Akamai Technologies‘ research highlights a troubling trend: Cybercriminals are targeting application programming interfaces (APIs) at financial services firms. In the “Akamai 2020 State of the Internet Security” report, the company said up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly.

In API targeting, Akamai said in an email, criminals use bots and tools that allow threading, or multiple simultaneous connections, to attempt multiple logins at once. By targeting the APIs, they hope to avoid some front-end defenses and speed up their validation times.

The research findings reveal that from May 2019 until the end of the year, there was a dramatic shift toward criminals targeting APIs.

From December 2017 through November 2019, Akamai observed 85.42 billion credential abuse attacks. Nearly 20%, or 16.55 billion, were against hostnames that were clearly identified as API endpoints. Of these, 473.5 million attacked organizations in the financial services industry.

Credential abuse attacks start when criminals take lists of usernames/passwords, called combo lists, and attempt to log into services and platforms of all kinds. The attacks are conducted via bot or all-in-one applications and are designed to mimic a person logging into a given service or platform — much as a server would view you logging into your email account or bank. The goal of these attacks is fraud and account takeover. Sometimes they are used to steal information, and they can also be used to commit financial fraud.

But not all attacks were exclusively API-focused. On August 7, 2019, Akamai recorded the single largest credential stuffing attack against a financial services firm in its records. The attack consisted of 55.1 million malicious login attempts and used a mix of API targeting and other methodologies. On August 25, in a separate incident, the criminals targeted APIs directly in a run that consisted of more than 19 million credential abuse attacks.

Steve Ragan, Akamai security researcher and principal author of the 2020 report, said in a statement that criminals are getting more creative in obtaining access to the information they need. He said criminals targeting the financial services industry pay close attention to the defenses used by these organizations and adjust their attack patterns accordingly. They’re also willing to adapt, which is why API attacks have grown by 75% over recent months, why local file inclusion (LFI) became the top web attack method, and why more than 40% of the unique distributed denial of service (DDoS) attacks observed in the report were against financial services.

Indicative of this fluid attack dynamic, the report shows that criminals continue to employ a number of methods in order to gain a stronger foothold on the server and ultimately achieve success.

SQL Injection (SQLi) accounted for more than 72% of total attacks when looking at all verticals during the 24-month period observed by the report. That rate is halved to 36% when looking at financial services attacks alone. The top attack type against the financial services sector was LFI, with 47% of observed traffic.

LFI attacks exploit various scripts running on servers, and these types of attacks can consequently be used to force sensitive information disclosure. LFI attacks can also be leveraged for client-side command execution (such as a vulnerable JavaScript file), which could lead to Cross-Site Scripting (XSS) and DDoS attacks. XSS was the third-most common type of attack against financial services, with a recorded 50.7 million attacks, or 7.7% of the observed attack traffic.

The report also shows that criminals continue to leverage DDoS attacks as a core component of their arsenal, particularly in targeting financial services organizations. Akamai’s observations from November 2017 to October 2019 show the financial services industry ranking third in attack volume, with gaming and high tech segments the most common targets. However, more than 40% of the unique DDoS targets were in the financial services industry, which makes this sector the top target when considering unique victims.

“Security teams need to constantly consider policies, procedures, workflows, and business needs — all while fighting off attackers that are often well organized and well-funded,” Ragan said. “Our data shows that financial services organizations are constantly improving by adopting fluid security postures, forcing criminals to change their tactics.”