Attackers have come to love APIs as much as developers

Cequence Security released a report revealing that both developers and attackers have made the shift to APIs. Of the 21.1 billion transactions analyzed in the last half of 2021, 14 billion (70 percent) were API transactions.

After analyzing some of the most interesting bot attacks throughout 2021, it’s clear that attackers have come to love APIs just as much as developers.

“Name one department in your company that does not use APIs. APIs are absolutely critical to business operations across sectors from healthcare to retail to banking,” said Larry Link, President and CEO of Cequence Security.

“The bottom line is that enterprises will remain at a high risk of losing valuable data, customer loyalty and revenue until they invest adequate resources into securing their APIs. Attackers aren’t slowing down any time soon, and it’s time businesses match that rate of innovation.”

Notable attacks can be categorized into three key trends.

Attack trend one: Fraud comes in many forms

Gift card fraud, loan fraud and payment fraud

In late July, Cequence saw retail customers get hit with a 2800% increase in ATOs averaging 700K attacks per day with the end goal of committing multiple forms of gift card fraud in the form of “scrape for resale” or “steal to then purchase” goods.

When investigating a loan application fraud attack, attackers were seen using the sub accounts feature on public email domains such as Gmail to create 3,000 email addresses which were then used to submit multiple loan applications distributed across multiple IP addresses. The discovery uncovered roughly 45,000 fraudulent loan applications.

As for payment fraud, researchers uncovered threat actors targeting an API and making regularly spaced payment authorization calls from more than 20,000 phone numbers, all emanating from three zip codes and representing 5.1 percent of the overall payment traffic. The CQ Prime threat research team analyzed the circumstances and shut down the attack before payment fraud was successful.

Attack trend two: Shopping bots get more sophisticated

Enter Bots-as-a-Service (BaaS)

Bots-as-a-service (BaaS) allows anyone to buy, rent and subscribe to a network of malicious bots and use it to acquire high-demand items. Cequence retail customers often perform short duration hype sales, which typically generate approximately 3M transactions over the typical product launch lasting a few hours. Bots drove the traffic to 36M (1200%) to 129M (4300%) above normal with up to 86 percent of the transactions being malicious.

Attack trend three: The account takeover cat-and-mouse game

The CQ Prime Threat Research Team helped a retail customer fend off a series of attacks over a three-month period that typified the extent to which attackers will modify their efforts in order to achieve success. Attack patterns went from massive in nature, with malicious ATOs making up 80% of the login traffic to the polar opposite patter of low, slow and perfectly formed transactions.