A new report about online security finds that 50% of phishing domains that researchers tracked mimicked the Web sites of financial-services companies.
The findings come from the “State of the Internet/Security” report released Wednesday by Cambridge, Mass.-based Web-services provider Akamai Technologies. Forever a favorite of criminals, banks and other financial organizations have to contend with phishing—emails or links intended to fool legitimate customers into visiting dummy Web sites where fraudsters can obtain account credentials or other personal data—as well as credential stuffing, Web attacks, and password-management attempts.
But it’s phishing that’s really been active in recent months. Of the 197,524 phishing domains Akamai detected between Dec. 2, 2018, and May 4, 2019, 66% of them targeted consumers and 34% went after enterprises.
“Phishing is probably one of the biggest customer-facing problems financial-services organizations face,” says Martin McKeay, a security researcher at Akamai and the report’s editorial director, in an email to Digital Transactions News. “Because there is little control over the endpoints customers use to do their banking on, the defenses have to be on the bank’s systems. Another growing area of concern is the APIs (application programming interfaces) all organizations use to allow system-to-system communication. Many organizations haven’t recognized the vulnerability of APIs and haven’t put the same level of defense around those logins as they have customer logins.”
Phishing attacks are not to be dismissed, the report says. They can harm brand reputations and place customer identities and financial security at risk with each successful attack.
“The trend in phishing is to continue mirroring the content and appearance of the organizations they’re targeting as much as possible,” McKeay says. “This requires constant updates to the phishing kits. As defenders learn to use [domain name systems] more effectively to stop customers from visiting phishing sites, criminals are using more advanced techniques to create fake domain names to circumvent controls. It’s becoming more common to see phishing campaigns that last hours and disappear before many organizations can react, instead of days or weeks.”
Within the financial segment, Web attacks against banks accounted for 50.6% of all attacks, while cards and payments was second at 15.7%. Insurance rounded out the top three at 14.5%.
In another data point, the United States led with the most credential-stuffing attacks, followed by China, Malaysia, Brazil, and Germany in the top five. In credential stuffing, criminals pull information from a database containing valid passwords and user names and use it to try to get into consumers’ online accounts, without much operator action.
“Interestingly, the U.S. is almost always the top source and destination of attack traffic,” McKeay says. “In comparison, the Netherlands is mostly an exporter of attack traffic, while Brazilian traffic is kept internal to the country.”
No one should expect an easing of attacks, the report concludes. “The attacks on financial services are a real, constant threat, and consumers need to be just as aware of the problems as banks themselves,” McKeay says.
The report includes data from more than 230,000 servers around the world in the Akamai Intelligent Edge Platform.