About 3.5 billion phishing attempts were made over 18 months (December 2017 to June 2019), and 50% of organisations impacted by the attacks were from the banking and financial services (BFSI) sector, according to cloud service provider and research firm Akamai.
Between December 2, 2018 and May 4, 2019, Akamai discovered 197,524 phishing domains, of which 66% targeted consumers directly, according to the company's 2019 State of the Internet / Security Financial Services Attack Economy report.
Phishing is an attempt to gain confidential information by disguising oneself as a trustworthy entity. Credential stuffing refers to acquiring large amounts of login data by fraudulent means and using it to gain unauthorised access to accounts via large-scale automated login requests.
As many as 50% of the attacks against consumers were carried out through BFSI portals, the study said.
“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” said Martin McKeay, security researcher at Akamai and editorial director of the State of the Internet / Security Report.
Criminals extract data from credential stuffing, which is then used to make phishing attacks much easier, McKeay added.
“One way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers,” McKeay said.
To process the data, hackers use what are known as bank drops: packages of data used to fraudulently open accounts at a given financial institution, the research found.
Bank drops typically include the victim's stolen identity, which online criminals refer to by the slang term "fullz". The details include name, address, date of birth, social security details, driver's license information and even credit scores.
About 94% of attacks against the BFSI sector are based on one of four methods: local file inclusion (LFI), cross-site scripting (XSS), SQL injection (SQLi) and OGNL Java Injection.
These four methods gained notoriety during the Apache Struts incident from April 2018, where the web application was found deeply vulnerable to remote code execution, i.e. gaining access to a device remotely.