Criminals have dedicated a good deal of energy and resources toward advancing the phishing economy.
In May 2020, there were two dates that stood out when it comes to global cybersecurity issues. On May 9, credential abuse hit a peak of 786,882,475 attacks globally. Five days later, on May 14, the financial services sector saw its own record peak — 47,698,955 attacks. Later in the year, global credential abuse spiked again, reaching a peak of 1,003,963,614 attacks.
The financial services sector also set a new record of 63,558,042 credential abuse attacks. Looking back at the year, all of these instances can be linked to events happening in the criminal economy at the time.
Millions of new usernames and passwords, tied to several notable incidents in Q1 and Q2 of 2020, as well as some in Q3, started circulating among criminals on several forums. Once these compromised credentials were in circulation, they were sorted and tested against brands across the internet, including several financial institutions.
According to Akamai’s recently released report, there were 193 billion credential stuffing attacks globally, with 3.4 billion hitting financial services organizations specifically, an increase of more than 45 per cent year-over-year in the sector.
There were also nearly 6.3 billion web application attacks in 2020, with more than 736 million targeting financial services, which represents an increase of 62 per cent from 2019.
SQL Injection (SQLi) attacks remained in the top spot across all business types globally, making up 68 per cent of all web application attacks in 2020, with Local File Inclusion (LFI) attacks coming in second at 22 per cent. However, in the financial services industry, LFI attacks were the number one web application attack type in 2020 at 52 per cent, with SQLi at 33 per cent and Cross-Site Scripting at 9 per cent.
Over the past three years (2018-2020), DDoS attacks against the financial services sector grew by 93 per cent, indicating that systemic disruption remains an objective for criminals, who target services and applications required for daily business.
Threat intelligence collaboration
For this report, Akamai partnered with threat intelligence company WMC Global. The researchers at WMC Global are experts at understanding SMS phishing (smishing) and the toolkits that criminals devise to make their attacks possible. This unique collaboration examined two specific phishing kits: ‘Kr3pto’ and ‘Ex-Robotos’.
“The ongoing, significant growth in credential stuffing attacks has a direct relationship to the state of phishing in the financial services industry,” said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report. “Criminals use a variety of methods to augment their credential collections, and phishing is one of the key tools in their arsenal. By targeting banking customers and employees in the sector, criminals increase their pool of potential victims exponentially.”
The Kr3pto phishing kit, which targets financial institutions and their customers via SMS, has been observed spoofing 11 brands in the UK, across more than 8,000 domains since May 2020. WMC Global tracked more than 4,000 campaigns linked to Kr3pto targeting victims via SMS messaging over 31 days in Q1 2021.
Ex-Robotos is a phishing kit that essentially sets a benchmark when it comes to corporate credential phishing. According to data from the Akamai Intelligent Edge Platform, there were more than 220,000 hits to the API IP address used for Ex-Robotos over a span of 43 days. In fact, traffic to that address reached a peak of tens of thousands of hits per day on average between January 31 and February 5, 2021.