There’s been a meteoric rise in bots and automated attacks as cybercriminals exploit APIs to commit fraud. Shreyans Mehta, CTO, at Cequence Security reveals some of the attacks suffered by retailers and how the sector can defend against them.
Underpinning digital interactions over mobile and in the cloud, Application Programming Interfaces (APIs) are rapidly becoming the lifeblood of modern commerce. They’ve replaced web-based applications and now carry approximately 70 percent of transaction traffic.
A staple in the developer’s toolkit, they enable commands and features to be cherry-picked without the need to code from scratch and facilitate the rapid deployment of micro services and cloud-native applications. They’re loved by developers but also by attackers because they are hard to track and easy to attack. To make matters worse, up to half of those pushed through production are known to have vulnerable code, according to a survey by Veracode and ESG. But, irrespective of whether they are securely coded or not, they’re now a prime target, with 90 percent of all malicious traffic now focused on APIs.
APIs are all inclusive, meaning they transmit everything that is needed to execute the intended function, which makes them ideally suited for automated attacks. One of the most use cases is Account Take Over (ATO). This sees the attacker target a login API to gain control over a legitimate user account. Traditionally, this involved somewhat randomcredential stuffing, but ATO has now been refined to use specific names and passwords, making it harder to detect and more successful. Last year we saw some retail customers seean increase of 2800 percent in ATOs, averaging 700,000 attacks per day, with the intention to commit payment, loanand gift card fraud.
Mass fraud
Gift card fraud can be carried out in a variety of ways. Following ATO, the attacker might request the gift card balance from the profile API serving the account before either selling on this information or they maxing out the account by buying goods. But we’ve also seen attackers target loyalty scheme in order to use the loyalty points to buy gift cards.
Attackers using bots to automate the checkout process have the advantage of being able to cycle through (enumerate) possible gift card numbers against a dedicated API. They are then able to apply any valid numbers they find before completing purchase. In one case we found a retailer that would have lost in excess of £150k had the enumerationattack they were subjected to over 30 days not been thwarted.
In contrast to gift card theft, loan fraud tends to executed over a much longer time frame. In one such attack we saw the sub-account feature of Gmail abused and used to create 3,000 email addresses that were then used to make 45,000 fraudulent loan applications. On another occasion, attackers targeted an API by making payment authorisation calls from 20,000 phone numbers. The activity was missed by bot prevention tools and was only picked up by correlating the call patterns and billing request timeframes.
Shop bots
Another prime area where automation is being used is scalping, whereby high demand items are acquired using bots. This has seen the emergence of Bots-as-a-Service, commercialising and widening the availability of bots and these are now being used to target flash sales such as Black Friday.
Bot managers will check inventory API to find out when items will be made available and pre-load shopping carts across multiple email accounts. They may also seek to use one-click purchase APIs commonly used by ApplePay or Paypal, for example, to expedite purchases.
One retailer that holds three-hour flash sales on a regular basis, typically generating between one and three million transactions per hour, saw traffic spikes range between 12 to 43 times higher last year, and 86 percent of the transactions were found to be malicious. This may not sound dangerous, as the sales are genuine, but this type of activity can overburden Fraud and IT teams, skew marketing efforts, and lead to bad publicity, making shopping bots bad for business.
Fighting back
So why are retailers finding it so hard to defend against these attacks? Spikes in traffic are a dead giveaway but knowing when to throttle traffic can be difficult.
Last summer we saw a retailer hit with series of attacks over a three-month period that saw traffic surge, peaking at 57 times that they would normally see over their networks, as the attacker sought to scam their loyalty and gift card programs. But in between times, traffic volumes returned to normal. This deliberate fluctuation attempts to lull systems into a false sense of security and gives attackers the opportunity to retool if they encounter restrictions or are blocked.
Many of the network security tools at the retailers’ disposal, such as web security tools and first-generation API security tools, and even botnet detection solutions as we’ve heard, tend to be ineffective when defending against these automated attacks so they come under the radar. The other problem is that APIs are so numerous and have been deployed so rapidly, that retailers just don’t know they’re there. We found only 16 percent of large international businesses used an automated tool to track and inventorise their APIs, making it difficult for security teams to secure these.
Yet there’s also an element of needing to fight fire with fire. Security and API management need to be equipped with AI machine learning technology to outthink and outsmart. This can continuously analyse transactions to create a behavioural fingerprint for the retailer and takes into account network actions, tools, attacker tactics and infrastructure, and user credentials, for instance, enabling the technology to correlateseemingly unrelated activities and spot and block malicious attempts.
To find out more about the rise in bots and automated attacks, see the Cequence API Security Threat Report 2022.