• Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts Tagged :

F5 Labs

Financial services organisations ‘increasingly prone to authentication and DDoS attacks’

960 640 Stuart O'Brien

Financial services organisations have experienced a significant increase in the number of authentication and distributed denial of service (DDoS) attacks over the past three years.

That’s according to research from F5 Labs, which says the opposite was true of web attacks, which were notably down during the same period.

The analysis, which examined customer security incident response (SIRT) data from 2017-2019, covered banks, credit unions, brokers, insurance, and the wide range of organisations that serve them, such as payment processors and financial Software as a Service (SaaS).

On average, brute force and credential stuffing constituted 41% of all attacks on financial services organisations over the full three-year period. The percentage of attacks grew from 37% in 2017 to a high point of 42% in 2019.

Brute force attacks involve a bad actor attempting large volumes of usernames and passwords against an authentication endpoint. Other forms of brute force attacks simply use common lists of default credential pairs (for example, admin/admin), commonly used passwords, or even randomly generated password strings.

Occasionally, brute force attacks leverage credentials that have been obtained from other breaches. These are then used to target the service in an attack known as “credential stuffing.” 

Delving deeper, F5’s SIRT team found that there were clear regional variations in attack trends. In EMEA, brute force and credential stuffing attacks only amounted to 20% of the total, which is higher than the 15% observed in Asia Pacific but significantly lower than North America’s 64%. The latter is likely driven by a large volume of existing breached credentials.

“The first indications of an authentication attack are often customer complaints about account lockouts, rather than any sort of automated detection,” said Raymond Pompon, Director at F5 Labs.

“Early detection is key. If defenders can identify an increase in failed login attempts over a short period of time, it gives them a window of opportunity to act before customers are affected.”

DDoS attacks were the second biggest threat to financial services organisations, accounting for 32% of all reported incidents between 2017 and 2019. It is also the fastest growing threat. In 2017, 26% of attacks on financial services organisations focused on DDoS.  The figure soared to 42% in 2019.

Yet again there were distinct regional variations. 50% of all attacks reported in EMEA over the three-year period were DDoS-related. Asia Pacific was similarly affected with 55%, but the volume dropped to 22% in North America.

According to F5 Labs, denial-of-service attacks against financial service providers usually target either the core services used by customers (such as DNS) or the applications that allow users to access online services (i.e. viewing bills or applying for loans). Attacks are often sourced from all over the world, likely via the use of large botnets that are either rented out by attackers, or purpose-built from compromised machines.

“The ability to quickly identify the characteristics of traffic when under attack conditions is critically important. It is also vital to quickly enable in-depth logging for application services in order to identify unusual queries,” Pompon explained.

While authentication and DDoS attacks continue to spread, there was also a concurrent dip drop in web attacks against financial services organisations. In 2017 and 2018, they accounted for 11% of all incidents. In 2019, it was just 4%. 

“While it is difficult to determine causality, one likely factor driving this trend is the growing sophistication of properly implemented technical controls such as web application firewalls (WAFs),” said Pompon.

F5 Labs’ 2018 Application Protection Report found that a greater proportion of financial organisations tend to deploy WAFs (31%) than the average across all industries (26%).

Most of the web attacks recorded by the F5 SIRT centred on APIs, including those related to mobile authentication portals and Open Financial Exchange (OFX). Web scraping –copying content for the purpose of creating realistic phishing pages – was also in evidence. 

F5 Labs suggests that web attacks against financial services targets tend to be more persistent compared to other sectors – partly due to the cybercriminals’ precise targeting and the potential high value of success.

F5 Labs’ analysis concludes that, although the financial services industry tends to require less convincing about the merits of substantive security programs, there is no room for complacency.

“Despite the valuable assets at stake, it can still be a challenge to convince some organisations of the need for multifactor authentication, which probably represents the most impactful way to prevent nearly all access-style attacks like brute force, credential stuffing, and phishing,” said Pompon.

“Having said that, there is still a lot that can be done. On the preventative side this includes hardening APIs and implementing a vulnerability management program that features external scanning and regular patching. On the detective side, it is critical to continually monitor traffic for traces of brute force and credential stuffing. As ever, it is essential to develop, and regularly practice, procedures for incident response that address all risks.”

Vigilance urged for EMEA businesses as phishing season begins

960 640 Stuart O'Brien

Businesses in EMEA are being urged to remain vigilant as phishing attacks ramp up during the winter months.

F5 Labs, in collaboration with Webroot, has launched its second annual Phishing and Fraud report, highlighting an anticipated threat surge from October until January.

According the report, fraud incidents in October, November, and December tend to jump over 50% compared to the annual average.

Indicative of the scale of the problem, 75,6% of all websites taken offline by the F5 SOC platform between January 2014 and the end of 2017 were related to phishing attacks. This is followed by malicious scripts (11.3%) and URL redirects (5.2%), which are also used in conjunction with phishing operations. Mobile phishing (2%) was also identified as a growing issue.

“We’re in the middle of a cyber-crimewave where phishers and fraudsters take advantage of people at their most distracted,” said David Warburton, Senior EMEA Threat Research Evangelist, F5 Networks.

“It is prime season for individuals giving up credentials or inadvertently installing malware. Businesses are wrapping up end-of-year activities, key staff are on vacation, and record numbers of online holiday shoppers are searching for the best deals, looking for last-minute credit or feeling generous when charities come calling.”

Although phishing targets vary based on the nature of the scam, a remarkable 71% of attackers’ efforts from 1 September to 31 October 2018 focused on impersonating just ten organisations.

Technology companies were most mimicked (70% of incidents), with 58% of phishers’ time spent posing as big hitters like Microsoft, Google, Facebook, Apple, Adobe, Dropbox, and DocuSign during the monitored period.

The finance sector was also under fire. 13 of the top 20 fastest growing targets were financial organisations. Banks accounted for 55% of these, five of which were major European entities.

Notably, some of the most successful malware programs started out as banking malware. For example, Trickbot, Zeus, Dyre, Neverquest, Gozi, GozNym, Dridex, and Gootkit are all banking trojans known to have spread initially through phishing campaigns.

The Phishing and Fraud report stresses that the best first line of defence is a consistent education programme and creating a culture of curiosity. Tests by Webroot show that security awareness training can have a particularly ameliorative effect.

Companies that ran 11 or more training campaigns reduced employee phishing click-through rates to 13%. Six to ten sessions saw a 28% click-through rate, rising to 33% with one to five employee engagements.

In addition to awareness-raising, F5 Labs stresses the importance of organisations implementing access control protections, including multi-factor authentication and credential stuffing controls, to prevent phished credentials becoming a breach. Other report recommendations include the following defensive tactics:

  • Email labeling. Clearly label all mail from external sources to prevent spoofing. A simple, specially formatted message can alert users to be on guard.
  • Anti-virus (AV) software. AV software is a critical tool to implement on every system a user has access to. In most cases, up-to-date AV software will stop the malware installation attempt. Set your AV policy to update daily at a minimum.
  • Web Filtering. A web filtering solution helps block access to phishing sites. Not only will this prevent a breach (providing the phishing site is known by your web filter provider), but it presents a valuable teaching opportunity by displaying an error message to the user
  • Traffic decryption and inspection. F5 Labs analysed malware domains from Webroot that were active in September and October 2018. 68% of them were phoning-home over port 443, which is the standard TCP port used for websites encrypting communications over SSL/TLS. If organisations do not decrypt traffic beforeinspection, the malware installed through phishing attacks will go undetected inside the network.
  • Single-Sign On (SSO). The fewer credentials users manage, the less likely they are to share them across multiple applications, create weak passwords, and store them insecurely. 
  • Report phishing. Provide a means for employees to easily report suspected phishing. Some mail clients now have a built-in phish alert button to notify IT of suspicious activity. If your email client doesn’t have this feature, instruct all users to call the helpdesk or security team.
  • Change email addresses. Consider changing the email addresses of commonly targeted employees if they are receiving an unusually high number of phishing attacks on a continual basis.
  • Use CAPTCHAs. Use challenge-response technologies like CAPTCHA to distinguish humans from bots. However, users can find them annoying so use in cases where it’s highly likely a script is coming from a bot.
  • Access control reviews. Review access rights of employees regularly, especially those with access to critical systems. These employees should also be prioritised for phishing training.
  • Look out for newly-registered domain names. Phishing sites are often newly registered domains. When F5 reviewed the list of active malware and phishing domains collected by Webroot in September, only 62% were still active a week later.
  • Implement web fraud detection. Implement a web fraud solution that detects clients infected with malware. This stops cybercriminals logging into your systems and allowing fraudulent transactions to occur.

“Phishing is a big problem and we expect attacks to continue because they are so effective, especially during the winter period” added Warburton.

“As organisations get better at web application security, it will be easier for fraudsters to phish people than to find web exploits. Ultimately, there is no one-stop-shop security control for phishing and fraud. A comprehensive control framework that includes people, process, and technology is a critical requirement to reduce the risk of an attack becoming a major incident.”