searchtwitterarrow rightmail strokearrow leftmail solidfacebooklinkedinplusangle upmagazine plus
Help Net Security - Daily information security news with a focus on enterprise security.
Help Net Security - Daily information security news with a focus on enterprise security.
  • News
  • Features
  • Expert analysis
  • Videos
  • Reviews
  • Events
  • Whitepapers
  • Industry news
  • Product showcase
  • Newsletters
Help Net Security
Help Net Security
October 7, 2022
Share

Shadow APIs hit with 5 billion malicious requests

Cequence Security released its first half 2022 report titled, “API Protection Report: Shadow APIs and API Abuse Explode.” Chief among the findings was approximately 5 billion (31%) malicious transactions targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, making this the top threat challenging the industry.

shadow APIs top threat

“The reality is the everyday luxuries we enjoy as consumers like ridesharing and food delivery services are built on APIs,” said Ameya Talwalkar, CEO, Cequence Security. “Our research found that the innovative ways companies can improve customer experiences are also the biggest threat to their security, customer trust and ultimately, their bottom line. These companies must rethink what is prioritized in their security strategy, starting with API protection.”

The report is based on an analysis of more than 20 billion API transactions observed over the first half of 2022 and seeks to highlight the top API threats plaguing organizations today.

Top threat #1: 31% of all malicious attacks target shadow APIs

Roughly 5 billion (31%) of the 16.7 billion malicious requests observed targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, spanned a wide range of use cases. From the highly volumetric sneaker bots attempting to grab the latest Dunks or Air Jordans to stealthy attackers attempting a slow trickle of card testing fraud on stolen credit cards to pure brute force credential stuffing campaigns. Driven by high-volume content scraping as a precursor to shopping bot and gift card attacks, attacks on shadow APIs surged in April 2022 and have continued to rise in volume throughout the year.

Top threat #2: API abuse

Based on 3.6 billion attacks blocked by the CQ Prime Threat Research team, the second largest API security threat mitigated during the first half of 2022 was API abuse, meaning attackers targeting properly coded and inventoried APIs. This finding highlights the need to use industry-standard lists like OWASP as a starting point, not an end goal. The most blocked attacks are indicative of the strategies attackers are using. These included:

  • 3 billion shopping bots targeting sneakers or luxury goods
  • 290 million gift card checking attacks
  • The attempted creation of approximately 237 million fake accounts on popular dating and shopping applications

Top threat #3: The unholy trinity: Credential stuffing, shadow APIs & sensitive data exposure

Based on 100 million attacks, the combined use of API2 (Broken User Authentication), API3 (Excessive Data Exposure) and API9 (Improper Assets management) signifies two things: attackers are performing detailed analysis of how each API works, how they interact with each other, and the expected outcome and developers need to stay ever vigilant in following API coding best practices.

Account takeover mitigation saves $193 million

Highlighting the continued popularity of account takeovers (ATO), the CQ Prime Threat Research team helped customers mitigate roughly 1.17 billion malicious account login requests – all against APIs. The popularity of ATOs can be tied directly to their versatility, which has been amplified by the adoption of APIs for account logins and is shown throughout this report.

More importantly, the impact of an ATO on the business is significant, with each incident varying in cost from $290 (Juniper Research) and roughly 9 hours of investigative work to $311 (Federal Trade Commission). The mitigation efforts protected roughly 11.7 million accounts which equate to a savings of $193 million across all customers.

“Our analysis and findings are based on real attacks in the wild,” said William Glazier, Director of Threat Research at Cequence Security. “Our findings underscore the importance of IT and security leaders having a complete understanding of how correctly coded APIs, as well as those with errors, can be attacked. The sample size of 20 billion alone means there is a high likelihood that enterprises across industries are impacted by these types of threats.”

The report highlights the importance of understanding the tactics, techniques, and procedures (TTPs) attackers use to exploit risks and how attackers will react to resistance. This means not only making sure that APIs are not susceptible to the OWASP API Security Top 10 as a starting point but also looking at what can be defined as API10+, a category that encompasses the many different ways that a perfectly coded API might be abused.

More about
  • account hijacking
  • API security
  • Cequence Security
  • fraud
  • report
  • threats
Share this

Featured news

  • Overcoming obstacles to introduce zero-trust security in established systems
  • Leveraging network automation to enhance network security
  • Ransomware gangs are exploiting IBM Aspera Faspex RCE flaw (CVE-2022-47986)
Guide: Aligning your security program with the NIST CSF

Sponsored

Webinar: Tips from MSSPs to MSSPs – starting a vCISO practice

Security in the cloud with more automation

CISOs struggle with stress and limited resources

How to scale cybersecurity for your business

Don't miss

Overcoming obstacles to introduce zero-trust security in established systems

Leveraging network automation to enhance network security

Ransomware gangs are exploiting IBM Aspera Faspex RCE flaw (CVE-2022-47986)

3CX customers targeted via trojanized desktop app

The rise of biometrics and decentralized identity is a game-changer for identity verification

Cybersecurity news
Help Net Security - Daily information security news with a focus on enterprise security.
© Copyright 1998-2023 by Help Net Security
Read our privacy policy | About us | Advertise
Follow us