. And we’ve seen that a lot over the last couple of years to where these lists. They use them everywhere.
LO: Yeah, I mean, well, when you look at also kind of the financial services industry, I think that you had mentioned that they’re still using usernames and passwords. And I think that there needs to be a rethink of authentication.
SR: Oh, yeah, I agree. I really like that, you know, the financial services industry is getting more and more in tune with multi-factor authentication, and they’re not just relying on usernames and passwords anymore, they’re adding more to it, which is good for the public. It’s good for them. I mean, it works all around, but unfortunately, not everybody does that. And that’s why you see credential stuffing taking off because the criminals know that in some cases, all they needs a user name and password, right. And so they go from there. It’s not just financial services where we’re seeing this. We’re seeing this in other sectors as well, travel and hospitality, tt’s a thing we’re looking at. Gaming is another industry that’s seeing a lot of credential abuse. So right, it’s moving around.
LO: Yeah, that seems like a big problem, just across the industry as a whole. But when you look ahead to 2020, between, you know, all the different types of threats that you were seeing in your report, do you think one is going to kind of stand out whether it’s kind of APIs being targeted?
SR: We’re going to see more targeted API’s, you’re going to see that go up, I think and I think we’re also going to see more focus on credential stuffing as the year goes on. I think credential abuse is because of its point and click nature and it’s low barrier of entry for criminals, everybody’s jumping on it. Right now when do my research to look at what groups are doing and how they’re doing it, credential stuffing is the top that they’re going for. Because there are automated tools that literally, you load up your list you point at a domain, and you go. And it’s it’s very noisy. So they these types of attacks stand out on a network, which is why we’re able to track them like we do. But unfortunately, they’re effective, which is why you see them so much.
LO: Right, unfortunately.
SR: Unfortunately, they are effective.
LO: Yeah. I also wanted to ask, before we wrap up, when you are looking at the financial services industry, what advice would you have in terms of best steps for protection or mitigation against these types of attacks?
SR: So the biggest complaint I see criminals talk about is multi factor authentication. So not only enabling that but enforcing it, would be one of the things I would encourage financial services or any industry really, you know, start using multi factor authentication, enforce it. Don’t make it to where, oh, it’s there if you want to use it, teach your your user base, how to use this teach them, why it’s important. So education, and more options, I think, would be a good run of the mill. When it comes to API attacks, I would suggest keeping an eye on threading and keeping an eye on rate limiting. Don’t let somebody make a half a million attempts against your API, track that stuff.
LO: Yeah.
SR: And unfortunately, visibility in the API space is not as large as it is in some of the other attack surfaces that companies experience. So that needs to be, you need more visibility.
LO: Well, good things to think about when we’re moving forward. So Steve, thank you so much for speaking with us and have a great rest of your show.
SR: Thanks.