Cyberattackers are now increasingly targeting APIs, especially in the financial sector, according to content delivery network Akamai’s latest quarterly “State of the Internet” report.
It’s a reminder that third-party developers aren’t the only ones interested in using APIs. And it also highlights the need for security practices to be constantly evolving.
“If nothing else, financial services organizations should be aware of the shift to credential abuse targeting their APIs,” the report concludes, before warning “it isn’t just financial services; everyone is being targeted by criminals who use and abuse stolen credentials to fuel their criminal enterprises.”
Akamai is uniquely positioned to detect these trends. As recently as 2015, Reuters was estimating the company carried between 15% and 30% of all web traffic. The Cambridge, Massachusetts-based company has 275,000 servers in 136 countries and nearly 1,500 networks around the world, as part of its business as a widely-distributed content delivery network. And 83% of the traffic on the Akamai network is now API hits — dwarfing the amount of HTML traffic.
Drawing on data from two products — Identity Cloud and Enterprise Application Access — the report looked at traffic to both REST and SOAP APIs.
“Across the last two years, across all of our vertical industries, we’ve seen 84.6 billion malicious login attempts. About 20% of those attacks are coming against the APIs rather than just against the web server itself,” Akamai Chief Strategy Officer Andy Ellis neatly summarized the results in a video highlighting the report.
Over nearly two years, from December of 2017 to November of 2019, Akamai spotted 16,557,875,875 “credential abuse” attacks that targeted hostnames clearly identified as API endpoints. “This indicates a drastic shift away from general login pages to API logins by criminals,” he said.
Of those API attacks, there were 473,518,955 targeting financial services sites. Just on one day in 2018 — Jan. 25 — there were 113,324,322 such attacks, the single largest day. And from last May through October, attacks on the financial service sector often targeted APIs more than 75% of the time. About 74% of applications and services still grant access using the traditional username/password login, Akamai wrote in a TL;DR section.
The report notes that on one day in August, Akamai spotted 55,141,782 malicious login attempts on just one “well-known financial services firm” — part of the largest spike the company has ever seen in targeted login-abuse attacks against the financial industry.
One of the most interesting graphs calculates what percentage of each week’s attacks involved APIs from January 2018 to November 2019. Sure enough, it shows a sudden increase in the percentage of API attacks on the financial services sector between May and October of 2019 — at least once rising as high as 87%. And at least half the time, the plotted percentage appears to be double the percentage of API attacks across all sectors (which is also plotted on the same graph).
Akamai suggests the spike was likely caused by “the flood of credential lists on the criminal market” (coupled with their obvious usefulness in identity fraud and financial theft). “Criminals are still buying, selling, and trading bank cards, financial credentials, compromised gift card balances, and online banking accounts at a rapid clip, because demand for such things remains high.”
Holes to Plug
Part of the problem is that some APIs have been developed with weak security, which makes them attractive targets for attackers. Akamai’s report points out one possible weakness: allowing an unlimited number of incorrect login attempts. “Criminals take advantage of the lack of limitation and process tens of thousands of credentials in minutes.”
Other APIs simply “throttle” the number of attempts, which still leaves open the possibility of brute-force attacks as long as they’re spread out over time, the report points out. And some error response messages even inadvertently validate the existence of login names, making it easier for attackers to then concentrate on those valid accounts.
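The three weaknesses the report lists (unlimited attempts, throttling that only slows a spread-out attack, and error messages that confirm which usernames exist) can be seen side by side in a small login handler. This is an added illustration, not code from Akamai or the report; the user store, usernames and passwords are constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed demo user store. PBKDF2 keeps the example dependency-free;
# a production service would use a dedicated slow hash such as argon2 or bcrypt.
_SALT = b"constructed-demo-salt"

def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)

USERS = {"alice": _hash("correct horse")}   # constructed account

# Weak pattern from the report: no attempt limit, and the error text tells the
# caller whether the username exists, so valid accounts can be singled out.
def login_weak(user, pw):
    if user not in USERS:
        return (False, "unknown user")
    if not hmac.compare_digest(USERS[user], _hash(pw)):
        return (False, "wrong password")
    return (True, "ok")

# Hardened pattern: one generic error, and a failure budget per account and per
# source that is remembered for a full day, so one guess per hour still adds up
# and a plain requests-per-minute throttle is not the only obstacle.
FAIL_WINDOW = 24 * 3600
MAX_FAILS = 10

class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(list)   # (kind, key) -> failure timestamps

    def _recent(self, key):
        cutoff = self.now() - FAIL_WINDOW
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def login(self, user, pw, src_ip):
        generic = (False, "invalid credentials")   # same text for every failure
        if self._recent(("acct", user)) >= MAX_FAILS or self._recent(("ip", src_ip)) >= MAX_FAILS:
            return generic                         # locked: do not even check the password
        candidate = _hash(pw)                      # hash for unknown users too, so timing does not leak existence
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored, candidate):
            t = self.now()
            self.failures[("acct", user)].append(t)
            self.failures[("ip", src_ip)].append(t)
            return generic
        return (True, "ok")
```

Once the per-account budget is spent, even the correct password is refused until the window expires, which is the behaviour an operator would pair with alerting on the lockout events.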
But the danger of weak security practices becomes amplified when attackers can probe for these holes at scale. “API usage and widespread adoption have enabled criminals to automate their attacks,” the report warns. And one infographic warns that while the tactic is increasing in the financial services sector, “what works here may find its way to other industries.”
In an email to VentureBeat, Akamai explained some of the advantages of automation: criminals “use bots and tools that allow threading, or multiple simultaneous connections, to attempt multiple logins at once.” And by targeting APIs, “they hope to avoid some front-end defenses and speed up their validation times.” A recent article at CSO Online summarized some of the convenience that APIs provide — to cyberattackers. “[R]equesting and extracting information through APIs are standardized and well suited for automation. After all, the very purpose of an API is to facilitate applications talking to each other and exchanging data automatically.”
There may also be a regulatory factor that’s pushing the popularity of APIs: the European Union’s Payments Services Directive (PSD2), which pushes for open banking and went into effect last September. “PSD2 requires banks and other financial institutions that hold customer accounts to make it possible for third-party services to check the availability of funds, initiate payments or access account data if the account owners give their consent. The most common way of complying with that request is through the development of web APIs.”
“Even if no similar regulatory requirements exist in non-EU countries, market forces are pushing financial institutions in the same direction since they need to innovate and keep up with the competition.”
Akamai’s report recommends Zero Trust as a way to mitigate some of the risks, citing the practices followed by both Amazon Web Services and Azure. “Both platforms are growing with their customers, and offering more customized solutions for network and service architecture, which includes Zero Trust models.” But it also argues that Zero Trust isn’t a silver bullet. “You can’t throw money at a problem, adopt lots of different technologies, and expect things to happen like magic — security doesn’t work that way. The most success with Zero Trust comes from embracing the concept and building your operations around it, which will include investments as needed…
“But evolving away from the notion of a perimeter defense is where the future is heading because the world as we know it is quickly expanding and connecting everyone.”
Amazon Web Services is a sponsor of The New Stack.