Akamai report: The financial services industry in Asia Pacific and Japan has suffered more than 3.7 billion attacks, making it the most attacked industry

Akamai report: Financial services industry in Asia Pacific and Japan suffered more than 3.7 billion attacks, still the most attacked industry

As financial institutions in Asia Pacific and Japan expand and accelerate digital innovation, the number of web application and API attacks against these institutions increased by 36%

October 11, 2023 – Akamai Technologies, Inc. (hereinafter referred to as: Akamai), a cloud service provider responsible for supporting and protecting online life, recently released a new issue of the "State of the Internet" report. The title is “Innovation at High Risk: Attack Trends in the Financial Services Industry.” The report highlights the following: The financial services industry in Asia Pacific and Japan remains one of the most attacked industries globally , with the number of web application and API attacks increasing by 36% between Q2 2022 and Q2 2023. %, with a total of more than 3.7 billion times. In addition, the report also found that local file inclusion (LFI) remains the most dominant attack vector, and 92.3% of attacks against the financial industry in Asia Pacific and Japan targeted banks, posing a serious threat to financial institutions and their customers. Huge threat.

As financial services companies in Asia Pacific and Japan open up more channels and provide better customer experiences, they are using more and more third-party scripts, accounting for 40% of the total scripts used. These data points illustrate that as businesses, especially banks and consumer-focused institutions, continue to expand their digital footprints to reach more customers and gain a competitive advantage, they face serious risks.

Reuben Koh, director of security technology and strategy for Asia Pacific and Japan at Akamai, said: "The financial services industry in Asia Pacific and Japan is one of the most innovative and competitive industries in the world. Financial institutions are increasingly turning to third-party scripts , in order to quickly add new products, features and interactive experiences to customers. However, companies often have limited monitoring capabilities and cannot identify the authenticity of these scripts and whether there are potential vulnerabilities, thus creating another layer of risk for the company. "With limited detection capabilities for risky third-party scripts, attackers now have another vector to exploit against banks and their customers."

Akamai's report also found that malicious bot traffic in Asia Pacific and Japan has increased by 128% since 2022, highlighting the continued attacks on customers and their data in the financial services industry. Cybercriminals use bots to increase the scale, efficiency and effectiveness of their attacks. Globally, the Asia-Pacific region and Japan are the second largest attack target regions for malicious bot requests targeting the financial services industry, accounting for 39.7% of all malicious bot requests worldwide. Use cases include scraping website content to impersonate a website branded in the financial services industry to conduct phishing scams, and conducting credential stuffing attacks by automatically injecting stolen usernames and passwords to achieve account takeovers. This shows that attackers are constantly evolving their techniques and are beginning to focus on attacking financial services consumers to gain the greatest return on investment.

Other key findings from the report include:

● Web applications and APIs continue to be the preferred attack vector for attackers in Asia Pacific and Japan. The financial industry accounts for 50% of such attacks, followed by business (19.99%) and social media (8.3 %). 

● Australia, Singapore and Japan are the three most attacked countries in the APJ region, accounting for more than three-quarters of all web application and API attacks. As global financial centers, it is no surprise that businesses in these countries continue to be targeted by large-scale targeted attacks.

● Local file inclusion (LFI) is still the main attack vector, accounting for 63.2% of all attacks, while cross-site scripting (XSS) and PHP injection (PHPi) are ranked second and third, accounting for 21.3% respectively. % and 6.32%. In an LFI attack, an attacker exploits insecure coding practices or actual vulnerabilities on a web server to remotely execute code or access locally stored sensitive information. For example, older PHP-based web servers are more vulnerable to LFI attacks because of existing methods that bypass their input filters. 

● Companies in the financial services industry in Asia Pacific and Japan must continue to be aware of additional regulatory oversight and new reporting obligations. For example, the increasing use of third-party scripts may make it difficult for financial institutions to comply with the requirements of the upcoming Payment Card Industry Data Security Standard (PCI DSS) v4.0, which will include client-side script monitoring capabilities and management Relevant specific content. Regulators are likely to increasingly enforce new regulations, so businesses must ensure they take these new compliance requirements into account or risk fines or reputational damage.

Koh said: “Financial services companies in Asia Pacific and Japan must remember that as the pace of innovation in the industry accelerates, cybercriminals are always trying to find new and more sophisticated ways to launch cyber attacks. Financial services aggregators and those who The growing number of businesses eager to adopt open banking practices means that future growth in the industry will be even more reliant on the use of APIs and third-party scripts, which will lead to a further expansion of the attack surface."

He concluded: “Financial institutions must focus on protecting new digital products, continuously educate customers on cybersecurity best practices, and invest in smooth user-facing security measures. As regulators implement various policies to strengthen Cybersecurity standards, financial services businesses must also understand and consider new compliance requirements while strengthening their security posture and cyber resilience against modern cyber threats.”