36 percent growth in Web application and API attacks against APJ’s financial institutions as they expand and accelerate digital innovation
Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today released a new State of the Internet report, titled The High Stakes of Innovation: Attack Trends in Financial Services. The report highlights that the financial services sector in Asia Pacific and Japan (APJ) continues to be one of the most attacked industries in the world, with web application and API attacks growing 36 percent from Q2 2022 to Q2 2023 – amounting to over 3.7 billion attacks. The report also found that Local File Inclusion (LFI) remains the top attack vector, and that 92.3 percent of attacks against APJ’s finance sector targeted banks, posing a significant threat to both financial institutions and their customers.
Financial services organizations in APJ were also found to be using more third-party scripts as they develop more channels and better customer experiences – with 40 percent of the scripts being third party in nature. These data points show that organizations, especially banks and consumer-centric institutions, are at severe risk as they expand their digital footprint to reach more customers and gain a competitive edge.
“APJ’s financial services sector is one of the most innovative and competitive in the world. Financial institutions are increasingly turning to third-party scripts to quickly add new offerings, features, and interactive experiences for customers. However, businesses usually have limited visibility into the authenticity and potential vulnerabilities of these scripts, introducing yet another layer of risk to the business. Due to this limited visibility of risky third-party scripts, threat actors now have yet another vector to launch attacks against banks and their customers,” explained Reuben Koh, Security Technology and Strategy Director (APJ), Akamai.
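The visibility problem described above has a concrete, checkable form: an inventory of every external script a page loads, which of those come from hosts the institution does not control, and whether each one is pinned with a Subresource Integrity (SRI) hash so a silently changed script fails to load. The following is an added example (not Akamai's code or any code from the report) that builds such an inventory from page HTML using only the Python standard library; the hostnames, the HTML and the script body are constructed for illustration, and the first-party host list is an assumption you would replace with your own.

```python
"""Client-side script inventory with SRI checks (added example, not from the report).

Hostnames, HTML and the script body below are constructed; `FIRST_PARTY_HOSTS`
stands in for the institution's own CDN origins.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOSTS = {"cdn.example-bank.test"}   # constructed: hosts the bank controls


class _ScriptCollector(HTMLParser):
    """Collect the attribute map of every <script> element that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.scripts.append(attr_map)


def inventory_scripts(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return one record per external script: where it comes from and whether it is pinned."""
    collector = _ScriptCollector()
    collector.feed(html)
    records = []
    for attrs in collector.scripts:
        host = urlparse(attrs["src"]).hostname or ""      # "" means a relative, same-origin URL
        records.append({
            "src": attrs["src"],
            "host": host,
            "third_party": bool(host) and host not in first_party_hosts,
            "has_integrity": bool(attrs.get("integrity")),
            "crossorigin": attrs.get("crossorigin"),
        })
    return records


def sri_digest(body):
    """Compute the SRI integrity value (sha384-<base64 digest>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")


def verify_sri(body, integrity):
    """Check a fetched script body against an integrity attribute (sha384 only)."""
    algo, _, expected = integrity.partition("-")
    if algo != "sha384":
        return False
    return hashlib.sha384(body).digest() == base64.b64decode(expected)


def unpinned_third_party(records):
    """The actionable list: third-party scripts with no integrity attribute."""
    return [r["src"] for r in records if r["third_party"] and not r["has_integrity"]]


# Constructed sample: one pinned vendor widget, one unpinned analytics tag.
WIDGET_BODY = b"window.chat = function () { /* constructed vendor script */ };"
SAMPLE_HTML = f"""
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-bank.test/core.js"></script>
<script src="https://widgets.vendor-one.test/chat.js"
        integrity="{sri_digest(WIDGET_BODY)}" crossorigin="anonymous"></script>
<script src="https://analytics.vendor-two.test/tag.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for rec in inventory_scripts(SAMPLE_HTML):
        print(rec)
    print("unpinned third-party:", unpinned_third_party(inventory_scripts(SAMPLE_HTML)))
    print("widget body matches pin:", verify_sri(WIDGET_BODY, sri_digest(WIDGET_BODY)))
```

Running the inventory against a release build, or against the served page on a schedule, turns "limited visibility" into a list of scripts that are third-party and unpinned; the `verify_sri` check is what a browser does for you once the `integrity` attribute is present, and re-running it server-side on a fetched copy is a simple way to notice a vendor script that changed under you.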
Akamai’s report also found that malicious bot traffic in APJ rose 128 percent from 2022, which underscores the continued assault against financial services customers and their data. Cyber criminals use bots to amplify the scale, efficiency, and effectiveness of attacks. APJ is the second-most targeted region in the world for malicious bot requests against financial services, accounting for 39.7 percent of all malicious bot requests worldwide. Use cases include website scraping to impersonate the websites of financial services brands for phishing scams, and credential stuffing via automated injections of stolen usernames and passwords for account takeovers. This highlights that threat actors are constantly evolving their techniques and have started to focus their attacks on financial service consumers to get the most return on investment.
Other key findings of the report include:
● Web applications and APIs remain the attack vectors of choice in APJ, with the finance sector accounting for 50 percent of attacks in this category, followed by commerce (19.99 percent) and social media (8.3 percent).
● Australia, Singapore, and Japan were named the top three most targeted countries in APJ, together accounting for more than three-quarters of all web application and API attacks. As global financial hubs, it is no surprise that organizations in these countries continue to experience massive, targeted attacks.
● Local File Inclusion (LFI) remains the top attack vector, accounting for 63.2 percent of attacks – with Cross-Site Scripting (XSS) second at 21.3 percent and PHP Injection (PHPi) at 6.32 percent. LFI attacks exploit insecure coding practices or actual vulnerabilities on a web server to execute code remotely or gain access to sensitive information stored locally. Older PHP-based web servers, for example, are more vulnerable to LFI attacks because known methods exist for bypassing their input filters.
● Businesses in the financial services sector in APJ must continue to keep a lookout for additional regulatory oversight and new reporting obligations. For example, the rising use of third-party scripts can make it challenging for financial institutions to meet the requirements of the upcoming Payment Card Industry Data Security Standard (PCI DSS) v4.0 where there will be specific sections relating to client-side script visibility and management. New regulations may be increasingly enforced, and businesses must ensure they take these new compliance requirements into account or risk fines or reputational damage.
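The LFI finding above comes down to one coding defect: a request parameter is joined onto a file path and included. Because input filters on older PHP stacks are denylists that can be bypassed, the durable fix is an allow-list of logical page names plus a check that the resolved path is still under the template root, and the detection side is to look at the decoded parameter, not the raw one. The following is an added example (not Akamai's code or anything from the report) written in Python so it runs stand-alone: it shows the defective path construction, the hardened version, and a small detector run over constructed access-log lines. The template root, page names, IP addresses and log lines are all constructed.

```python
"""Local File Inclusion: the defect, the hardened version, and a log check.

Added example, not from the Akamai report. It works on path strings only, so it
runs without touching the filesystem; TEMPLATE_ROOT, ALLOWED_PAGES and LOG_LINES
are constructed.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlparse

TEMPLATE_ROOT = "/srv/app/templates"              # constructed
ALLOWED_PAGES = {"home", "login", "accounts"}     # constructed allow-list of logical page names


def vulnerable_include_path(page):
    """The defect: user input is joined straight onto the template root.

    '../' segments walk out of TEMPLATE_ROOT, and an absolute value replaces it
    entirely, because posixpath.join discards earlier parts when a later one is absolute.
    """
    return posixpath.normpath(posixpath.join(TEMPLATE_ROOT, page))


def hardened_include_path(page):
    """Allow-list the logical name, map it to a fixed file, then re-check containment.

    The allow-list alone is sufficient; the containment check is defense in depth
    against a later change that loosens the allow-list.
    """
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    path = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, page + ".html"))
    if posixpath.commonpath([TEMPLATE_ROOT, path]) != TEMPLATE_ROOT:
        raise ValueError("resolved path escapes the template root")
    return path


def normalize_param(value, rounds=3):
    """Percent-decode until stable (catches double encoding) and unify slashes."""
    decoded = value
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_lfi_pattern(decoded):
    """Traversal, absolute path or embedded NUL in a value that should be a page name."""
    return "../" in decoded or decoded.startswith("/") or "\x00" in decoded


# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def flag_lfi_attempts(log_lines, param="page"):
    """Return (client_ip, decoded_value) for each request whose `param` looks like LFI."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group(1), m.group(3)
        for raw in parse_qs(urlparse(path).query).get(param, []):
            decoded = normalize_param(raw)
            if is_lfi_pattern(decoded):
                hits.append((ip, decoded))
    return hits


# Constructed sample traffic: two normal requests, one plain and one double-encoded traversal.
LOG_LINES = [
    '203.0.113.5 - - [12/Sep/2023:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Sep/2023:10:00:02 +0000] "GET /index.php?page=accounts HTTP/1.1" 200 8230',
    '198.51.100.9 - - [12/Sep/2023:10:00:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Sep/2023:10:00:04 +0000] "GET /index.php?page=%252e%252e%252fconfig HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_include_path("../../../../etc/passwd"))
    print("hardened:  ", hardened_include_path("home"))
    print("flagged:   ", flag_lfi_attempts(LOG_LINES))
```

Two points worth noting from the output: the vulnerable resolver returns `/etc/passwd` for the traversal request even though it "starts from" the template directory, which is exactly why a denylist on the raw string is weak, and the double-encoded request is only caught because the detector decodes until the value stops changing before looking for traversal.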
“Financial services organizations in APJ must remember that cyber criminals will always try to find new and more sophisticated ways to launch their cyber attacks as the pace of innovation in this sector increases,” said Koh. “The rising popularity of financial aggregators and especially those organizations keen to adopt open banking practices will mean that the industry will begin to be even more dependent on the use of APIs and third-party scripts moving forward – expanding attack surfaces even further.”
“Financial institutions must focus on securing new digital offerings, continuously educating customers on cyber hygiene best practices, and investing in frictionless security measures for users. As regulators enforce policies to strengthen cybersecurity standards, it is also important for financial services organizations to understand and account for new compliance requirements while strengthening their security posture and cyber resilience against modern cyber threats,” he concluded.