In a constantly changing threat landscape, cybercriminals are turning to APIs as their new favorite weapon to conduct account takeover (ATO) fraud because they provide direct access to valuable resources and functionality. API threats have become such an issue that OWASP just released their new 2023 Top 10 API Security Risks list to help draw attention to the areas organizations need to address.
Criminals have pivoted their ATO tactics to target APIs using malicious bots to conduct attacks ranging from credential stuffing and business logic abuse to DDoS attacks, all of which often result in application downtime, identity theft, and fraud. These attacks are easier than ever to orchestrate with readily available tools and are hard to detect with legacy bot defense techniques.
According to estimates from F5’s Office of the CTO, the number of APIs in production will increase exponentially over the next few years. By 2030 there could be anywhere from 500 million to more than 1.5 billion APIs in production. Unfortunately, this is great news for cybercriminals who continuously look to expand their targets.
Modern malicious bot attacks continue to evolve, and legacy bot prevention tools cannot sustain their efficacy against them. This issue will likely get worse for APIs, since bots are aimed at them in a variety of new ways: automating discovery scans, manipulating resources and abusing business logic flaws, and conducting credential stuffing and injection attacks.
API credential stuffing attacks are a good example of why traditional bot mitigation strategies leave you exposed. Some APIs issue an authentication token once a username and password are submitted, much like logging in to a website, and that token is then presented on every subsequent request. This pattern is common, especially in older APIs, and because the token endpoint accepts a username and password from any client, it is exposed to credential stuffing and password spraying attacks.
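To make the pattern concrete, here is an added example (not code from F5 or from this post) of a token endpoint in its bare form beside a hardened one. Everything in it is constructed for illustration: the user store, the salt, the usernames and the limits. The hardened version counts failures in a sliding window both per source address, which is what catches one client cycling through many accounts, and per account, which is what catches many clients hitting one account; it answers with the same error whether the username exists or not, and it pays the password-hashing cost even for unknown users so response time does not leak account existence.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed credential store for the example (not a real user database):
# username -> PBKDF2 hash. A single fixed salt keeps the sample short; a real
# store uses a random salt per user.
_SALT = b"constructed-example-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_pw("correct horse battery staple")}


def weak_login(username: str, password: str) -> dict:
    """The token pattern as the text describes it, with nothing around it:
    any client may submit as many username/password pairs as it likes, and
    the error message reveals whether the username exists."""
    if username not in USERS:
        return {"status": 401, "error": "unknown user"}
    if _hash_pw(password) != USERS[username]:
        return {"status": 401, "error": "bad password"}
    return {"status": 200, "token": secrets.token_urlsafe(32)}


class ThrottledTokenEndpoint:
    """Same token pattern, hardened. Failed attempts are counted in a sliding
    window per source address (one client trying many accounts) and per
    account (many clients trying one account). Errors are uniform and the
    password comparison is constant-time."""

    def __init__(self, max_per_source=20, max_per_account=5, window_s=300):
        self.max_per_source = max_per_source
        self.max_per_account = max_per_account
        self.window_s = window_s
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent_failures(self, key, now) -> int:
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()  # drop failures that fell out of the window
        return len(q)

    def login(self, source_ip: str, username: str, password: str, now=None) -> dict:
        now = time.monotonic() if now is None else now  # injectable clock for tests
        src_key, acct_key = ("src", source_ip), ("acct", username)
        if (self._recent_failures(src_key, now) >= self.max_per_source
                or self._recent_failures(acct_key, now) >= self.max_per_account):
            # Same response for a throttled source and for a locked account.
            return {"status": 429, "error": "too many attempts"}

        # Hash the candidate even for unknown users so response time does not
        # reveal whether the account exists.
        candidate = _hash_pw(password)
        ok = username in USERS and hmac.compare_digest(candidate, USERS[username])
        if not ok:
            self._failures[src_key].append(now)
            self._failures[acct_key].append(now)
            return {"status": 401, "error": "invalid credentials"}
        self._failures[acct_key].clear()
        return {"status": 200, "token": secrets.token_urlsafe(32)}
```

The per-source cap is the part a per-account lockout alone does not give you: a spraying run touches each account only once or twice, so only the source-level counter ever trips. In production the counters live in shared storage rather than process memory, and the source key is usually broader than a single IP address.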
Differentiating between attackers and real customers is difficult because these targeted efforts bypass most traditional controls. Basic web app firewalls (WAFs) and security information and event management (SIEM) systems are not sufficient to identify and prevent bot attacks on APIs, in part because of the high volume of machine-to-machine, or API-to-API, traffic. Attacks can look like normal application traffic on the surface, but behind the scenes APIs can be exploited and abused, allowing attackers to elude detection until it’s too late.
API security is a shared responsibility across the organization, which heightens the need to address bot-driven attacks, both those that lead to compromise and data breach and those that degrade uptime and reliability, for legacy web apps and modern API fabrics alike.
When it comes to protecting against unauthorized access via APIs, whether through credential stuffing, brute force, or other forceful login mechanisms, a sophisticated AI/ML engine can help by identifying patterns of failed login attempts and attempts to discover API parameters, and flagging them for operations teams to review.
There are several ways that organizations should shore up their API security, including validating connections and access, monitoring and alerting on behavior over time, and helping to identify unusual client behavior to pinpoint potential areas of compromise.
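The two behaviours the previous paragraphs single out, failed-login activity and attempts to discover API parameters, can both be surfaced from ordinary gateway access logs by aggregating per client over time. The following is an added example, not code from F5 or this post: it runs over a constructed JSON-lines access log (the field names, the `/api/v1/token` path and the thresholds are all assumptions) and reports which source addresses look like credential stuffing or spraying and which look like endpoint or parameter discovery, while leaving a legitimate user who mistyped a password once unflagged.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed API gateway access log (JSON lines). The field names are an
# assumption for this example; real gateways use their own schemas.
SAMPLE_LOG = """\
{"ts": 1700000000, "src": "198.51.100.7", "method": "POST", "path": "/api/v1/token", "status": 401, "user": "amy"}
{"ts": 1700000001, "src": "198.51.100.7", "method": "POST", "path": "/api/v1/token", "status": 401, "user": "ben"}
{"ts": 1700000002, "src": "198.51.100.7", "method": "POST", "path": "/api/v1/token", "status": 401, "user": "cal"}
{"ts": 1700000003, "src": "198.51.100.7", "method": "POST", "path": "/api/v1/token", "status": 401, "user": "dee"}
{"ts": 1700000004, "src": "198.51.100.7", "method": "POST", "path": "/api/v1/token", "status": 401, "user": "eli"}
{"ts": 1700000005, "src": "198.51.100.7", "method": "POST", "path": "/api/v1/token", "status": 401, "user": "fay"}
{"ts": 1700000010, "src": "203.0.113.9", "method": "POST", "path": "/api/v1/token", "status": 401, "user": "dana"}
{"ts": 1700000015, "src": "203.0.113.9", "method": "POST", "path": "/api/v1/token", "status": 200, "user": "dana"}
{"ts": 1700000016, "src": "203.0.113.9", "method": "GET", "path": "/api/v1/orders?page=1", "status": 200, "user": "dana"}
{"ts": 1700000020, "src": "192.0.2.44", "method": "GET", "path": "/api/v1/users?admin=true", "status": 400, "user": null}
{"ts": 1700000021, "src": "192.0.2.44", "method": "GET", "path": "/api/v1/users?debug=1", "status": 400, "user": null}
{"ts": 1700000022, "src": "192.0.2.44", "method": "GET", "path": "/api/v1/internal", "status": 404, "user": null}
{"ts": 1700000023, "src": "192.0.2.44", "method": "GET", "path": "/api/v1/export?format=xml", "status": 404, "user": null}
{"ts": 1700000024, "src": "192.0.2.44", "method": "GET", "path": "/api/v1/admin/config", "status": 404, "user": null}
"""

LOGIN_PATH = "/api/v1/token"  # assumed token endpoint for this example


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events, min_login_failures=5, min_distinct_users=4,
            min_probe_responses=5, min_distinct_probes=4) -> dict:
    """Aggregate per source address and return {src: [reason, ...]} for sources
    whose behaviour matches credential stuffing/spraying or endpoint/parameter
    discovery. Thresholds are illustrative and need tuning per API."""
    stats = defaultdict(lambda: {"login_fail": 0, "users": set(),
                                 "probe_hits": 0, "probes": set()})
    for e in events:
        s = stats[e["src"]]
        parts = urlsplit(e["path"])
        if e["method"] == "POST" and parts.path == LOGIN_PATH:
            if e["status"] != 200:
                s["login_fail"] += 1
                s["users"].add(e.get("user") or "")
        elif 400 <= e["status"] < 500:
            # Distinct (path, parameter-name set) combinations that drew a client
            # error: a client walking through guessed endpoints and parameters
            # produces many of these; a real client produces few.
            s["probe_hits"] += 1
            s["probes"].add((parts.path, tuple(sorted(parse_qs(parts.query)))))

    findings = defaultdict(list)
    for src, s in stats.items():
        if s["login_fail"] >= min_login_failures and len(s["users"]) >= min_distinct_users:
            findings[src].append(
                f"credential stuffing/spraying: {s['login_fail']} failed token requests "
                f"across {len(s['users'])} usernames")
        if s["probe_hits"] >= min_probe_responses and len(s["probes"]) >= min_distinct_probes:
            findings[src].append(
                f"endpoint/parameter discovery: {s['probe_hits']} client-error responses "
                f"across {len(s['probes'])} distinct path/parameter combinations")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
```

The point of keying on distinct usernames rather than on raw failure counts is that a single user fumbling a password produces many failures against one account, while stuffing and spraying produce failures spread across many accounts. In a real deployment the aggregation runs over a time window and the source key is often a combination of address, client fingerprint and API key rather than the IP alone, since the machine-to-machine traffic the text mentions routinely shares addresses.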
You should also consider a centralized view of your API security posture, so your organization can identify potential issues in its API environment quickly, drill down, investigate, and act to neutralize anomalies or threats that could affect connectivity, availability, or app and API security.