Cybercriminals continue to firehose financial services companies with new and innovative cyberattacks. Research from Akamai recently found that up to 75 percent of all credential abuse attacks against the financial services industry in 2019 targeted APIs directly (rather than user-facing login pages). One such credential stuffing attack, observed last summer, hit one of Akamai's financial services customers with a blizzard of 55 million malicious login attempts.
"We talk about API attacks and the reason why criminals are using targeted methods against API because the traditional 'throw it and hope it sticks' against financial services just isn't cutting it anymore, they have to be more creative," Steve Ragan, security researcher with Akamai, told Threatpost. "And of course this creates this 'run and gun' type of situation to where the financial services industry has to keep adding more layers and getting more creative with how they're doing defense because the criminals are obviously coming at them full steam ahead."
Threatpost talks to Ragan about the hardest hitting attack threats against the financial services industry, including credential stuffing attacks, DDoS attacks and more.
A lightly edited transcript is below.
Lindsey O'Donnell-Welch: Hi, everyone, this is Lindsey O'Donnell-Welch with Threatpost and I'm here at RSA Conference in San Francisco, joined by Steve Ragan with Akamai. Steve, thanks so much for joining us.
Steve Ragan: Thanks for having me.
LO: How's your conference going, so far?
SR: So far, it's going good. Had a lot of productive meetings this week. It's been a very long week. And it's only Wednesday.
LO: Right yeah. Yeah, so I wanted to talk a little bit about, Akamai recently published a research paper last Wednesday. And it was discussing some really interesting takeaways about the state of internet security and how that impacts financial services. And there were some really good points in the research about kind of DDoS attacks and how that impacts financial services as well as credential stuffing and APIs. So just to start, can you talk about some of the biggest takeaways that you had in terms of what the research was about.
SR: So one of the biggest takeaways I got from the report when I was researching it, is the fact that, the last time we wrote about financial services, I had mentioned that the criminals were steadily targeting them, and they weren't slowing down anytime soon. As this report was being put together, not only did that get proven true, it actually got bigger. So shortly after we put out the last financial services report, we actually saw a record setting attack for us, one of the largest against FinServ that we'd seen since we started tracking this, upwards of like 55 million credential stuffing attempts. And then as we started sorting and sifting through the data, we noticed that, like you had mentioned, DDoS, when it comes to unique DDoS targets, 40 percent of those were in the financial services sector, which is significant. We saw a bump in targeted API attacks for credential stuffing against the FinServ sector and then also local file inclusion jumped up ahead of SQL injection when it comes to the type of web attacks we're seeing against financial services. So there are a couple of things that stood out in this report. But the big key takeaway is that criminals are still actively engaged and targeting financial services.
LO: Right. And I want to kind of delve into those separate types of attacks and attack vectors in a second. But maybe we should take a step back and look at financial services as a whole and kind of what the main security issues are with the industry. Can you kind of give an outline of financial services and where they are and where the industry is at this point about these attacks.
SR: So it's really interesting. Financial services is usually the industry that's always at the top of their game when it comes to security, which forces the criminals to get creative in their attacks, they have to be hyper focused. So part of this report, we talk about API attacks and the reason why criminals are using targeted methods against API because the traditional "throw it and hope it sticks" against financial services just isn't cutting it anymore, they have to be more creative. And of course this creates like this run and gun type of situation to where the financial services industry has to keep adding more layers and getting more creative with how they're doing defense because the criminals are obviously coming at them full steam ahead. You see a lot of the same problems in financial services as you do with any other market segment. So the old standbys are still there. Web attacks are always going to have SQL injection, you're going to see that, you're going to see DDoS as a distraction and as a way to cut vital services off from customers. You're going to see this no matter what industry you're looking at. But when it comes to financial services, what we've noticed is, criminals tend to take a hybrid approach in their attacks. So you'll see attacks that leverage SQL injection attempts versus a little bit of DDoS mixed in there. And then when you see DDoS, the way they launch these attacks, it's a myriad of attempts. So you'll see SYN flooding, you'll see RTSP, you'll see all of that mixed in, so it goes across the board.
LO: Well, that's what kind of stuck out to me about kind of the DDoS attacks that you guys were observing was just the variation in different methods that were being used. And so, what do you see, what's kind of the overall trends that you're seeing with DDoS attacks in targeting the financial industry?
SR: We're seeing sustained attacks. So what I mean by this is, they get bigger and they last longer. So we're seeing, you know, FinServ companies, and I say FinServ, but I mean financial services, right, I get that jargon stuck in my head, it doesn't go anywhere. But we're seeing these attacks stay longer, and they keep variations going so they don't stick to just one type of DDoS attack anymore. They're layering them throughout. And they just keep going, until eventually they just fall off. We've noticed that if you look in the report, we look at the peaks of traffic. And sometimes when we see these record setting, and I say record setting, meaning just like it stands out in the report, but when you see these attacks, it's FinServ that's getting hit, it's getting hit the hardest in some ways.
LO: Yeah. And I mean, to your point about DDoS attacks that are targeting FinServ getting bigger and bigger. I think that's a trend we're seeing overall, too, with DDoS attacks, growing and getting more widespread.
SR: You don't hear about DDoS a lot. And that's one of the things we're trying to correct because we want people to realize DDoS attacks are very real, they happen and they're not going away anytime soon. So it's a thing that we want to keep that awareness out there, which is why we included it in this report because it needs to be talked about, because a lot of times you'll see DDoS used as a precursor or a backer to other types of attacks. So, you know, trying to focus on just one vector or one aspect of your attack surface does you no good.
LO: Right. And I also wanted to ask about credential stuffing, that was another big part of the report and you know, that figure you mentioned earlier about, was it 55 million —
SR: 55 million was the attack shortly after we put out the last report. And it was all credential stuffing. And it was against a financial services company. So this particular attack, this was a 24 hour period, and it just stands out because this proves that, when it comes to how criminals are leveraging credential stuffing, they're laser focused. And so they really, really want to get as much as they can out of these combination lists that they're using, because they only have a short shelf life. So they wanted, they hit as much as they can for as long as they can. And then they swap out the list and keep going. And we've seen that a lot over the last couple of years to where these lists, they use them everywhere.
LO: Yeah, I mean, well, when you look at also kind of the financial services industry, I think that you had mentioned that they're still using usernames and passwords. And I think that there needs to be a rethink of authentication.
SR: Oh, yeah, I agree. I really like that, you know, the financial services industry is getting more and more in tune with multi-factor authentication, and they're not just relying on usernames and passwords anymore, they're adding more to it, which is good for the public. It's good for them. I mean, it works all around, but unfortunately, not everybody does that. And that's why you see credential stuffing taking off because the criminals know that in some cases, all they need is a user name and password, right. And so they go from there. It's not just financial services where we're seeing this. We're seeing this in other sectors as well, travel and hospitality, it's a thing we're looking at. Gaming is another industry that's seeing a lot of credential abuse. So right, it's moving around.
LO: Yeah, that seems like a big problem, just across the industry as a whole. But when you look ahead to 2020, between, you know, all the different types of threats that you were seeing in your report, do you think one is going to kind of stand out, whether it's kind of APIs being targeted?
SR: We're going to see more targeted APIs, you're going to see that go up, I think, and I think we're also going to see more focus on credential stuffing as the year goes on. I think credential abuse is, because of its point and click nature and its low barrier of entry for criminals, everybody's jumping on it. Right now when I do my research to look at what groups are doing and how they're doing it, credential stuffing is the top that they're going for. Because there are automated tools that literally, you load up your list, you point at a domain, and you go. And it's very noisy. So these types of attacks stand out on a network, which is why we're able to track them like we do. But unfortunately, they're effective, which is why you see them so much.
LO: Right, unfortunately.
SR: Unfortunately, they are effective.
LO: Yeah. I also wanted to ask, before we wrap up, when you are looking at the financial services industry, what advice would you have in terms of best steps for protection or mitigation against these types of attacks?
SR: So the biggest complaint I see criminals talk about is multi-factor authentication. So not only enabling that but enforcing it, would be one of the things I would encourage financial services or any industry really, you know, start using multi-factor authentication, enforce it. Don't make it to where, oh, it's there if you want to use it, teach your user base how to use this, teach them why it's important. So education, and more options, I think, would be a good run of the mill. When it comes to API attacks, I would suggest keeping an eye on threading and keeping an eye on rate limiting. Don't let somebody make a half a million attempts against your API, track that stuff.
LO: Yeah.
SR: And unfortunately, visibility in the API space is not as large as it is in some of the other attack surfaces that companies experience. So that needs to be, you need more visibility.
LO: Well, good things to think about when we're moving forward. So Steve, thank you so much for speaking with us and have a great rest of your show.
SR: Thanks.