Cloud SecurityPress ReleaseThreat Detection & Defense

Akamai Report: APJ’s Financial Sector Endures 3.7 Billion Attacks, Tops Target List

Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, released a new State of the Internet report, titled The High Stakes of Innovation: Attack Trends in Financial Services. This report highlighted that the financial services sector in Asia Pacific and Japan (APJ) continues to be one of the most attacked industries in the world, experiencing growth of web application and API attacks by 36% from Q2 2022 to Q2 2023 – amounting to over 3.7 billion attacks. The report also found that Local File Inclusion (LFI) remains the top attack vector and that 92.3% of attacks against APJ’s finance sector were targeted at banks, posing a huge threat to both financial institutions and their customers.

Financial services organizations in APJ were also found to be using more third-party scripts as they developed more channels and better customer experiences – with 40% of the scripts being third-party in nature. These data points show that organizations, especially banks and consumer-centric institutions, are at severe risk as they expand their digital footprint to reach more customers and gain a competitive edge.

“APJ’s financial services sector is one of the most innovative and competitive in the world. Financial institutions are increasingly turning to third-party scripts to quickly add new offerings, features, and interactive experiences for customers. However, businesses usually have limited visibility into the authenticity and potential vulnerabilities of these scripts, introducing yet another layer of risk to the business. Due to this limited visibility of risky third-party scripts, threat actors now have yet another vector to launch attacks against banks and their customers,” explained Reuben Koh, Security Technology and Strategy Director (APJ), Akamai.

Akamai’s report also found that malicious bot traffic in APJ rose 128% from 2022, which underscores the continued assault against financial services customers and their data. Cybercriminals use bots to amplify the scale, efficiency, and effectiveness of attacks. APJ is the second-most targeted region in the world for malicious bot requests against financial services, accounting for 39.7% of all malicious bot requests worldwide. Use cases include website scraping to impersonate the websites of financial services brands for phishing scams, and credential stuffing via automated injections of stolen usernames and passwords for account takeovers. This highlights that threat actors are constantly evolving their techniques and have started to focus their attacks on financial service consumers to get the most return on investment.

Other key findings of the report include:

  • Web applications and APIs remain attack vectors of choice in APJ, with the finance sector accounting for 50% of attacks in this category, followed by commerce (19.99%) and social media (8.3%).
  • Australia, Singapore, and Japan were named the top three most targeted countries in APJ, together accounting for more than three-quarters of all web application and API attacks. As global financial hubs, it is no surprise that organizations in these countries continue to experience massive, targeted attacks.
  • Local File Inclusion (LFI) remains the top attack vector, accounting for 63.2% of attacks – with Cross-Site Scripting (XSS) second at 21.3% and PHP Injection (PHPi) at 6.32%. LFI attacks exploit insecure coding practices or actual vulnerabilities on a web server to execute code remotely or gain access to sensitive information stored locally. Older PHP-based web servers, for example, are more vulnerable to LFI attacks due to existing methods of bypassing its input filters.
  • Businesses in the financial services sector in APJ must continue to keep a lookout for additional regulatory oversight and new reporting obligations. For example, the rising use of third-party scripts can make it challenging for financial institutions to meet the requirements of the upcoming Payment Card Industry Data Security Standard (PCI DSS) v4.0 where there will be specific sections relating to client-side script visibility and management. New regulations may be increasingly enforced, and businesses must ensure they take these new compliance requirements into account or risk fines or reputational damage.

“Financial services organizations in APJ must remember that cybercriminals will always try to find new and more sophisticated ways to launch their cyber-attacks as the pace of innovation in this sector increases,” said Koh. “The rising popularity of financial aggregators and especially those organizations keen to adopt open banking practices will mean that the industry will begin to be even more dependent on the use of APIs and third-party scripts moving forward – expanding attack surfaces even further.”

“Financial institutions must focus on securing new digital offerings, continuously educating customers on cyber hygiene best practices, and investing in frictionless security measures for users. As regulators enforce policies to strengthen cybersecurity standards, it is also important for financial services organizations to understand and account for new compliance requirements while strengthening their security posture and cyber resilience against modern cyber threats,” he concluded.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *