Banks, investment firms and other financial services and insurance (FSI) companies suffered from a massive boost in cybercriminals’ attention during 2020, according to a new analysis that identified 3.4 billion credential-stuffing attacks targeted at FSI firms alone.

That included a 45 per cent year-on-year jump in credential stuffing – in which cybercriminals use stolen login credentials to access key business applications – and saw FSI companies copping up to 47.7 million credential-stuffing attacks in a single day.

“We saw an overall increase in every single area of our coverage with customers,” Akamai APJ head of security technology and strategy Fernando Serto told Information Age as the company released its latest State of the Internet report, entitled Phishing for Finance and co-developed with security research firm WMC Global.

Akamai, whose global network carries over 20 per cent of the world’s web traffic, last year observed 193 billion credential-stuffing attacks and saw a 62 per cent boost in attacks on web applications, with over 736m targeting FSI companies.

The company also observed 93 per cent growth in distributed denial of service (DDoS) attacks over its network between 2018 and 2020, including a 15 per cent surge in 2020 alone.

Such high growth, report author and Akamai security researcher Steve Ragan wrote, indicated that “systemic disruption remains an objective for criminals, who target services and applications required for daily businesses”.

“The ongoing, significant growth in credential stuffing attacks has a direct relationship to the state of phishing in the financial services industry,” he said, warning that cybercriminals “use a variety of methods to augment their credential collections, and phishing is one of the key tools in their arsenal.”

This included newly developed phishing kits like Kr3pto and Ex-Robotos, a cybercrime tool that Ragan said “essentially sets a benchmark when it comes to corporate credential phishing” by ‘phoning home’ to its cybercriminal masterminds over 220,000 times in 43 days.

Not just the banks

Most traditionally associated with cleverly crafted deceptive emails, phishing proved financially successful for cybercriminals who piggybacked the massive disruption of the COVID-19 pandemic, peppering victims with email, social-media lures and SMS ‘smishing’ messages.

“To see how creative attackers have gotten over a year has shown us the amount of change and creativity that exists,” Serto said, “and it has forced people to be a bit more creative in the way they engage.”

Part of banks’ increased attack surface during 2020 came from the widespread shutdown of physical locations, with banks pushing customers to fully digital interactions through digital payments and Internet banking.

Yet banks, ANZ regional manager for financial services James Richmond noted, were harder targets for cybercriminals than the rest of the FSI industry – where, he said, “we’ve seen the same threat vectors and same trends applied” as cybercriminals expand their horizons away from relatively well-defended major banks.

“The further away you get from a major bank,” Richmond said, “the more legacy architecture they’re coping with as an organisation – and, potentially, the more holes there are for malicious actors to exploit.”

“We spent a lot of time last year helping organisations that we typically hadn’t worked with a lot before – and they were seeing threat vectors that they had never been exposed to before, being outside of the four major banks.”

Cybercriminals intensively poked and prodded widely used web applications, with old favourites like SQL injection attacks still proving successful and “short bursts of little campaigns to test a lot of this infrastructure” standing out in monitoring data.

Akamai noted five “notable” seasonal peaks in the second half of 2020 as cybercriminals stepped up their attacks in the runup to the holiday shopping season.

Web attacks on FSI applications spiked at 33.9m attacks on 28 September, with many generated by ‘phishing-as-a-service’ kits such as U-Admin – said by the Australian Federal Police to be responsible for half of all phishing attacks in Australia in 2019.

U-Admin’s alleged Ukrainian author was arrested in February in a joint Australian Federal Police (AFP)-FBI takedown executed in large part thanks to Australia’s largest banks – who, the AFP said, helped investigators by “identifying and tracking the anomalies in customers’ transactions and identifying victims of these phishing scams”.

The arrest “is a clear message to cybercriminals everywhere,” AFP commander cybercrime operations Chris Goldsmid said. “It doesn't matter if you live in Australia or across the world… your activities are being targeted by multiple law enforcement agencies."