After collecting and analyzing data from F500 financial services, retail and telecom organizations, and of the most interesting bot attacks throughout 2021, it’s clear that attackers have come to love application programming interfaces (APIs) just as much as developers, a new Cequence Security API Security Threat Report: Bots and Automated Attacks Explode found.

The analysis revealed three attack trends in API security:

Attack Trend One: Fraud Comes in Many Forms — Gift Card Fraud, Loan Fraud and Payment Fraud

In late July, retail users got hit with a 2800% increase in account takeovers (ATOs), averaging 700,000 attacks per day with the end goal of committing multiple forms of gift card fraud in the form of “scrape for resale” or “steal to then purchase” goods.

In addition, when investigating a loan application fraud attack, security researchers saw that attackers were using the sub-accounts feature on public email domains such as Gmail to create 3,000 email addresses which were then used to submit multiple loan applications distributed across various IP addresses. The discovery uncovered roughly 45,000 fraudulent loan applications.

As for payment fraud, researchers uncovered threat actors targeting an API and making regularly spaced payment authorization calls from more than 20,000 phone numbers, all emanating from three zip codes and representing 5.1% of the overall payment traffic. 

Attack Trend Two: Shopping Bots Get More Sophisticated — Enter Bots-as-a-Service (BaaS)

Bots-as-a-service (BaaS) allows anyone to buy, rent and subscribe to a network of malicious bots and use it to acquire high-demand items. Retail users often perform short hype sales, typically generating approximately 3M transactions over the typical product launch lasting a few hours. Bots drove the traffic from 36M (1200%) to 129M (4300%) above normal, with up to 86% of the transactions being malicious.

Attack Trend Three: The Account Takeover Cat-and-Mouse Game 

The CQ Prime Threat Research Team helped a retail customer fend off a series of attacks over three months that typified the extent to which attackers will modify their efforts to achieve success. Attack patterns went from massive in nature, with malicious ATOs making up 80% of the login traffic to the polar opposite patter of low, slow and perfectly formed transactions.

API attack traffic has increased nearly 700% over the past 12 months, according to the State of API Security Report Q1 2022 – more than double the amount of regular API traffic. “Complicating this is the fact that APIs, by definition, touch practically everyone in an organization and can be owned by different teams. In addition, there can be multiple types of APIs within one organization, which makes managing security a challenge,”  says Michael Isbitski, Technical Evangelist at Salt Security.

Isbitski suggests security teams need to start with a shift in mindset that understands that API security is intrinsic to API usage and management. For adequate risk management, security teams and their organizations must “build API security into the entire process and pipeline and gain cross-functional support as a program across the enterprise. That means it needs to be its own program, with its own training and management.” 

The full report can be accessed here.