Financial sector is seeing more credential stuffing than DDoS attacks

North American financial institutions and banks are targeted the most, primarily because most leaked credentials are from US services.


The financial sector has seen more brute-force attacks and credential stuffing incidents than DDoS attacks in the past three years, F5's cyber-security unit said in a report published today.

F5 tabulated statistics about attacks carried out against banks, credit unions, brokers, insurers, and the wide range of organizations that serve them, such as payment processors and financial Software as a Service (SaaS).

The report's findings dispel the notion that DDoS attacks are one of today's most prevalent threats against the financial vertical.

In reality, F5 says that brute force attacks, credential stuffing, and all the other account takeover (ATO) attacks have been a much bigger threat to the financial sector between 2017 and 2019. This includes all the ATO variations such as:

  • Brute-force attacks - attackers try common or weak username/password pairs (from a preset list) to brute-force their way into an account
  • Credential stuffing - attackers try username/password pairs leaked at other sites
  • Password spraying - attackers try the same password, but against different usernames

[Figure: financial-sector incident history. Image: F5]
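
The three ATO variations listed above leave different shapes in failed-login records, which is how a defender can tell them apart even when the traffic volume looks alike. The sketch below is an added example, not code from F5 or from the article. It assumes failures are grouped per source IP and that the login service records a keyed hash of each attempted password instead of the password itself; the key, thresholds, accounts and events are all constructed.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: secret held by the login service

def fingerprint(password):
    """Keyed hash: lets attempts be compared without storing the password."""
    return hmac.new(KEY, password.encode(), hashlib.sha256).hexdigest()[:16]

def classify(failures, min_attempts=5, ratio=4):
    """Label each source IP by the shape of its failed logins.

    failures: iterable of (source_ip, username, password_fingerprint).
    """
    users, passwords, pairs = defaultdict(set), defaultdict(set), defaultdict(set)
    for ip, user, fp in failures:
        users[ip].add(user)
        passwords[ip].add(fp)
        pairs[ip].add((user, fp))
    labels = {}
    for ip in pairs:
        n, u, p = len(pairs[ip]), len(users[ip]), len(passwords[ip])
        if n < min_attempts:
            labels[ip] = "below-threshold"      # e.g. a user mistyping
        elif u >= ratio * p:
            labels[ip] = "password-spraying"    # same password, many usernames
        elif p >= ratio * u:
            labels[ip] = "brute-force"          # many guesses at few accounts
        elif n <= 2 * u and 2 * p >= u:
            labels[ip] = "credential-stuffing"  # one leaked pair per username
        else:
            labels[ip] = "mixed"
    return labels

# Constructed sample events (documentation IP ranges, made-up accounts).
SAMPLE = (
    [("203.0.113.10", f"user{i}", fingerprint("Winter2019!")) for i in range(8)]
    + [("198.51.100.7", "alice", fingerprint(f"guess{i}")) for i in range(8)]
    + [("192.0.2.44", f"cust{i}", fingerprint(f"leaked-{i}")) for i in range(8)]
    + [("192.0.2.99", "bob", fingerprint(w)) for w in ("hunter2", "hunter3")]
)

if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE).items()):
        print(ip, label)
```

Attacks spread across many source addresses would need a different grouping key (for example per target account or per password fingerprint) before the same ratios apply.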

Some credential stuffing attacks look like DDoS

Per F5's statistics, the number of DDoS attacks went up in 2019, but this number can be misleading, since some brute-force and credential stuffing attacks are so aggressive and take place at such fast speeds that it's hard to tell them apart from actual DDoS attacks.

Brute-force and credential stuffing attacks are becoming more ferocious because the shelf life of leaked username and password combos is also getting shorter, as more threat groups are engaged in similar attacks.

The race to reach a victim's bank account first often pushes some criminal gangs into turning up the volume and speed of their attacks, with some brute-forcing incidents generating as much traffic as a DDoS attack.

North American banks are targeted more

The connection between dumps of fresh usernames and passwords on the criminal underground and brute-force and credential stuffing attacks against the financial sector is also visible in a graph showing the attacks' geographical distribution.

"We hypothesize that the prevalence of brute force and credential stuffing attacks in North America is driven largely by the enormous volume of existing breached credentials for North American users that has resulted from more than a decade of near-daily data breaches," F5 researchers said.

[Figure: incidents by continent. Image: F5]

The F5 report only analyzed the financial sector. However, at the global level, automated logins have been growing for a while. In 2018, Akamai reported that credential stuffing incidents were reaching DDoS proportions.

Exact numbers comparing the two attack types aren't yet available. However, in an email, F5 told ZDNet that they wouldn't be surprised if credential stuffing and other ATO attempts are now more common than DDoS.

"We would hazard a guess that credential abuse in its various forms for the purposes of account takeover is more prevalent than DDoS," F5 told ZDNet.

"But it's important to note that a) these attacks serve very different purposes for attackers and b) they pose different challenges in terms of detection. So it's a little bit apples to oranges, and a little bit apples to apples."