Akamai Report: Financial Services in Asia Pacific and Japan Suffered Over 3.7 Billion Attacks, Remains the Most Attacked Industry

Publisher: EE小广播 | Latest update time: 2023-10-11 | Source: EEWORLD

Web application and API attacks against financial institutions in Asia Pacific and Japan increased 36% as they expanded and accelerated digital innovation


October 11, 2023 – Akamai Technologies, Inc. (Akamai), a cloud service provider responsible for supporting and protecting online life, recently released a new issue of the "State of the Internet" report, titled "Innovation Meets High Risk: Attack Trends in the Financial Services Industry." The report highlights the following: the financial services industry in Asia Pacific and Japan remains one of the most attacked industries in the world, with the number of web application and API attacks from Q2 2022 to Q2 2023 increasing by 36% to a total of more than 3.7 billion. In addition, the report found that local file inclusion (LFI) remains the top attack vector, and 92.3% of attacks on the financial industry in Asia Pacific and Japan target banks, posing a huge threat to financial institutions and their customers.


As financial services firms in Asia Pacific and Japan expand into more channels and provide better customer experiences, their use of third-party scripts is increasing, reaching 40% of the total scripts used. These data points indicate that as businesses, especially banks and consumer-centric institutions, continue to expand their digital footprint to reach more customers and gain competitive advantage, they are also facing serious risks.


“The financial services industry in APJ is one of the most innovative and competitive in the world,” said Reuben Koh, Director of Security Technology and Strategy, APJ, Akamai. “Financial institutions are increasingly turning to third-party scripts to quickly add new products, features, and interactive experiences for their customers. However, organizations often have limited monitoring capabilities to identify the authenticity of these scripts and potential vulnerabilities, which introduces another layer of risk. With limited monitoring capabilities for risky third-party scripts, attackers now have another vector to exploit against banks and their customers.”


Akamai's report also found that malicious bot traffic in APJ has increased by 128% since 2022, highlighting the continued attacks on financial services customers and their data. Cybercriminals use bots to increase the scale, efficiency, and effectiveness of their attacks. Globally, APJ is the second-most targeted region for malicious bot requests targeting the financial services industry, accounting for 39.7% of all malicious bot requests worldwide. Attackers use these bots to scrape website content in order to impersonate financial services brand websites for phishing scams, and to run credential stuffing attacks that achieve account takeover by automatically injecting stolen usernames and passwords. This shows that attackers are constantly evolving their techniques and starting to focus on attacking financial services consumers to get the greatest return on their investment.


Other key findings from the report include:


● Web applications and APIs continue to be the top attack vector for attackers in Asia Pacific and Japan, with the financial sector experiencing 50% of such attacks, followed by business (19.99%) and social media (8.3%).


● Australia, Singapore, and Japan are the three most attacked countries in APJ, collectively accounting for more than three-quarters of all web application and API attacks. As global financial centers, it is no surprise that businesses in these countries continue to be subject to large-scale targeted attacks.


● Local File Inclusion (LFI) remains the leading attack vector, accounting for 63.2% of all attacks, while Cross-Site Scripting (XSS) and PHP Injection (PHPi) rank second and third, accounting for 21.3% and 6.32%, respectively. In an LFI attack, an attacker exploits insecure coding practices or actual vulnerabilities on a web server to remotely execute code or access sensitive information stored locally. For example, older PHP-based web servers are more vulnerable to LFI attacks because there are existing methods to bypass their input filters.


● Businesses in the financial services industry in Asia Pacific and Japan must continue to be mindful of additional regulatory oversight and new reporting obligations. For example, the growing use of third-party scripts may make it difficult for financial institutions to comply with the upcoming Payment Card Industry Data Security Standard (PCI DSS) v4.0, which will include specific content related to client-side script monitoring capabilities and management. Regulators may become increasingly aggressive in enforcing new regulations, so businesses must ensure that they account for these new compliance requirements or face fines or reputational damage.


“Financial services businesses in APJ must keep in mind that as the pace of innovation in the industry accelerates, cybercriminals are always trying to find new and more sophisticated ways to launch cyberattacks,” said Koh. “The growing number of financial services aggregators and businesses eager to adopt open banking practices means that the industry’s future development will rely more heavily on the use of APIs and third-party scripts, which will further expand the attack surface.”


He concluded: “Financial institutions must focus on protecting new digital products, continuously educate customers on cybersecurity best practices, and invest in frictionless security measures for users. As regulators implement policies to strengthen cybersecurity standards, financial services firms must also understand and consider new compliance requirements while strengthening their security posture and cyber resilience against modern cyber threats.”

