Cequence Security released its first half 2022 report titled, “API Protection Report: Shadow APIs and API Abuse Explode.” Chief among the findings was approximately 5 billion (31%) malicious transactions targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, making this the top threat challenging the industry.
“The reality is the everyday luxuries we enjoy as consumers like ridesharing and food delivery services are built on APIs,” said Ameya Talwalkar, CEO, Cequence Security. “Our research found that the innovative ways companies can improve customer experiences are also the biggest threat to their security, customer trust and ultimately, their bottom line. These companies must rethink what is prioritized in their security strategy, starting with API protection.”
The report is based on an analysis of more than 20 billion API transactions observed over the first half of 2022 and seeks to highlight the top API threats plaguing organizations today.
Top threat #1: 31% of all malicious attacks target shadow APIs
Roughly 5 billion (31%) of the 16.7 billion malicious requests observed targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, spanned a wide range of use cases. From the highly volumetric sneaker bots attempting to grab the latest Dunks or Air Jordans to stealthy attackers attempting a slow trickle of card testing fraud on stolen credit cards to pure brute force credential stuffing campaigns. Driven by high-volume content scraping as a precursor to shopping bot and gift card attacks, attacks on shadow APIs surged in April 2022 and have continued to rise in volume throughout the year.
Top threat #2: API abuse
Based on 3.6 billion attacks blocked by the CQ Prime Threat Research team, the second largest API security threat mitigated during the first half of 2022 was API abuse, meaning attackers targeting properly coded and inventoried APIs. This finding highlights the need to use industry-standard lists like OWASP as a starting point, not an end goal. The most blocked attacks are indicative of the strategies attackers are using. These included:
- 3 billion shopping bots targeting sneakers or luxury goods
- 290 million gift card checking attacks
- The attempted creation of approximately 237 million fake accounts on popular dating and shopping applications
Top threat #3: The unholy trinity: Credential stuffing, shadow APIs & sensitive data exposure
Based on 100 million attacks, the combined use of API2 (Broken User Authentication), API3 (Excessive Data Exposure) and API9 (Improper Assets management) signifies two things: attackers are performing detailed analysis of how each API works, how they interact with each other, and the expected outcome and developers need to stay ever vigilant in following API coding best practices.
Account takeover mitigation saves $193 million
Highlighting the continued popularity of account takeovers (ATO), the CQ Prime Threat Research team helped customers mitigate roughly 1.17 billion malicious account login requests – all against APIs. The popularity of ATOs can be tied directly to their versatility, which has been amplified by the adoption of APIs for account logins and is shown throughout this report.
More importantly, the impact of an ATO on the business is significant, with each incident varying in cost from $290 (Juniper Research) and roughly 9 hours of investigative work to $311 (Federal Trade Commission). The mitigation efforts protected roughly 11.7 million accounts which equate to a savings of $193 million across all customers.
“Our analysis and findings are based on real attacks in the wild,” said William Glazier, Director of Threat Research at Cequence Security. “Our findings underscore the importance of IT and security leaders having a complete understanding of how correctly coded APIs, as well as those with errors, can be attacked. The sample size of 20 billion alone means there is a high likelihood that enterprises across industries are impacted by these types of threats.”
The report highlights the importance of understanding the tactics, techniques, and procedures (TTPs) attackers use to exploit risks and how attackers will react to resistance. This means not only making sure that APIs are not susceptible to the OWASP API Security Top 10 as a starting point but also looking at what can be defined as API10+, a category that encompasses the many different ways that a perfectly coded API might be abused.