In late July 2021, online retailers got hit with a jaw-dropping 2,800 percent increase in account takeover attacks. Dead-set on gift card fraud via “scrape for resale” and other types of fraud, the attacks spiraled up to the rate of 700,000 attacks per day.
In a separate case – of a loan application fraud attack – the threat actors used the sub accounts feature on public email domains such as Gmail to create 3,000 email addresses, which were then used to submit roughly 45,000 fraudulent loan applications distributed across multiple IP addresses.
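The sub-account trick described above works because some providers treat dot and “+tag” variants of one local part as the same inbox. The following is an added example (not from the article or from Cequence) that canonicalizes addresses before counting, so farmed variants collapse back onto the mailbox behind them; the domain list, threshold and sample applications are constructed assumptions.

```python
"""Cluster loan applications by canonical mailbox to spot sub-account farming.

Added example, not code from the article or Cequence. Assumption: Gmail ignores
dots in the local part and discards any '+tag' suffix, so 'j.doe+1@gmail.com'
and 'jdoe@gmail.com' reach the same inbox.
"""
from collections import Counter, defaultdict

# Domains known to fold dots in the local part (illustrative list, an assumption).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

def canonical_email(addr: str) -> str:
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]          # drop +tag on every domain
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")      # dots are ignored by Gmail
        domain = "gmail.com"                # googlemail.com delivers to the same inbox
    return f"{local}@{domain}"

def flag_farmed_mailboxes(applications, max_per_mailbox=3):
    """Return {canonical_mailbox: (count, distinct_ips)} for mailboxes that
    submitted more than max_per_mailbox applications."""
    counts = Counter()
    ips = defaultdict(set)
    for email, ip in applications:
        key = canonical_email(email)
        counts[key] += 1
        ips[key].add(ip)
    return {k: (n, len(ips[k])) for k, n in counts.items() if n > max_per_mailbox}

# Constructed sample: one mailbox hidden behind dot/plus variants, spread over IPs.
SAMPLE = [
    ("j.doe@gmail.com", "198.51.100.10"),
    ("jd.oe+loan1@gmail.com", "198.51.100.11"),
    ("jdoe+loan2@googlemail.com", "203.0.113.5"),
    ("J.D.O.E@gmail.com", "203.0.113.6"),
    ("alice@example.org", "192.0.2.1"),
    ("alice+x@example.org", "192.0.2.1"),
]

if __name__ == "__main__":
    for mailbox, (n, nips) in flag_farmed_mailboxes(SAMPLE).items():
        print(f"{mailbox}: {n} applications from {nips} IPs")
```

Per-IP rate limits alone would miss this pattern, since the sample spreads four applications across four addresses; the canonical-mailbox count is what surfaces it.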
Both are examples of API attacks: attacks that prey on application programming interfaces (APIs) that “have become the glue that holds today’s apps together,” as Cequence Security hacker-in-residence Jason Kent explained for Threatpost in his August 2021 InfoSec Insider article on the top 3 API security vulnerabilities and how cyberattackers use them to pwn apps.
“There’s an API to turn on the kitchen lights while still in bed. There’s an API to change the song playing on your house speakers. Whether the app is on your mobile device, entertainment system or garage door, APIs are what developers use to make applications function,” Kent wrote.
How API Glue Sticks
Kent explained that APIs are attractive to both developers and attackers because they can operate much like a URL might operate: “Typing ‘www.example[.]com’ into a web browser will elicit a response from example.com. Search for your favorite song and you will see the following in the URL bar: ‘www.example.com/search?{myfavoritesong}’,” he wrote. “The page result is dynamically built to present you with your search findings.
“Your mobile banking app operates in the same manner, with the API grabbing your name, account number and account balance – and populating the fields in the pre-built pages accordingly. While APIs have similar characteristics to web applications, they are far more susceptible to attacks; they include the entire transaction, including any security checks, and are typically communicating directly to a back-end service.”
These issues aren’t new, he said: “In the late 1990s folks figured out that you could often drop a single quote (‘) into a search box or login field and the application would respond with a database error. Understanding SQL database syntax means that a vulnerable application was simply a wide-open application that one could potentially have total control over. And once found, SQL vulnerabilities were often attacked.”
History keeps repeating itself, but threat actors’ abuse of APIs keeps evolving. Cequence – which markets its API Security Platform – accordingly keeps tabs on trends in API abuse.
API Security Threat Report
Last week, Cequence released its “API Security Threat Report: Bots and Automated Attacks Explode,” revealing that both developers and attackers are head over heels in love with APIs, for better or worse. Of the 21.1 billion transactions analyzed by Cequence Security in the last half of 2021, 14 billion (70 percent) were API transactions, the firm said in a press release announcing the report (PDF).
Kent dropped in on the Threatpost podcast last week to talk about the following three attack trends that Cequence highlighted in its recent report:
- Gift card fraud, loan fraud and payment fraud, such as the two attacks on retailers described above.
- More sophisticated shopping bots, with bots-as-a-service (BaaS) allowing anyone to buy, rent and subscribe to a network of malicious bots and use it to acquire high-demand items. Bots drove traffic to between 36M (1,200 percent) and 129M (4,300 percent) above normal, with up to 86 percent of the transactions being malicious.
- The account takeover cat-and-mouse game. “Attack patterns went from massive in nature, with malicious ATOs making up 80% of the login traffic, to the polar opposite pattern of low, slow and perfectly formed transactions,” according to Cequence.
Fending Off API Attacks
In our interview, Jason also offered advice for organizations to detect these API attacks, with an emphasis on machine-learning models.
But the most important element of defense is discovery, he stressed: “You have to know what you have. It’s the foundation and the basis of every security paradigm and program,” he said. “Knowing which APIs you have, we’re finding, is paramount for organizations.
“We see things like, they’ll move to Version 16 of their API. So their calls are slash new 16 slash login. But is 15 still on? Is 14 still on? Why am I still seeing traffic on one? Having that inventory of what’s functioning and what’s going on right now is becoming one of those things where organizations are seeing so much,” he said.
Seeing is believing. If your organization heeds his advice and delves into discovery, expect to see just how much attention threat actors are lavishing on APIs.
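Kent’s inventory question (v16 is live, but are v15 and v14 still answering?) can be asked of the access logs directly. The following is an added example, not code from the article or from Cequence; the log format, the /api/vN/ path layout, the “current version” value and the log lines themselves are constructed assumptions.

```python
"""Inventory API versions seen in traffic and flag calls to superseded ones.

Added example (not from the article or Cequence). Assumptions: Common Log
Format lines, endpoints laid out as /api/v<N>/<endpoint>, and v16 as current.
"""
import re
from collections import Counter

# Constructed access-log lines with documentation-range (fictitious) addresses.
LOG_LINES = """\
198.51.100.7 - - [10/Feb/2022:10:01:02 +0000] "POST /api/v16/login HTTP/1.1" 200 512
198.51.100.7 - - [10/Feb/2022:10:01:05 +0000] "GET /api/v16/accounts HTTP/1.1" 200 811
203.0.113.9 - - [10/Feb/2022:10:01:07 +0000] "POST /api/v14/login HTTP/1.1" 200 490
203.0.113.9 - - [10/Feb/2022:10:01:09 +0000] "POST /api/v14/login HTTP/1.1" 401 120
203.0.113.9 - - [10/Feb/2022:10:01:11 +0000] "POST /api/v15/login HTTP/1.1" 200 490
192.0.2.4 - - [10/Feb/2022:10:01:15 +0000] "GET /static/app.js HTTP/1.1" 200 9000
""".splitlines()

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
VERSION_RE = re.compile(r"^/api/v(?P<ver>\d+)/(?P<endpoint>[^/?]+)")

def inventory(lines):
    """Return {(version, endpoint): Counter(source_ip)} for every API call seen."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # malformed line, skip
        v = VERSION_RE.match(m["path"])
        if not v:
            continue                        # static asset, not an API path
        key = (int(v["ver"]), v["endpoint"])
        seen.setdefault(key, Counter())[m["ip"]] += 1
    return seen

def stale_version_calls(inv, current):
    """Calls to any version older than `current`: {(ver, endpoint): (hits, [ips])}."""
    return {k: (sum(c.values()), sorted(c)) for k, c in inv.items() if k[0] < current}

if __name__ == "__main__":
    inv = inventory(LOG_LINES)
    for (ver, ep), (n, ips) in sorted(stale_version_calls(inv, current=16).items()):
        print(f"v{ver}/{ep}: {n} calls from {', '.join(ips)}  <- still answering?")
```

A 200 on a v14 login that should have been retired is the finding; the inventory is what tells you the old version is still reachable at all.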
As well, here’s a link to an article by Jason that he discusses in the podcast, entitled Gmail Farming and Credential Validation.