The financial services sector in Asia Pacific and Japan (APJ) continues to be one of the most attacked industries in the world. It saw a 36% increase in web application and API (application programming interface) attacks from Q2 2022 to Q2 2023, amounting to over 3.7 billion attacks.
The High Stakes of Innovation: Attack Trends in Financial Services report by Akamai also reveals that Local File Inclusion (LFI) remains the top attack vector, and that 92% of attacks against APJ’s finance sector were targeted at banks. LFI attacks exploit insecure coding practices or actual vulnerabilities on a web server to execute code remotely or gain access to sensitive information stored locally. Older web servers based on PHP (Hypertext Preprocessor), for example, are more vulnerable to LFI attacks due to existing methods of bypassing its input filters.
Besides that, financial institutions should be concerned about malicious bots. APJ is the second-most targeted region for malicious bot requests against financial services, accounting for 39.7% of all malicious bot requests worldwide.
Use cases include website scraping to impersonate the websites of financial services brands for phishing scams, and credential stuffing via automated injections of stolen usernames and passwords for account takeovers. This highlights that threat actors are constantly evolving their techniques and have started to focus their attacks on financial service consumers to get the most return on investment.
The report also found that financial services organisations in APJ are using more third-party scripts as they develop more channels and better customer experiences. This can make it challenging for them to address new reporting obligations, such as meeting the requirements of the upcoming Payment Card Industry Data Security Standard (PCI DSS) v4.0 where there will be specific sections relating to client-side script visibility and management.
“Financial institutions are increasingly turning to third-party scripts to quickly add new offerings, features, and interactive experiences for customers. However, businesses usually have limited visibility into the authenticity and potential vulnerabilities of these scripts, introducing yet another layer of risk to the business. Due to this limited visibility of risky third-party scripts, threat actors now have yet another vector to launch attacks against banks and their customers,” warns Reuben Koh, Akamai’s security technology and strategy director for APJ.
See also: Tesla Cybertruck to go on tour in China to burnish tech cred
He continues: “Financial institutions must focus on securing new digital offerings, continuously educating customers on cyber hygiene best practices, and investing in frictionless security measures for users. As regulators enforce policies to strengthen cybersecurity standards, it is also important for financial services organisations to understand and account for new compliance requirements while strengthening their security posture and cyber resilience against modern cyber threats.”