Cyber criminals launched 3.5 billion malicious login attempts in just 18 months - Akamai

Half of all phishing attacks are targeting the financial sector, warns Akamai

Cyber crooks launched around 3.5 billion credential stuffing attempts during the 18-month period from November 2017 to April 2019 - with the financial sector targeted in particular.

That's according to the latest edition of the State of the Internet/Security report [PDF] released by content delivery giant Akamai, which focused on The Financial Services Attack Economy. In it, it claims that half of all organisations targeted by observed phishing domains were in the financial services sector.

According to Akamai, 94 per cent of the attacks against financial institutions were performed using just four techniques:

The attackers also resorted to DDoS attacks in 800 attempts to target financial services, either to exploit a web-based flaw or as a distraction to carry out credential stuffing attacks.

Notably, OGNL Java injection, which came to light due to the Apache Struts vulnerability, is still being used by cyber criminals - several years after the patches to address the flaw were issued.

Between 2nd December 2019 and 4th May 2019, Akamai identified 197,524 phishing domains, of which, 66 per cent directly targeted consumers.

"Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create," said Martin McKeay, editor of the State of the Internet Report's security edition.

"We're seeing a whole economy developing to target financial services organisations and their consumers," McKeay added.

According to McKeay, attackers are hitting financial firms at their weaker points: the web applications and consumers, and the approach seem to be working for them.

After attackers succeed in stealing user data, they create packages of information, called "bank drops", which include an individual's name, date of birth, address, driving license number, credit score, and social security number. All these details are then used to fraudulently open an account at a bank.

The techniques used by criminals to open those drop accounts are continuously investigated by financial institutions in efforts to stay ahead of the curve. However, they also need to realise that criminals sometimes recycle old techniques to carry out attacks on financial organisations.

Akamai's The Financial Services Attack Economy report has come within days after Capital One admitting that the personal information of 106 million Americans and Canadians was exposed in a data breach that occurred in March and April this year.

According to Capital One, names, emails, date of births, phone numbers, addresses, and self-reported incomes of customers who applied for a credit card from the company in past 14 years were illegally accessed by hackers.

This week, the security researchers at Positive Technologies also came up with results of their latest study, which suggests that hackers can bypass the £30 spending limit on Visa contactless cards by leveraging a series of security flaws.

Back in 2014, security researchers at Newcastle University had demonstrated a proof of concept exploit that would enable thieves to steal £1 million from stolen contactless payment cards.