Akamai Security Report: Using Your Data Against You

• Attackers collating stolen personal data for credential stuffing & bank drops
• Significant number of 58 billion malicious login attempts originate from SEA

Attackers are now using a variety of strategies to leverage stolen personal data to compromise finance and banking services on the Internet. These include trying to identify potential passwords based on a user’s history, and using stolen identities to open bank accounts. Perhaps surprisingly, a significant number of these attacks originate from Southeast Asia.

This was among the findings of Akamai's 2019 Security Financial Services Attack Economy Report, using data gathered from the Akamai Intelligent Edge Platform between 1 Nov 2017 and 30 April 2019. The report also notes that alerts generated and attempts detected do not necessarily imply a successful compromise.

Nevertheless, the report comes to several conclusions, including that about half of all phishing attacks targeted at individuals are from the financial services sector. Successful phishing attacks result in data collected by the attackers that can be used further follow-up attacks.

"We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers," said Martin McKeay, Security Researcher at Akamai and Editorial Director of the State of the Internet / Security Report.

"Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create.”

Credential stuffing takes advantage of password reuse

Credential stuffing is when an attacker attempts to gain illicit access to an individual’s account by using lists of usernames, emails and passwords of the same individual obtained from other sources. These efforts bring dividends because users tend to reuse passwords on different accounts.

Akamai's report states that nearly 58 billion malicious login attempts were observed over the 18-month period of study, including more than 3.5 billion targeted against financial services organizations.

A worrying development is that credential stuffing attacks are beginning to leverage permutations, effectively guessing new passwords based on patterns seen in older ones. In a given example, if a compromised password is "Scott123", a permuted list will include "scott123", "Scott321" and "Scott1234".

Credential stuffing is popular in part because it’s so cheap for attackers to engage in. The report states that a list of 50,000 emails and passwords can be bought for around US$5.50. Meanwhile, software used to automate credit stuffing is available for very cheap (about US$20), and can be customised for individual targets.

Bank drops create fake bank accounts for cash out purposes

Another way stolen personal data is used is through the implementation of "bank drops". These are accounts under the guise of some other person which are used to funnel illegally-gotten gains into, and then subsequently cash out.

Such data and services are offered over the dark web as packages and can be relatively sophisticated. For example, for US$150 per account, you can get a username, password, security questions and answers, account numbers and a VoIP or SIM Card that can be used to receive SMS for verification.

More expensive options may include a mail drop where bank cards can be delivered, or a detailed identity kit including previous employment records, and information of the person's relatives for verification purposes.

Southeast Asia a launchpad for malicious logins

What may be surprising to many is that Southeast Asian countries represent a significant source of malicious login attempts (including credit stuffing attacks).

Thailand, Indonesia, Vietnam, Malaysian and Singapore all feature in the top 20 source countries from where malicious logins originate, while Malaysia is third highest when looking at attacks against financial services in particular.

This is consistent with Akamai’s 2018 report which identified Indonesia as one of the three markets with major sources of credential abuse for the hospitality industry, while Singapore was on of the top five countries in the Asia Pacific region with the largest source of web application attacks. (This year, Singapore ranks third in Asia Pacific as a source of web application attacks, and 15th in the world.)

It is also consistent with a 2016 report by Cisco and AT Kearney that stated that “ASEAN countries are being used as launchpads for cyberattacks”, while highlighting that Malaysia had over 3.5 more suspicious web activity than would be expected for its size.

The global nature of these cyberattacks underline the seriousness for all companies across the world. “Every organization should be paying attention to the attacks targeting financial services systems,” said McKeay. “Like many of the warnings we see in security, it’s not a matter of if your data and systems are going to be targeted, it’s a matter of when.”