More Than 30% of All Malicious Attacks Target Shadow APIs

Velotix Mentioned as a Sample Vendor in the Gartner Hype Cycle for Data Security, 2023

Cequence Logo

New Research Spotlights How Attackers are Capitalizing on API-Driven Innovation

Cequence Security, the leading provider of Unified API Protection, released its first half 2022 report titled, “API Protection Report: Shadow APIs and API Abuse Explode.” Chief among the findings was approximately 5 billion (31%) malicious transactions targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, making this the top threat challenging the industry.

“The reality is the everyday luxuries we enjoy as consumers like ridesharing and food delivery services are built on APIs,” said Ameya Talwalkar, CEO and founder, Cequence Security. “Our research found that the innovative ways companies can improve customer experiences are also the biggest threat to their security, customer trust and ultimately, their bottom line. These companies must rethink what is prioritized in their security strategy, starting with API protection.”

Developed by the CQ Prime Threat Research team, the report is based on an analysis of more than 20 billion API transactions observed over the first half of 2022 and seeks to highlight the top API threats plaguing organizations today.

Marketing Technology News: dbt Labs Announces Key Details of Coalesce 2022 Conference for Analytics Engineering

Top Threat #1: Shadow APIs Hit with 5 Billion Malicious Requests

Roughly 5 billion (31%) of the 16.7 billion malicious requests observed targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, spanned a wide range of use cases. From the highly volumetric sneaker bots attempting to grab the latest Dunks or Air Jordans to stealthy attackers attempting a slow trickle of card testing fraud on stolen credit cards to pure brute force credential stuffing campaigns. Driven by high-volume content scraping as a precursor to shopping bot and gift card attacks, attacks on shadow APIs surged in April 2022 and have continued to rise in volume throughout the year.

Top Threat #2: API Abuse

Based on 3.6 billion attacks blocked by the CQ Prime Threat Research team, the second largest API security threat mitigated during the first half of 2022 was API abuse, meaning attackers targeting properly coded and inventoried APIs. This finding highlights the need to use industry-standard lists like OWASP as a starting point, not an end goal. The most blocked attacks are indicative of the strategies attackers are using. These included:

  • 3 billion shopping bots targeting sneakers or luxury goods
  • 290 million gift card checking attacks
  • The attempted creation of approximately 237 million fake accounts on popular dating and shopping applications

Top Threat #3: The Unholy Trinity: Credential Stuffing, Shadow APIs & Sensitive Data Exposure

Based on 100 million attacks, the combined use of API2 (Broken User Authentication), API3 (Excessive Data Exposure) and API9 (Improper Assets management) signifies two things: attackers are performing detailed analysis of how each API works, how they interact with each other, and the expected outcome and developers need to stay ever vigilant in following API coding best practices.

Account Takeover Mitigation Saves $193 Million

Highlighting the continued popularity of account takeovers (ATO), the CQ Prime Threat Research team helped customers mitigate roughly 1.17 billion malicious account login requests – all against APIs. The popularity of ATOs can be tied directly to their versatility, which has been amplified by the adoption of APIs for account logins and is shown throughout this report. More importantly, the impact of an ATO on the business is significant, with each incident varying in cost from $290 (Juniper Research) and roughly 9 hours of investigative work to $311 (Federal Trade Commission). The mitigation efforts protected roughly 11.7 million accounts which equate to a savings of $193 million across all customers.

“Our analysis and findings are based on real attacks in the wild,” said William Glazier, Director of Threat Research at Cequence Security. “Our findings underscore the importance of IT and security leaders having a complete understanding of how correctly coded APIs, as well as those with errors, can be attacked. The sample size of 20 billion alone means there is a high likelihood that enterprises across industries are impacted by these types of threats.”

Marketing Technology News: MarTech Interview with Peter (P.H.) Mullen, Chief Marketing Officer at Interactions

Picture of Business Wire

Business Wire

For more than 50 years, Business Wire has been the global leader in press release distribution and regulatory disclosure.

You Might Also Like