Cequence Security Report Reveals Top 3 API Attack Trends, Expert Weighs In

By   ISBuzz Team
Writer , Information Security Buzz | Mar 17, 2022 06:36 am PST

Cequence Security, the industry leader in API security, today released its “API Security Threat Report: Bots and Automated Attacks Explode,” revealing that both developers and attackers have made the shift to APIs. Of the 21.1 billion transactions analyzed by Cequence Security in the last half of 2021, 14 billion (70 percent) were API transactions.

Three attack trends they discuss:

Attack Trend One: Fraud Comes in Many Forms – Gift Card Fraud, Loan Fraud and Payment Fraud
In late July, Cequence saw retail customers get hit with a 2800% increase in ATOs averaging 700K attacks per day with the end goal of committing multiple forms of gift card fraud in the form of “scrape for resale” or “steal to then purchase” goods.

Attack Trend Two: Shopping Bots Get More Sophisticated Enter Bots-as-a-Service (BaaS)
Bots-as-a-service (BaaS) allows anyone to buy, rent and subscribe to a network of malicious bots and use it to acquire high-demand items. Bots drove the traffic to 36M (1200%) to 129M (4300%) above normal with up to 86 percent of the transactions being malicious.

Attack Trend Three: The Account Takeover Cat-and-Mouse Game
Attack patterns went from massive in nature, with malicious ATOs making up 80% of the login traffic to the polar opposite patter of low, slow and perfectly formed transactions.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
David Stewart
March 17, 2022 2:36 pm

The Cequence report is a wonderful exposé of the extent to which API traffic is automated in order to execute a myriad of frauds and other API abuse vectors. Traditional defenses fail to pick up all but the most clumsy automation attempts for the very simple reason that they are not able to distinguish genuine remote client (web app and mobile app) requests from automated (bot and scripted) requests.

If there is a way to game your business, someone will do it. It is therefore essential that all enterprises employ a security layer specifically designed to positively establish that each API request is coming directly from a genuine and unmanipulated remote client instance. Only then can automated traffic be blocked at source.

Last edited 2 years ago by David Stewart

Recent Posts

Would love your thoughts, please comment.x