Akamai Report: Financial Services in Asia Pacific and Japan Suffered Over 3.7 Billion Attacks, Remains the Most Attacked Industry

October 11, 2023 – Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud services provider responsible for supporting and protecting online life, recently released the latest edition of its "State of the Internet" report, titled "Innovation Meets High Risk: Attack Trends in the Financial Services Industry." According to the report, the financial services industry in Asia Pacific and Japan remains one of the most attacked industries in the world, with the number of web application and API attacks increasing by 36% from Q2 2022 to Q2 2023, to a total of more than 3.7 billion. The report also found that local file inclusion (LFI) remains the top attack vector, and that 92.3% of attacks on the financial industry in Asia Pacific and Japan target banks, posing a huge threat to financial institutions and their customers.

As financial services firms in Asia Pacific and Japan expand into more channels and provide better customer experiences, their use of third-party scripts is increasing, reaching 40% of the total scripts used. These data points indicate that as businesses, especially banks and consumer-centric institutions, continue to expand their digital footprint to reach more customers and gain competitive advantage, they also face serious risks.

“The financial services industry in APJ is one of the most innovative and competitive in the world,” said Reuben Koh, Director of Security Technology and Strategy, APJ, Akamai. “Financial institutions are increasingly turning to third-party scripts to quickly add new products, features, and interactive experiences for their customers. However, organizations often have limited monitoring capabilities to identify the authenticity of these scripts and potential vulnerabilities, which introduces another layer of risk. With limited monitoring capabilities for risky third-party scripts, attackers now have another vector to exploit to attack banks and their customers.”

Akamai's report also found that malicious bot traffic in Asia Pacific and Japan has increased by 128% since 2022, highlighting the continued attacks on financial services customers and their data. Cybercriminals use bots to increase the scale, efficiency, and effectiveness of their attacks. Globally, Asia Pacific and Japan is the second largest target region for malicious bot requests against the financial services industry, accounting for 39.7% of all malicious bot requests worldwide. Use cases include scraping website content to impersonate financial services brand websites in phishing scams, and credential stuffing, in which stolen usernames and passwords are injected automatically to achieve account takeover. This shows that attackers are constantly evolving their techniques and are beginning to focus on attacking consumers in the financial services industry to obtain the greatest return on investment.

Other key findings from the report include:

Web applications and APIs continue to be the top attack vector for attackers in APJ, with the financial sector accounting for 50% of attacks, followed by business (19.99%) and social media (8.3%).

Australia, Singapore, and Japan are the three most attacked countries in the APJ region, collectively accounting for more than three-quarters of all web application and API attacks. As these countries are global financial hubs, it’s no surprise that businesses there continue to be subject to large-scale targeted attacks.

Local file inclusion (LFI) remains the leading attack vector, accounting for 63.2% of all attacks, while cross-site scripting (XSS) and PHP injection (PHPi) rank second and third, accounting for 21.3% and 6.32% respectively. In an LFI attack, attackers exploit unsafe coding practices or actual vulnerabilities on a web server to remotely execute code or access sensitive information stored locally. For example, older PHP-based web servers are more vulnerable to LFI attacks because there are existing methods to bypass their input filters.

Businesses in the financial services industry in Asia Pacific and Japan must continue to be mindful of additional regulatory oversight and new reporting obligations. For example, the growing use of third-party scripts may make it difficult for financial institutions to comply with the upcoming Payment Card Industry Data Security Standard (PCI DSS) v4.0, which will include specific provisions on client-side script monitoring and management. Regulators may become increasingly aggressive in enforcing new regulations, so businesses must take these new compliance requirements into account or face fines or reputational damage.

“Financial services businesses in APJ must keep in mind that as the pace of innovation in the industry accelerates, cybercriminals are always trying to find new and more sophisticated ways to launch cyberattacks,” said Koh. “The growing number of financial services aggregators and businesses eager to adopt open banking practices means that the industry’s future development will rely more heavily on the use of APIs and third-party scripts, which will further expand the attack surface.”

He concluded: “Financial institutions must focus on protecting new digital products, continuously educate customers on cybersecurity best practices, and invest in frictionless security measures for users. As regulators implement policies to strengthen cybersecurity standards, financial services firms must also understand and consider new compliance requirements while strengthening their security posture and cyber resilience against modern cyber threats.”
