In the wake of the massive Capital One data breach, many IT and security experts are paying close attention to the risks posed to the financial industry, and with good reason: Cybercriminals launched 3.5 billion credential stuffing attack attempts during the 18 months from November 2017 to April 2019, according to Akamai’s latest State of the Internet / Security report, released Wednesday.

The financial services sector represents 50% of all organizations impacted by phishing domains, the report found, putting the personal data and banking information of customers at risk. Nearly 200,000 phishing domains were discovered between 2018 and 2019, and of those domains, 66% directly targeted customers, the report found.

SEE: You’ve been breached: Eight steps to take within the next 48 hours (free PDF) (TechRepublic)

“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” Martin McKeay, a security researcher at Akamai and editorial director of the report, said in a press release. “Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers.”

After cybercriminals succeed in stealing user data, they often create “bank drops,” or packages of information—including a person’s name, address, date of birth, social security number, driver’s license number, and credit score—that can be used to fraudulently open an account at a given bank.

Most of the methods hackers are using to do this are not new. Some 94% of observed attacks against financial services organizations come from one of four methods, according to the report: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection. OGNL Java Injection accounted for more than 8 million attempts during the study period, and continues to be popular among attacks years after patches have been released, the report noted.

DDoS attacks are another way cybercriminals create a distraction to proceed with more nefarious business, such as credential stuffing attacks or exploiting a web-based vulnerability, Akamai found. More than 800 DDoS attacks against the financial service industry were observed in the 18 months studied for the report.

“Attackers are targeting financial services organizations at their weak points: the consumer, web applications and availability, because that’s what works,” McKeay said in the release. “Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail.”

For more, check out Online security 101: Tips for protecting your privacy from hackers and spies on our sister site ZDNet.

Also see

Image: iStockphoto/gutaper