Financial services sector hit with more credential stuffing attacks
7 June 2021
About 3.4 billion credential stuffing attacks were aimed at the financial services sector globally last year, an increase of 45% from 2019, according to a new report from Akamai Technologies.
Globally there were 193 billion such attacks last year, the firm says in its annual State of the Internet/Security report.
Credential stuffing is a type of cyber attack where perpetrators use lists of compromised user credentials to hack into a system. The attack uses bots for automation and scale and is based on the assumption that many users reuse usernames and passwords across multiple services.
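As an added illustration of the pattern just described (this is not code from the article or from Akamai's report), the following Python flags a login source that tries many different usernames with mostly failed results inside a short window, which is what automated credential testing looks like in web logs. The log format, the IP addresses and the thresholds are constructed assumptions, not any product's schema.

```python
"""Detect credential-stuffing behaviour in constructed login logs.

Signature: one client IP attempting many *distinct* accounts in a short
window with a low success ratio. A single user retrying one account does
not trip the rule. Format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <client_ip> <username> <result>"
SAMPLE_LOG = """\
2021-06-07T09:00:01 203.0.113.7 alice FAIL
2021-06-07T09:00:02 203.0.113.7 bob FAIL
2021-06-07T09:00:02 203.0.113.7 carol FAIL
2021-06-07T09:00:03 203.0.113.7 dave OK
2021-06-07T09:00:03 203.0.113.7 erin FAIL
2021-06-07T09:00:04 203.0.113.7 frank FAIL
2021-06-07T09:05:00 198.51.100.9 alice FAIL
2021-06-07T09:05:30 198.51.100.9 alice FAIL
2021-06-07T09:06:00 198.51.100.9 alice OK
"""


def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.3):
    """Return {ip: distinct_users_seen} for IPs whose attempts in any sliding
    window cover >= min_users accounts with success ratio <= max_success_ratio."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits the time bound.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged
```

Per-IP thresholds are only a first-line signal: the bots the report describes are commonly spread across many proxy addresses, so production detection also correlates on user agent, device fingerprint and account-level failure rates.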
Akamai says passwords have always been a weak link in the security chain, and criminals won’t hesitate to exploit that weakness.
“Looking back at the year, all of these instances can be linked to events happening in the criminal economy at the time,” the report said.
“Millions of new usernames and passwords, tied to several notable incidents in Q1 and Q2 of 2020, as well as some in Q3, started circulating among criminals on several forums.
“Once these compromised credentials were in circulation, they were sorted and tested against brands across the internet, including several financial institutions.”
Akamai says in Australia and New Zealand, there has been a marked increase in the number of automated application-layer attacks targeting insurers.
These attacks are designed to scrape organisational data, or worse still, to utilise stolen credentials for the purpose of fraudulently accessing customer data and accounts directly.
“It is increasingly common to see the same bots attacking Australian and New Zealand insurers as other insurance organisations in the region, and globally,” Regional Manager, Financial Services, James Richmond told insuranceNEWS.com.au.
He says insurers are also being targeted by phishing and malware attacks focused on employee, contractor, and third-party credential abuse and fraud.
Australian insurers are responding to the escalating threat, actively exploring more advanced solution options to combat the danger, while ensuring their remote employees’ productivity and ease of systems access are not sacrificed.
He says insurers in Australia are very proactive when it comes to risk management.
“Security teams at Australian insurance companies, and in financial services more broadly, continue to collaborate and communicate with each other effectively, which helps protect the industry against common threats,” Mr Richmond said.
“This is a critical part of Australian financial services’ defensive ecosystem, because as long as one insurer is vulnerable, cyber criminals will continue to target other companies in the sector.”
The report says the financial services sector also saw a record 63.56 million credential abuse attacks globally. Credential abuse is a byproduct of phishing, often carried out with the aim of taking over an account.
According to the report, phishing is now a turnkey business, even offered as a hosted solution for criminals who wish to leverage phishing-as-a-service developments.
SMS phishing in particular has emerged as a global problem. As the mobile text messaging service remains widely used, perpetrators see an opportunity to exploit it to trick unsuspecting users.
The perpetrators do it by inundating users’ phones with phishing messages impersonating banks, entertainment channels, package delivery services, online retailers and others.
“While mobile users are progressively more aware of malicious messages on email and social networks, many inherently trust texts, and threat actors have ample opportunity to exploit this dynamic,” the report said.
“To preserve the integrity of the text message medium and to protect the user experience, everyone needs to understand this growing threat while working to guard against its proliferation.”