On August 7, 2019, a single credential stuffing attack against a financial services company recorded 55,141,782 malicious login attempts. To put that in perspective, it is more than twice the daily average (22,682,022) of credential abuse attacks detected by Akamai Technologies across all companies in all sectors between December 1, 2017, and November 30, 2019 (a total of 85.42 billion attempts).
The figures come from Akamai’s customer telemetry and are included in the firm’s latest State of the Internet report (PDF). In absolute terms they fall well short of everything happening on the internet, since they cover only the traffic Akamai sees, but in relative terms the proportions should broadly reflect the mix of attacks occurring over the last two years.
The report focuses on the financial services sector, which is the single most attacked sector — likely because, notes the report, “data from the financial services industry is worth a considerable amount to criminals, who use it for outright financial theft, money laundering, and identity fraud.”
Nearly 20% of those credential abuse attempts (16.55 billion) targeted API endpoints, 473.5 million of them against organizations in the finserv sector. For much of the two-year period the API share of malicious logins against finserv was negligible, but it spiked to more than 80% of all malicious login attempts in May 2019 and to more than 75% in October 2019. Akamai suggests the cause is a flood of credential lists on the criminal marketplace, the attractiveness of financial data, and a more general shift in criminal credential abuse towards API logins.
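By way of an added illustration (not taken from the Akamai report), the Python below runs a simple credential-stuffing heuristic over a handful of constructed login records. The log format, field names and thresholds are assumptions chosen for the example; what it shows is the signature that separates stuffing from an ordinary brute-force attempt on one account: many distinct usernames from a single source, a high failure ratio, and the occasional success that marks an account whose password is already in the attacker's list.

```python
"""Flag credential-stuffing sources in login telemetry.

Added example, not Akamai's code. The record format
(timestamp source_ip endpoint username result) and the thresholds are
assumptions. The sample records below are constructed, so this runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry (not real data). One record per login attempt.
SAMPLE_LOG = """\
2019-08-07T10:00:01Z 203.0.113.7 /api/v1/auth/login ann@example.com FAIL
2019-08-07T10:00:01Z 203.0.113.7 /api/v1/auth/login bob@example.com FAIL
2019-08-07T10:00:02Z 203.0.113.7 /api/v1/auth/login cat@example.com FAIL
2019-08-07T10:00:02Z 203.0.113.7 /api/v1/auth/login dan@example.com OK
2019-08-07T10:00:03Z 203.0.113.7 /api/v1/auth/login eve@example.com FAIL
2019-08-07T10:00:03Z 203.0.113.7 /api/v1/auth/login fay@example.com FAIL
2019-08-07T10:00:04Z 203.0.113.7 /api/v1/auth/login gus@example.com FAIL
2019-08-07T10:00:04Z 203.0.113.7 /api/v1/auth/login hal@example.com FAIL
2019-08-07T10:01:10Z 198.51.100.20 /login alice@example.com FAIL
2019-08-07T10:01:25Z 198.51.100.20 /login alice@example.com FAIL
2019-08-07T10:01:40Z 198.51.100.20 /login alice@example.com OK
2019-08-07T10:02:00Z 192.0.2.5 /login carol@example.com FAIL
2019-08-07T10:02:01Z 192.0.2.5 /login carol@example.com FAIL
2019-08-07T10:02:02Z 192.0.2.5 /login carol@example.com FAIL
2019-08-07T10:02:03Z 192.0.2.5 /login carol@example.com FAIL
2019-08-07T10:02:04Z 192.0.2.5 /login carol@example.com FAIL
2019-08-07T10:02:05Z 192.0.2.5 /login carol@example.com FAIL
"""


@dataclass
class SourceStats:
    """Per-source counters: volume, failures and the set of usernames tried."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)


def parse_events(text: str) -> list:
    """Split whitespace-separated records into (ts, ip, endpoint, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, endpoint, user, result = line.split()
        events.append((ts, ip, endpoint, user, result))
    return events


def summarize(events) -> dict:
    """Aggregate attempts per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, _endpoint, user, result in events:
        s = stats[ip]
        s.attempts += 1
        if result != "OK":
            s.failures += 1
        s.usernames.add(user)
    return dict(stats)


def classify_sources(stats, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.8) -> dict:
    """Label noisy sources. Stuffing tries many accounts once or twice each;
    a brute-force hammers one account. Both share a high failure ratio,
    so the distinct-username count is what tells them apart."""
    verdicts = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue                       # too little volume to judge
        if s.failures / s.attempts < min_fail_ratio:
            continue                       # mostly successful: looks like real users
        if len(s.usernames) >= min_distinct_users:
            verdicts[ip] = "credential_stuffing"
        elif len(s.usernames) == 1:
            verdicts[ip] = "single_account_brute_force"
    return verdicts


def accounts_to_reset(events, verdicts) -> set:
    """Accounts that authenticated successfully from a stuffing source:
    their passwords are in the attacker's list and need a forced reset."""
    return {user for _ts, ip, _ep, user, result in events
            if result == "OK" and verdicts.get(ip) == "credential_stuffing"}


def api_share(events, api_prefix="/api/") -> float:
    """Fraction of login attempts that hit API endpoints (assumed path prefix)."""
    if not events:
        return 0.0
    hits = sum(1 for _ts, _ip, ep, _u, _r in events if ep.startswith(api_prefix))
    return hits / len(events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    verdicts = classify_sources(summarize(evs))
    print("verdicts:", verdicts)
    print("accounts to reset:", accounts_to_reset(evs, verdicts))
    print(f"API share of attempts: {api_share(evs):.1%}")
```

On the constructed records the API source 203.0.113.7 is flagged as credential stuffing and dan@example.com is the account to reset, the single-account attacker 192.0.2.5 is labelled as brute force, and the user who mistyped a password twice is left alone. In production the same counters would be kept per source and per endpoint over a sliding window rather than over a static file.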
“Criminals are still buying, selling, and trading bank cards, financial credentials, compromised gift card balances, and online banking accounts at a rapid clip,” comments Akamai, “because demand for such things remains high. Some compromised assets are being exchanged for cash, while others are being exchanged for more product in a direct swap between criminals.”
But criminals aren’t limiting their attacks to fraudulent login attempts. “Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes,” comments Steve Ragan, principal author of the report. “Criminals targeting the financial services industry pay close attention to the defenses used by these organizations, and adjust their attack patterns accordingly.”
Web application attacks have been growing across all sectors. In the same two-year period Akamai detected 7.96 billion web application attacks, 662.57 million of them against finserv. SQL injection (SQLi) accounted for 72% of all web application attacks but only 36% of those against finserv, where the most common attack, at 47%, was Local File Inclusion (LFI).
LFI attacks target server-side scripts, most commonly PHP but also ASP, JSP and other web technologies, that build a file path from attacker-controlled input and pass it to an include or file-read call. A successful attack discloses local files such as configuration, credentials or source code, and it can also be leveraged for client-side code execution leading to cross-site scripting (XSS) and denial-of-service (DoS) attacks. The larger danger is that attacker-supplied content which reaches the server, for instance through a log entry or an upload, gets included and executed as server-side code: LFI attacks seek a foothold on the target server that can lead to full compromise.
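The following Python, added here as an illustration and not taken from the Akamai report, shows the vulnerable path construction behind an LFI beside a hardened version. The template directory, the allowlist of page names and the request values are assumed for the example; the resolution logic is what matters, and it applies equally to PHP, ASP or JSP includes.

```python
"""Local File Inclusion: the vulnerable path construction beside a hardened one.

Added example, not code from the Akamai report. TEMPLATE_DIR, ALLOWED_PAGES
and the request values are assumptions chosen for illustration. Paths are
resolved with posixpath so results are identical on any OS; no file is read.
"""
import posixpath
from urllib.parse import unquote

TEMPLATE_DIR = "/var/www/app/templates"       # assumed application layout
ALLOWED_PAGES = {"home", "about", "contact"}  # assumed set of includable pages


def vulnerable_resolve(page: str) -> str:
    """The LFI pattern: a request parameter is glued onto a server path, as in
    PHP's include($_GET['page']) or a JSP/ASP equivalent. Nothing stops '../'
    sequences walking out of TEMPLATE_DIR. (Appending a fixed extension is not
    a fix either; encoded or truncated paths have historically bypassed it.)"""
    return TEMPLATE_DIR + "/" + page


def escapes_base(candidate: str, base: str = TEMPLATE_DIR) -> bool:
    """True if the normalised path is not inside base. commonpath is used rather
    than startswith so a sibling such as '/var/www/app/templates2/...' is not
    mistaken for a child of base."""
    resolved = posixpath.normpath(candidate)
    return posixpath.commonpath([base, resolved]) != base


def hardened_resolve(page: str) -> str:
    """Map the request parameter to a file by allowlist, then verify containment.
    Traversal, percent-encoded traversal, null bytes and stream-wrapper style
    values ('php://...') are all rejected because none is an allowlisted name."""
    decoded = unquote(page)                 # see the bytes the include would see
    if "\x00" in decoded or "/" in decoded or "\\" in decoded:
        raise ValueError(f"rejected path characters in page={page!r}")
    if decoded not in ALLOWED_PAGES:
        raise ValueError(f"page {decoded!r} is not an includable template")
    path = posixpath.normpath(posixpath.join(TEMPLATE_DIR, decoded + ".html"))
    if escapes_base(path):                  # defence in depth behind the allowlist
        raise ValueError("resolved path left the template directory")
    return path


def is_rejected(page: str) -> bool:
    """Convenience wrapper: does the hardened resolver refuse this value?"""
    try:
        hardened_resolve(page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payloads = [
        "home",
        "../../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "php://filter/convert.base64-encode/resource=config",
    ]
    for payload in payloads:
        # The web server percent-decodes before the script sees the value.
        naive = vulnerable_resolve(unquote(payload))
        print(f"{payload!r}")
        print(f"  vulnerable -> {posixpath.normpath(naive)}"
              f" (escapes template dir: {escapes_base(naive)})")
        try:
            print(f"  hardened   -> {hardened_resolve(payload)}")
        except ValueError as err:
            print(f"  hardened   -> rejected ({err})")
```

Run stand-alone it prints, for each payload, where the naive concatenation would land (the traversal payloads resolve to /etc/passwd) and that the hardened resolver returns only the allowlisted template path or refuses. The allowlist does the real work; the containment check is there for code paths where the filename genuinely has to come from the user.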
XSS was the third most common web application attack at 3.3% of all attacks, but 7.7% of the finserv attacks (50.7 million). Fourth was PHP injection (PHPi), with just under 16 million attempts.
Akamai believes that a zero-trust approach to security could address all these attacks. “The concept has been around since 2010,” it says, “and it’s been known by a number of names, such as microsegmentation, nano-segmentation, and BeyondCorp. But it’s best known as Zero Trust.” It involves moving from ‘trust but verify’ to ‘trust nothing, and trust no one’. Put simply, it means drawing a perimeter around every single device and requiring every inbound connection to be authenticated, whether it comes from an adjacent device on the network or from an IP address on the other side of the world.
Zero trust is not a product that can be bought and installed; it is an approach that has to be built into the infrastructure, and it is neither easy nor simple nor quick. The starting point, however, is solid identity and access control.
Akamai’s analysis of weekly logins over the last two years shows growth from under 4 million to more than 11 million. Within this, SSO and social logins have remained steady, with almost all the growth in traditional username-and-password logins, which still account for the majority of access methods at 74%. “These are the foundations on which Zero Trust is built,” suggests Akamai.
“Security teams need to constantly consider policies, procedures, workflows, and business needs — all while fighting off attackers that are often well organized and well-funded,” said Ragan. “Our data shows that financial services organizations are constantly improving by adopting fluid security postures, forcing criminals to change their tactics.”