According to a new Cequence Security analysis, bots and automated attacks have increased, with attackers and developers alike falling in love with APIs. Jason Kent, our resident hacker, shares the latest.
Online retailers were hit with a staggering 2,800 percent rise in takeover attacks in late July 2021. The attacks escalated to a rate of 700,000 per day, focused on gift card fraud via “scrape for resale” and other forms of theft.
In a second case, a loan application fraud attack, the threat actors used the sub-account functionality of public email domains such as Gmail to generate 3,000 email addresses, which were then used to submit around 45,000 fake loan applications spread across numerous IP addresses.
Both are examples of API attacks, which prey on application programming interfaces (APIs), which “have become the glue that holds today’s apps together,” according to Cequence Security Hacker-in-Residence Jason Kent’s August 2021 InfoSec Insider article on the top 3 API security vulnerabilities and how cyberattackers use them to pwn apps.
“It’s possible to turn on the kitchen lights while remaining in bed using an API. There is an API that allows you to modify the song that is playing on your home speakers. APIs are what developers use to make apps work, whether they’re on your mobile device, entertainment system, or garage door,” Kent stated.
How Does API Glue Work?
APIs are appealing to both developers and attackers, according to Kent, because they can function similarly to a URL: “If you type ‘www.example[.]com’ into a web browser, example.com will respond. If you type www.example.com/search?myfavoritesong into the URL bar, you’ll see the following,” he wrote. “The page result is dynamically constructed to present you with the results of your search.”
“Your mobile banking app works in the same way, with the API taking your name, account number, and account balance, and populating the fields in the pre-built pages accordingly. While APIs are similar to web apps in that they include the full transaction, including any security checks, and often communicate directly with a back-end service, they are significantly more vulnerable to attacks.”
“In the late 1990s, folks worked out that if you dropped a single quote (‘) into a search box or login field, the application would typically respond with a database error,” he said. “Understanding SQL database terminology meant that a vulnerable program was just a wide-open application that could be controlled completely. And once discovered, SQL flaws were often exploited.”
Even as history repeats itself, threat actors’ abuse of APIs continues to evolve. Cequence, which sells its API Security Platform, keeps a close eye on API abuse trends.
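The single-quote probe Kent describes, shown against a constructed in-memory SQLite table as an added illustration (not code from the article or from Cequence): the string-concatenated query answers a lone quote with a database error, while the parameterized query treats the same input as ordinary data.

```python
import sqlite3

def make_db():
    """Constructed stand-in for a login backend; not real data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concat(db, name, pw):
    """Vulnerable form: untrusted input pasted into the SQL text.
    An unbalanced single quote breaks the string literal and the
    database replies with a syntax error, the tell-tale the article
    mentions. Returns True/False on success, or the error text."""
    sql = f"SELECT count(*) FROM users WHERE name='{name}' AND pw='{pw}'"
    try:
        return db.execute(sql).fetchone()[0] > 0
    except sqlite3.OperationalError as exc:
        return f"db error: {exc}"

def login_param(db, name, pw):
    """Hardened form: placeholders keep the quote inside the value,
    so the same input is simply a username that does not exist."""
    sql = "SELECT count(*) FROM users WHERE name=? AND pw=?"
    return db.execute(sql, (name, pw)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "alice", "s3cret"))  # valid login, True
    print(login_concat(db, "'", "x"))           # leaks a database error
    print(login_param(db, "'", "x"))            # False, no error
```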
Report on API Security Threats
Cequence released its “API Security Threat Report: Bots and Automated Attacks Explode” (PDF) last week, demonstrating that both developers and attackers are in love with APIs, for better or worse. In the press release announcing the report, Cequence Security noted that 14 billion (70 percent) of the 21.1 billion transactions reviewed in the second half of 2021 were API transactions.
Last week, Kent appeared on the Threatpost podcast to discuss the three threat themes identified by Cequence in its recent report:
Fraud, including gift card fraud, loan fraud, and payment fraud, such as the two attacks on retailers outlined above.
Bots-as-a-service (BaaS), which lets anyone buy, rent, or subscribe to a network of malicious bots and use it to obtain high-demand goods, enabling more sophisticated shopping bots. Bot traffic rose from 36 million (1,200 percent) to 129 million (4,300 percent), with 86 percent of the transactions being malicious.
The cat-and-mouse game of account takeover. According to Cequence, “attack patterns shifted from huge in nature, with malicious ATOs accounting for 80% of login traffic, to the polar opposite pattern of low, slow, and well-structured transactions.”
Defending Against API Attacks
In our conversation, Jason also gave advice to corporations on how to detect API attacks, with a focus on machine-learning models.
“You have to know what you have,” he said, emphasizing that discovery is the most crucial aspect of defense. “Every security paradigm and program is built on this foundation,” he stated. “We’re finding that knowing which APIs you have is critical for enterprises.”
“We’re seeing stuff like them moving to API version 16. As a result, their numbers are slash new 16 slash login. Is 15, however, still on? Is 14 still on? Why is it that I’m still seeing traffic on one of them?”
“Having that inventory of what’s working and what’s going on right now is one of those things where corporations are seeing a lot,” he added.
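The inventory question Kent raises, as an added example that is not the article’s or Cequence’s own tooling: a few constructed access-log lines are reduced to a per-version, per-endpoint count, and any version older than the one the team believes is current but still receiving requests is flagged. The path layout (/api/vN/endpoint) and the current version number are assumptions.

```python
import re
from collections import Counter

# Constructed access-log lines (not real traffic). The team thinks v16 is
# live, yet older versions of the same login endpoint still answer.
LOG_LINES = """\
203.0.113.7 "POST /api/v16/login HTTP/1.1" 200
203.0.113.7 "POST /api/v16/login HTTP/1.1" 200
198.51.100.2 "POST /api/v15/login HTTP/1.1" 200
198.51.100.9 "POST /api/v14/login HTTP/1.1" 200
198.51.100.9 "POST /api/v14/login HTTP/1.1" 200
198.51.100.9 "POST /api/v14/login HTTP/1.1" 200
203.0.113.8 "GET /api/v16/balance HTTP/1.1" 200
""".splitlines()

# Assumed path convention: /api/v<version>/<endpoint>, query string ignored.
PATH_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) /api/v(\d+)/([^ ?]+)')
CURRENT_VERSION = 16  # assumed: the version the team believes is the only one live

def inventory(lines):
    """Build {(version, endpoint): request count} from access-log lines.
    This is the 'know what you have' step: every version/endpoint pair
    that appears in traffic is, by definition, still reachable."""
    counts = Counter()
    for line in lines:
        match = PATH_RE.search(line)
        if match:
            counts[(int(match.group(1)), match.group(2))] += 1
    return counts

def stale_versions(counts, current=CURRENT_VERSION):
    """Return the subset of the inventory on versions older than `current`
    that still received traffic, sorted oldest first. A non-empty result
    is the 'why am I still seeing traffic on 14' finding."""
    return {key: n for key, n in sorted(counts.items()) if key[0] < current}

if __name__ == "__main__":
    inv = inventory(LOG_LINES)
    for (version, endpoint), n in stale_versions(inv).items():
        print(f"v{version}/{endpoint}: {n} requests on a retired version")
```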
Seeing is believing. If your company follows his advice and does the discovery work, you’ll be surprised at how much attention threat actors pay to APIs.