Akamai Technologies has published the Akamai 2020 State of Internet / Security: Hostile Takeover Attempts report which revealed that from May 2019 till this day there is a shift in mode of attack from cyber criminals who started attacking APIs. In this report, the application programming interfaces, or APIs, that criminal targeted with credential stuffing attacks using REST and SOAP to access resources. This includes account summary pages with personal information, account records, and balances, as well as other tools or services within the platform. This was done in an effort to bypass all security controls.
From December 2017 through November 2019, Akamai observed 85,422,079,109 credential abuse attacks across our customer base. Nearly 20%, or 16,557,875,875, were against hostnames that were clearly identified as API endpoints. The number of malicious logins against financial services almost tripled from 2018 to 2019.
Of these, 473,518,955 attacked organizations in the financial services industry. Some organizations use less obvious paths and names for their APIs, but for our purposes, there were clearly identifiable endpoints we deemed sufficient.
Figure 1 shows daily malicious logins, with the obvious API endpoints highlighted. The top graph shows all verticals, while the bottom graph is focused solely on financial services. The rate of malicious logins against APIs in the financial services sector increased significantly starting in May of 2019.
Reason of Increase in API attacks
- The cause of this growth can likely be attributed to the flood of credential lists on the criminal market, and the fact that data from the financial services industry is worth a considerable amount to criminals.
- Shifting mainly in credential abuse to API pages, signaling significant targeting of those API logins.
- API usage and widespread adoption have enabled criminals to automate their attacks. This is why the volume of credential stuffing incidents has continued to grow year over year, and why such attacks remain a steady and constant risk across all market segments.
- Criminals leverage APIs to validate their lists and confirm that a username actually exists on a service. Depending on how the application or platform was developed, the error responses can be used to sort and validate lists, which enables a higher degree of targeting.
- Criminals take advantage of the lack of limitation and process tens of thousands of credentials in minutes. For APIs that are throttled, criminals use threading; taking a low and slow approach to achieve their goals says the report.
“Criminals targeting the financial services industry pay close attention to the defences used by these organizations , and adjust their attack patterns accordingly,” said Akamai security researcher and principal author of the state of the Internet/ Security report Steve Ragan.
(Image Courtesy: www.computerweekly.com)