In this Expert Insight, Sam Crowther, CEO and founder, Kasada, argues that removing the ability to automate against a vulnerable API is critical to preventing bot-based attacks and data leaks.
The personal information of 37 million T-Mobile customers was recently stolen through one of its application programming interfaces (APIs). While T-Mobile is in the hot seat now, Twitter, Optus, Venmo, and others were also in the spotlight not too long ago.
API adoption is at its peak, according to a 2022 State of APIs Report, with 63% of respondents relying more on APIs in 2022 than the prior year, and 69% expecting to use even more APIs than they did in 2022. As the number of APIs continues to escalate due to the acceleration of cloud and microservices, protecting them has never been more challenging.
To effectively protect against API attacks, it is important to understand why they are a target and how they can be abused.
Why are APIs Prime Targets?
The explosion of APIs and the pace at which companies develop them is almost impossible to keep up with – and even harder to secure. APIs are prime attack targets because many security teams lack the capabilities to identify APIs comprehensively, much less patch them. A vulnerability in an API gives attackers access to the data underlying the service. And while it may be difficult for companies to find their own vulnerabilities, motivated hackers have no difficulty identifying and exploiting them. Their secret weapon? Bots.
What Role do Bots Play in API Attacks?
Many companies are unaware of the critical role that malicious automation or bots (like the ones that buy up Taylor Swift tickets) play in API attacks. Threat actors use bots to mimic human behavior and perform various hacking techniques like credential stuffing to test logins and access accounts. Bots move more quickly than any human, achieve more in less time, and often are not detected. By combing through hundreds of thousands of proxy IP addresses and stolen credentials, attackers can quickly get an API mapped, identify a vulnerable target, and automate against the login to gain access. Once inside a company network, bots can extract sensitive information at scale, like the data stolen from the 37 million T-Mobile accounts.
Bottom line: APIs cannot be protected adequately if bots are not detected and stopped. There are many elements to consider when protecting APIs. Removing the ability to automate against a vulnerable API is a huge step forward, as automation is a key enabler for both the exploitation and the extraction of large amounts of sensitive data.
How do Bots Conduct Fraud Attacks on APIs?
Modern bots look and act just like humans and can abuse APIs in a multitude of ways. Some of the techniques include disguising themselves with residential proxy networks, misusing developer tools such as Puppeteer and Playwright, leveraging anti-detect browsers, and using solver services (anti-bot bypasses available for sale as a service).
Residential Proxy Networks
Bots and human traffic can look surprisingly similar. By hiding behind residential proxies, cybercriminals can conceal their fraudulent activities by staying below detection thresholds. When activity is distributed across multiple anonymous proxy servers and IP addresses, malicious efforts are less likely to be noticed and traditional blocking techniques no longer work. Residential proxy networks have become increasingly inexpensive, and in some cases, free, making this approach accessible and cost-effective.
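The threshold problem described above, as an added example that is not part of the original article: a per-IP failure limit catches one noisy client but misses a login run spread thinly across proxy IPs, while a per-window aggregate over distinct failing accounts flags it. The log tuples, thresholds and function names are constructed assumptions.

```python
from collections import Counter, defaultdict

WINDOW = 60          # seconds per bucket (assumed)
PER_IP_LIMIT = 10    # classic "block an IP after N failures" threshold (assumed)

def sample_events():
    """Constructed login log: (epoch_s, source_ip, username, success)."""
    events = []
    # Window 0: ordinary traffic, 40 users, every 10th mistypes a password once.
    for u in range(40):
        ip = f"192.0.2.{u + 1}"
        if u % 10 == 0:
            events.append((u, ip, f"alice{u}", False))
        events.append((u + 1, ip, f"alice{u}", True))
    # Window 1: one noisy client retrying a single account 30 times.
    events += [(60 + s, "198.51.100.7", "bob", False) for s in range(30)]
    # Window 2: 500 attempts spread over 250 proxy IPs, a new username each time.
    for i in range(500):
        events.append((120 + i % 60, f"203.0.113.{i % 250 + 1}",
                       f"victim{i}", i % 100 == 0))
    return events

def per_ip_offenders(events):
    """IPs exceeding PER_IP_LIMIT failures inside any single window."""
    fails = Counter((t // WINDOW, ip) for t, ip, _, ok in events if not ok)
    return {ip for (_, ip), n in fails.items() if n > PER_IP_LIMIT}

def suspicious_windows(events, min_failed_users=50, max_fail_ratio=0.5):
    """Windows where many distinct accounts fail and failures dominate logins."""
    total, failed, users = Counter(), Counter(), defaultdict(set)
    for t, _, user, ok in events:
        w = t // WINDOW
        total[w] += 1
        if not ok:
            failed[w] += 1
            users[w].add(user)
    return sorted(w for w in total
                  if len(users[w]) >= min_failed_users
                  and failed[w] / total[w] > max_fail_ratio)

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP rule flags:", per_ip_offenders(ev))
    print("aggregate rule flags windows:", suspicious_windows(ev))
```

In the constructed data no proxy IP exceeds two failures, so only the aggregate view over accounts and failure ratio surfaces the distributed window.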
Browser Automation Frameworks Gone Bad
Among software developers, automated testing frameworks like Puppeteer and Playwright have become increasingly popular due to the ability to reduce the amount of manual labor required to test software applications. Unfortunately, they have also become the go-to solutions for creating human-like bots and the barrier to entry is low. With Google’s introduction of Recorder in Chrome 97, users can record and replay scripts for bots without writing a single line of code. This is rapidly becoming one of the most significant threats to online businesses.
Solver Services
The evolution of API-as-a-Service solver services has enabled thousands of bad actors to bypass most bot detection solutions. Solver services work by “solving” a bot detection solution’s defenses and allowing automated bot attacks to occur. When a cybercriminal figures out how to solve (bypass) a bot management system, this creates an opportunity. Rather than sell the technique or code for profit, the original “Solver” of the bypass creates a cloud service that fraudsters can subscribe to and use to circumvent the solution. Because these services are sold in the underground bot marketplace, little technical expertise is required to bypass bot management solutions, launch bot attacks and commit automated fraud.
How to Protect Your APIs
The pervasiveness of recent API security breaches has forced organizations to finally prioritize API security. However, most companies’ existing security stacks are ill-equipped to manage today’s API challenges. Many companies incorrectly assume that their current stack, which may include WAFs and API gateways, can protect them from API attacks effectively. While these tools may succeed in preventing some attacks, they are often insufficient in preventing API breaches since they were developed for other purposes that don’t stop malicious automation.
As threat actors continue to innovate their attack methods, they multiply the destruction they cause by leveraging the power of bots. As companies reevaluate their cybersecurity stacks and focus on their API security strategies, it’s important to make sure that their bot defenses are proactive and dynamic so that it becomes too difficult and expensive for bad actors to continue attacking. To effectively stop API attacks, companies need a more holistic security approach that includes detecting and stopping modern bots.