Facilitating rapid and efficient digital communication between devices, Application Programming Interfaces (APIs) have become a critical part of modern commerce. In the past few years, they have rapidly replaced web-based applications and currently carry approximately 70% of all transaction traffic.

APIs appeal to software developers as they allow commands and features to be cherry-picked without the need to write code from scratch. This, in turn, facilitates the rapid deployment of micro services and cloud-native applications.

An attractive target

Unfortunately, APIs are also loved by cybercriminals because they are hard to track and easy to attack. To make matters worse, a recent survey[1] found up to half of those pushed through production are known to have vulnerable code. However, irrespective of whether they are securely coded or not, APIs are now a prime target, with 90% of all malicious traffic now focused on them.

APIs are all inclusive, meaning they transmit everything that is needed to execute the intended function, which makes them ideally suited for automated attacks. One of the most use cases is Account Take Over (ATO). This sees the attacker target a login API to gain control over a legitimate user account.

Traditionally, this involved somewhat random credential stuffing, but ATO has now been refined to use specific names and passwords, making it harder to detect and more successful. Last year some retail customers saw an increase of 2800% in ATOs, averaging 700,000 attacks per day, with the intention to commit payment, loan and gift card fraud. 

The rising tide of gift card and loan fraud

Gift card fraud can be carried out in a variety of ways. Following ATO, an attacker might request the gift card balance from the profile API serving the account before either selling on this information or maxing out the account by buying goods.

Attackers using bots to automate the checkout process have the advantage of being able to cycle through (enumerate) possible gift card numbers against a dedicated API. They are then able to apply any valid numbers they find before completing purchase. In one case it was found a retailer that would have lost more than $300,000 had the enumeration attack they were subjected to over 30 days not been thwarted.

In contrast to gift card theft, loan fraud tends to be executed over a much longer time frame. In one such attack we saw the sub-account feature of Gmail abused and used to create 3,000 email addresses that were then used to make 45,000 fraudulent loan applications. On another occasion, attackers targeted an API by making payment authorisation calls from 20,000 phone numbers. The activity was missed by bot prevention tools and was only picked up by correlating the call patterns and billing request timeframes.

The rise of the bots

Another prime area where automation is being used is scalping, whereby high demand items are acquired using bots. This has seen the emergence of Bots-as-a-Service, commercialising and widening the availability of bots and these are now being used to target flash sales such as Black Friday.

Bot managers will check inventory API to find out when items will be made available and pre-load shopping carts across multiple email accounts. They may also seek to use one-click purchase APIs commonly used by ApplePay or PayPal, for example, to expedite purchases.

One retailer that holds three-hour flash sales on a regular basis, typically generating between one and three million transactions per hour, saw traffic spikes range between 12 to 43 times higher last year, and 86% of the transactions were found to be malicious. This may not sound dangerous, as the sales are genuine, but this type of activity can overburden Fraud and IT teams, skew marketing efforts, and lead to bad publicity, making shopping bots bad for business.

The challenge of defence

So why are retailers finding it so hard to defend against these attacks? Spikes in traffic are a dead giveaway but knowing when to throttle traffic can be difficult.

Last year, one retailer was hit with series of attacks over a three-month period that saw traffic surge, peaking at 57 times that they would normally see over its networks, as the attacker sought to scam their loyalty and gift card programs. But in between times, traffic volumes returned to normal. This deliberate fluctuation attempts to lull systems into a false sense of security and gives attackers the opportunity to retool if they encounter restrictions or are blocked.

Many of the network security tools at the retailers’ disposal, such as web security tools and first-generation API security tools, and even botnet detection solutions as we’ve heard, tend to be ineffective when defending against these automated attacks so they come under the radar.  The other problem is that APIs are so numerous and have been deployed so rapidly, that retailers just don’t know they’re there. We found only 16% of large international businesses used an automated tool to track their APIs, making it difficult for security teams to secure these.

Increasingly, security teams are turning to AI-powered tools in their fight to improve levels of API security. These tools can scan large volumes of network traffic and spot activity that is likely to be an indicator of criminal activity.

As the capabilities of AI continue to be improved, the ability of teams to thwart attacks and protect backend systems will be improved. This means that APIs will be able to continue to provide the interconnections that have become so critical for commerce around the world.

Glen Maloney is country lead for Australia and New Zealand at Cequence Security.

[1] https://www.techtarget.com/searchsecurity/feature/API-security-strategies-must-evolve-to-include-API-protection