Credential stuffing, web app attacks bombard financial services amid contagion

Financial services providers suffered a bombardment of credential stuffing and web application attacks as the COVID-19 pandemic raged in 2020, according to Akamai’s latest State of the Internet security report.

Last year, Akamai saw 193 billion credential stuffing attacks globally, translating to 22 million attacks an hour. Of these, 3.4 billion hit financial services firms specifically, an increase of more than 45% year-over-year in the sector.

Also, Akamai observed nearly 6.3 billion web application attacks, with more than 736 million targeting financial services, an increase of 62% from 2019.

SQL Injection (SQLi) attacks remained in the top spot across all business types globally, making up 68% of all web application attacks in 2020, with Local File Inclusion (LFI) attacks coming in second at 22%.

However, in the financial services industry, LFI attacks were the No. 1 web application attack type in 2020 at 52%, with SQLi at 33% and Cross-Site Scripting at 9%.

For this report, Akamai partnered with threat intelligence company WMC Global to examine two specific phishing kits: “Kr3pto” and “Ex-Robotos.”

“By partnering with WMC Global for this report, we were able to expand on our existing coverage of the financial sector and offer a wider range of details into the attacks that financial organizations face on a daily basis,” said Steve Ragan, Akamai security researcher and author of the report.

The Kr3pto phishing kit, which targets financial institutions and their customers via SMS, has been observed spoofing 11 brands in the United Kingdom, across more than 8,000 domains since May 2020.

WMC Global tracked more than 4,000 campaigns linked to Kr3pto targeting victims via SMS messaging over 31 days in the first quarter of 2021.

Ex-Robotos is a phishing kit that has essentially become a benchmark for corporate credential phishing. According to data from the Akamai Intelligent Edge Platform, there were more than 220,000 hits to the API IP address used for Ex-Robotos over a span of 43 days.

“Kits like Kr3pto and Ex-Robotos are just two of the many kits targeting corporations and consumers today,” said Jake Sloane, senior threat hunter at WMC Global.

“It’s important to remember that employees are consumers too, and with the prevalence of work from home, as well as mobile device usage in corporate environments, criminals are not shy about attacking people no matter where they are, which explains the recent growth in SMS-based phishing attacks,” said Sloane.