
Enemy at the Gates: Analyzing Attacks on Financial Services


Written by

Badette Tribbey and Steve Winterfeld

November 28, 2022

Badette Tribbey


Badette is currently a senior technical writer at Akamai Technologies, where she transforms technical findings into compelling stories in threat reports and other long-form content.

Steve Winterfeld


Steve Winterfeld is Akamai's Advisory CISO. Before joining Akamai, he served as Director of Cybersecurity for Nordstrom and CISO for Nordstrom bank, and served as Director of Incident Response and Threat Intelligence at Charles Schwab. Steve focuses on ensuring that our partners are successful in defending their customers and on determining where we should be focusing our capabilities. Steve has published a book on cyber warfare and holds CISSP, ITIL, and PMP certifications.


Financial services is among the industries hit hardest by cybercrime, from the heyday of Zeus and other banking trojans to Distributed Denial-of-Service (DDoS) attacks, modern phishing attacks, and ransomware. FinServ is a vital sector that plays a major role not only in the lives of people, but also in the global economy.

Any disruption or downtime of financial services carries serious implications, and the sensitive data these organizations hold can be turned into a valuable commodity. Attackers, therefore, see FinServ as a lucrative target and launch a wide range of attacks against it, from exploits of newly discovered zero-day vulnerabilities to tried-and-true phishing attacks.

An immense surge in cyberattacks

It’s no secret, then, that cyberattackers are highly focused and motivated to attack the FinServ industry. Traditionally, the Financial Services State of the Internet (SOTI) report has picked a topic like phishing or fraud, but this time we have taken a much broader approach and covered a number of issues affecting this often-attacked industry.

This broader lens has allowed us to see the immense surge in the number of cyberattacks on the financial services industry, and the alarming speed at which attackers are leveraging newly discovered zero-day vulnerabilities. 

Customers of FinServ aren’t spared either, with a large portion of attackers choosing to forgo attacks on one of the most secure industries in the world, and instead attack their consumers en masse. 

Key points of the SOTI report 

With this enemy standing at the gate, it is important for FinServ security professionals to understand how the threat landscape is shifting. Our report includes these key points: 

  • The financial services industry consistently ranks in the top 3 targeted verticals for Web App and API, zero-day, and DDoS attacks.

  • FinServ Web App and API attacks surge 3.5x year over year, the highest growth of any major industry.

  • Within 24 hours, exploitation of newly discovered zero-days against FinServ reaches multiple thousands of attacks per hour, and peaks quickly, affording little time to patch and react.

  • A significant increase in Local File Inclusion (LFI) and Cross-Site Scripting (XSS) attacks demonstrates how attackers are shifting toward remote code execution attempts that present a larger strain on internal network security.

  • Abuse of FinServ customers is rampant, with over 80% of FinServ attackers focusing on customer accounts rather than the organizations themselves, either directly or via phishing-related activities.

  • Phishing campaigns (like Kr3pto) are introducing techniques that bypass 2FA solutions using one-time password tokens or push notifications.

Understanding an expanding threat surface

Web application and API attacks have seen a 257% increase over the past 12 months. The surge in these attacks may be attributed to several attack vectors, including LFI and XSS. This is relevant because attackers could be using such attack vectors to gain a foothold in your network or as a means of effective reconnaissance. 

This also raises the importance of securing web apps since vulnerabilities therein could be used as an entry point to breach target organizations. This can also be an important finding for teams looking to more effectively pen test their networks.

Addressing zero-day vulnerabilities

Based on our research, FinServ is one of the first and most attacked industries when new or emerging vulnerabilities (zero days) are discovered. The exploitation of new and emerging vulnerabilities can begin within 24 hours of disclosure and peak quickly, as in the case of the Confluence vulnerability (CVE-2022-26134). Therefore, it becomes a race against time to address these security flaws before attackers start exploiting them to launch attacks.

Our research also finds that DDoS continues to be a source of concern to financial services (the second most DDoSed industry globally). An effective DDoS attack causes a business to become an island cut off from the rest of the internet. Customers are unable to access accounts, and downtime, business disruption, and recovery from such attacks could mean financial loss to the organization. 

While DDoS attacks in FinServ have remained steady this year, we’ve observed a “regional shift” as the volume of DDoS attacks against the United States has lessened. Meanwhile, EMEA attack volume has increased, despite the lower overall number of targets. 

Financial services customers in the crosshairs 

An examination of attackers reveals that more than 80% of attackers are aiming their attacks at customers of financial services rather than the institutions, either directly or indirectly. This could be attributed to both account takeover (ATO) and web scraping attacks. 

Account takeover attacks are aimed directly at customers, while website scraping attacks are used primarily to create phishing scams and build kits that closely mimic websites. To further prove this point, we also see a rising amount of botnet activity (an 81% increase) due to ATO and web scraping–related attacks.

Understanding how the financial services industry is targeted, how its customers are being attacked, and with what types of attacks, can help organizations secure their data, network, and customers. We encourage you to use this information to identify areas of your program where risk should be reevaluated, or to inform your threat intel and exercise teams.

Learn more

For more information on the risk exposures of the financial services industry, read the full Financial Services SOTI report “Enemy at the Gates: Analyzing Attacks on Financial Services.”


