Financial institutions are hot favorites among cybercriminals, with those in Asia-Pacific among the most targeted by malicious bot requests and API (application programming interface) attacks.
Malicious bot traffic in Asia-Pacific including Japan climbed 128% from last year, as hackers turned to bots for scale, efficiency, and impact. The region was the second-most targeted for malicious bot requests against financial services, accounting for 39.7% of the global total volume, according to Akamai’s latest State of the Internet report.
Such attacks include website scraping, used to clone financial services providers’ sites for phishing scams, as well as credential stuffing, in which stolen usernames and passwords are injected automatically into login forms to take over accounts.
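Credential stuffing leaves a distinctive trace in an authentication log: one client cycling through many different accounts in a short window, most attempts failing. The following detector is an added example, not code from Akamai or from the article; the log lines are constructed and the window size and thresholds are assumptions a defender would tune to their own traffic.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example (not from the Akamai report or the article). The log lines are
constructed and the detection thresholds are assumptions. A stuffing run shows
up as one client trying many *different* usernames in a short window with most
attempts failing, which separates it from ordinary users and from single-account
brute force (one username, many passwords).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <client IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 alice FAIL
2024-05-01T10:00:03Z 203.0.113.10 bob FAIL
2024-05-01T10:00:05Z 203.0.113.10 carol FAIL
2024-05-01T10:00:07Z 203.0.113.10 dave FAIL
2024-05-01T10:00:09Z 203.0.113.10 erin OK
2024-05-01T10:00:11Z 203.0.113.10 frank FAIL
2024-05-01T10:00:13Z 203.0.113.10 grace FAIL
2024-05-01T10:00:15Z 203.0.113.10 heidi FAIL
2024-05-01T10:00:02Z 198.51.100.7 bob FAIL
2024-05-01T10:00:04Z 198.51.100.7 bob FAIL
2024-05-01T10:00:06Z 198.51.100.7 bob FAIL
2024-05-01T10:00:08Z 198.51.100.7 bob FAIL
2024-05-01T10:00:10Z 198.51.100.7 bob FAIL
2024-05-01T10:00:12Z 198.51.100.7 bob FAIL
2024-05-01T10:00:20Z 192.0.2.5 alice OK
2024-05-01T10:05:00Z 192.0.2.5 alice FAIL
2024-05-01T10:05:10Z 192.0.2.5 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return (timestamp, ip, user, outcome) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome))
    return events


def find_stuffing_sources(events, window_seconds=60, min_users=5, min_fail_ratio=0.8):
    """Sliding time window per source IP. An IP is flagged when some window
    covers >= min_users distinct accounts with a failure ratio >= min_fail_ratio;
    the stats of its widest qualifying window are returned."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        left = 0
        best = None
        for right in range(len(evs)):
            while (evs[right][0] - evs[left][0]).total_seconds() > window_seconds:
                left += 1
            window = evs[left:right + 1]
            users = {e[2] for e in window}
            fails = sum(1 for e in window if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                stats = {"distinct_users": len(users), "attempts": len(window), "failures": fails}
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best:
            flagged[ip] = best
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: the likely
    takeovers whose sessions should be revoked and passwords reset."""
    return sorted({e[2] for e in events if e[1] in flagged and e[3] == "OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print(hits)
    print("reset:", accounts_to_reset(evs, hits))
```

The single-account brute force from 198.51.100.7 is deliberately not flagged here: it is a different pattern with a different response (account lockout, not a source block), and mixing the two inflates false positives. The one successful login inside the stuffing run is the account worth acting on first.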
Asia-Pacific Japan also saw a 36% increase in web application and API attacks, clocking more than 3.7 billion attacks over the past year. Local file inclusion, where vulnerabilities in web servers or applications are exploited to gain access to files stored locally, remains the top attack vector, accounting for 63.2% of all attacks. Cross-site scripting was the second-most popular vector, accounting for 21.3% of all attacks, followed by PHP injection at 6.32%.
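Local file inclusion typically comes down to a server building a filesystem path from a request parameter without confining the result. The resolver pair below is an added example, not code from Akamai or from the article: the naive version shows how `../` sequences and absolute paths escape the intended directory, and the hardened version shows the checks a defender wants (canonicalise, confine to the base directory, allow-list extensions). `BASE_DIR` and the allowed suffixes are assumptions.

```python
"""Path resolution with and without local-file-inclusion protection.

Added example (not from the Akamai report or the article). BASE_DIR and the
allow-listed suffixes are assumptions; the request strings are constructed.
"""
import os
from pathlib import Path

BASE_DIR = "/srv/app/pages"  # assumed document root for user-selectable pages


def vulnerable_resolve(base_dir, requested):
    """Naive join: "../" walks out of base_dir, and an absolute 'requested'
    makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir, requested, allowed_suffixes=(".html", ".txt")):
    """Return a Path inside base_dir, or None if the request must be refused.

    Order matters: reject absolute paths and NUL bytes before touching the
    filesystem, then canonicalise both sides (resolve() follows symlinks and
    collapses '..') and require the candidate to sit under the base.
    """
    if Path(requested).is_absolute() or "\x00" in requested:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        return None
    if candidate.suffix not in allowed_suffixes:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("about.html", "sub/../about.html", "../../../etc/passwd",
                "/etc/passwd", "about.php", "about.html\x00.php"):
        print(repr(req), "->", os.path.normpath(vulnerable_resolve(BASE_DIR, req)),
              "| safe:", safe_resolve(BASE_DIR, req))
```

The allow-list on suffixes is the second line of defence: even a request that stays under the base directory should not be able to pull in source files, configuration, or uploaded content that was never meant to be served as a page.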
The Akamai report noted that 92.3% of attacks against the region’s financial sector were directed toward banks.
The sector also bore half of all web application and API attacks in Asia-Pacific Japan, followed by the commerce sector at 19.99% and social media at 8.3%.
Global financial hubs Australia, Singapore, and Japan were the top three most targeted countries in the region, collectively taking on more than three-quarters of all web application and API attacks.
Akamai noted that financial services institutions will face increasing risks as they expand their digital footprint to gain competitive ground and reach more customers. As it is, 40% of scripts used by these organizations are third-party in nature, as they work to develop more channels and improve customer experience.
“[The region’s] financial services sector is one of the most innovative and competitive in the world, [with] financial institutions increasingly turning to third-party scripts to quickly add new offerings, features, and interactive experiences for customers,” said Reuben Koh, Akamai’s Asia-Pacific Japan security technology and strategy director.
“However, businesses usually have limited visibility into the authenticity and potential vulnerabilities of these scripts, introducing yet another layer of risk to the business,” Koh said. “Due to this limited visibility of risky third-party scripts, threat actors now have yet another vector to launch attacks against banks and their customers.”
He noted that with the growing popularity of financial aggregators and companies adopting open banking practices, the sector will be increasingly dependent on the use of APIs and third-party scripts. This will further widen attack surfaces, he cautioned.
“Financial institutions must focus on securing new digital offerings, continuously educating customers on cyber hygiene best practices, and investing in frictionless security measures for users,” he added. “As regulators enforce policies to strengthen cybersecurity standards, it is also important for financial services organizations to understand and account for new compliance requirements while strengthening their security posture and cyber resilience against modern cyber threats.”
Singapore is among the regulators that have taken steps to beef up the digital defense of critical information infrastructures, including the financial sector. It introduced security measures over the past year, following a series of phishing SMS scams that had wiped out victims’ life savings.
Such measures included the need for SMS service providers to check against a registry before sending through messages and for banks to provide a “kill switch”, allowing customers to quickly suspend their accounts should they suspect a security breach.
More Singapore banks roll out anti-malware feature
More recently, Singapore banks began introducing an anti-malware feature that locks out account access if mobile apps downloaded from unofficial app stores are detected on the user’s device. OCBC, which was involved in the phishing scams, was the first to launch the feature last month, but took on some backlash when customers found themselves unable to access their accounts despite only having downloaded legitimate apps onto their devices.
Two other local banks — DBS and UOB — this week followed suit, rolling out the anti-malware security feature, restricting customers’ access to their respective banking apps if apps from third-party and unauthorized sites are detected. Permission settings deemed “risky” that have been enabled on the user’s device also will result in restricted access.
In all cases, customers will have to disable such permission settings or uninstall apps identified as unauthorized before they can access their bank’s app or digital services.
In a note to its customers on the new security measures, UOB said: “We will be restricting access to UOB TMRW app when screen-sharing or when mobile apps with risky permissions are detected, as this may compromise your banking and personal information…These security measures are necessary to protect you from exposure to malware scams. We value your privacy. You can be assured these new features do not monitor your phone activity, collect or store any personal data.”
If unauthorized apps are detected, an error screen will pop up on UOB customers’ devices, highlighting the name of the app, and the session will be terminated. An error message also will be displayed if external apps or tools are detected attempting to access the bank’s app. Users will have to stop screen-sharing on the other app or tool, in order to continue using the UOB app.