Cybercriminals are changing how they target financial institutions this holiday season: some 80% of them are going after vulnerable customers rather than the institutions themselves.

A new report from Akamai also found a massive 257% increase in the number of web applications and API attacks against the financial services sector in the past year.

Other important findings include:

  • Customer account takeover attempts represent more than 40% of attack types, with another 40% focusing on website scraping used to create more convincing phishing scams.
  • Within a 24-hour span, exploitation of newly discovered zero-day vulnerabilities against financial services reaches multiple thousands of attacks per hour and peaks quickly — affording little time to patch and react.
  • Phishing campaigns against financial services customers are introducing techniques that bypass two-factor authentication solutions and increase risk for everyday customers.

Steve Winterfeld, advisory CISO at Akamai, said the shift to attacking APIs means that security teams must focus on testing and close monitoring, adding that in some cases that may require new capabilities or skill sets.

“During high traffic times often driven by holidays we will see increases in attacks trying to hide in the increased volume, Winterfeld said. “The insights on customer-focused attacks also provides companies with critical information on where they need to reevaluate how they are categorizing attacks and tracking fraud trends. Fraud prevention is moving into cybersecurity where it can be prevented at the edge."

Teresa Walsh, global head of intelligence for the Financial Services Information Sharing and Analysis Center added that the data in Akamai’s report underscores the harsh realities security professionals in the financial services industry face every day.

“With next-generation technology amplifying attack volume and sophistication for financial services organizations, sharing threat intelligence and security best practices is especially critical to protecting the sector and its customers,” Walsh said.

Scott Gerlach, co-founder and chief security officer at StackHawk, said threat actors will go after anything that can gain them assets, such as money, information, or fame — subsequently, banking customers and their personal assets fall under that category. Gerlach said many organizations are still taking API security into consideration too late after the API has been shipped to production or they are using legacy security tooling that isn't built to test APIs thoroughly.

“Both methods leave vulnerabilities undiscovered and create gaps in protection— and that's exactly what threat actors are looking for,” said Gerlach. “Organizations have to scale API security practices along with the increase in API usage. That means security and engineering teams partnering early in the software development lifecycle to understand what APIs are being developed, what data they handle, and how to best test the APIs for potential security issues early and often.”

David Maynor, senior director of threat intelligence at Cybrary, said Akamai’s findings align with what he has seen in the wild. Maynor said the surge in attacks shows that the threat actors targeting FinServ know the huge windfall they will have if they are successful.

“This also says to me personally that the attackers have selected their victims and are trying to find tools and attacks to penetrate the victim,” Maynor said. “This targeting pattern is rare and the reverse of what’s generally observed: lazy attackers using a tool or exploit they have to compromise victims opportunistically.”