Stuffing nonsense: Persistent cyberpunks are pummelling banks' public APIs, warns Akamai

Security biz clocked 55 million malicious login attempts on a client

Financial services firms' public APIs are becoming the target du jour for internet ne'er-do-wells, reckons Akamai, which also said that one of its customers was firehosed with 55 million malicious login attempts last summer.

The web services 'n' security biz said, in a report released today, that three-quarters of all credential abuse attacks it detected in 2019 were targeted at banks' publicly available APIs.

"Criminals are getting more creative and hyper-focused on how they go about obtaining access to the things they need to conduct their crimes," said Steve Ragan, Akamai security researcher and first author of the State of the Internet / Security report. "Criminals targeting the financial services industry pay close attention to the defences used by these organisations, and adjust their attack patterns accordingly."

Akamai said it had "observed 85,422,079,109 credential abuse attacks" over two years, spanning December 2017 to November last year. Around a fifth of these – 16,557,875,875 – "were against hostnames that were clearly identified as API endpoints". In turn, 473,518,955 of those were categorised as attacks against organisations in the financial services industry.

The firm said in a statement: "On August 7, 2019, Akamai recorded the single largest credential stuffing attack against a financial services firm, in our company's history, consisting of 55,141,782 malicious login attempts. This attack was a mix of API targeting, and other methodologies."

Credential stuffing is where cybercrims take a list of previously breached usernames and passwords and try the list against other websites and services in the hope that some of them might work.
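
For defenders, that pattern is visible in login logs: one source tries many different usernames, roughly once each, and nearly all fail. The sketch below is an added example, not code from Akamai's report or this article, and it separates that pattern from repeated guessing against a single account. The log format, the `/api/v1/login` path, the thresholds and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def _line(ip, user, status):
    # Constructed log format (assumption): timestamp, source IP, method, path, user, HTTP status.
    return f"2020-01-01T00:00:00Z {ip} POST /api/v1/login user={user} status={status}"

# Constructed sample traffic; the IPs are from the reserved documentation ranges.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", u, s) for u, s in [("alice", 401), ("bob", 401), ("carol", 401),
                                             ("dave", 200), ("erin", 401), ("frank", 401)]]
    + [_line("198.51.100.4", "admin", 401)] * 6
    + [_line("192.0.2.10", "grace", 401), _line("192.0.2.10", "grace", 200)]
)

LINE_RE = re.compile(
    r"^\S+ (?P<ip>\S+) POST (?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

def classify_sources(log_text, login_path="/api/v1/login", min_attempts=5,
                     min_distinct_ratio=0.8, max_success_ratio=0.2):
    """Label each source IP by the shape of its login attempts against one endpoint."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["path"] != login_path:
            continue  # skip unparseable lines and other endpoints
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        s["ok"] += m["status"] == "200"

    verdicts = {}
    for ip, s in stats.items():
        distinct_ratio = len(s["users"]) / s["attempts"]
        success_ratio = s["ok"] / s["attempts"]
        if s["attempts"] < min_attempts or success_ratio > max_success_ratio:
            verdicts[ip] = "normal"               # too little data, or mostly succeeding
        elif distinct_ratio >= min_distinct_ratio:
            verdicts[ip] = "credential_stuffing"  # many accounts, about one try each
        else:
            verdicts[ip] = "password_guessing"    # many tries against few accounts
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

Per-source counting misses lists spread thinly across many addresses, so the same ratios are also worth computing per endpoint and per time window.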

SQL injection attacks accounted for around 72 per cent of all attacks during the two-year period examined in the report. The top attack type against the financial services sector was Local File Inclusion (LFI), Akamai said, accounting for just under half (47 per cent) of observed traffic.

"LFI attacks," it said, "exploit various scripts running on servers, and as a consequence, these types of attacks can be used to force sensitive information disclosure. LFI attacks can also be leveraged for client-side command execution (such as a vulnerable JavaScript file), which could lead to Cross-Site Scripting (XSS)" as well as plain old denial-of-service attacks.

The full report can be found here (PDF). ®
