Attacks on APIs can be mitigated with efficient bot management.

Speaking on a panel session moderated by Mark Schimmelbusch at the Akamai Edge Live virtual conference, Akamai engagement managers Jason Wood and Viktoriya Reyzelman said that the tools to enable attacks on APIs have evolved over the past few years, and are commonly low level and harder to detect.

Schimmelbusch explained that attackers often target the API as the goal to target entire organizations in these instances, not targeting single applications or a single channel. Reyzelman said Akamai saw two million credential abuse attempts in 30 days, and it was able to block 71,000. “You need to have bot management solutions in place to be actively monitoring and protecting,” she said.

Looking at gaming, Wood said Akamai had seen upwards of 100 billion credential stuffing attacks, and nine billion were against gaming. “Games rely on APIs, and most are core to functionality,” he said. “In one case we looked at a customer’s API traffic, and 50% of the customer traffic came from bots. You need to know why you’re attacked and have a multi-layered toolset to make the right decisions.”

The three speakers said the issue is not going away, while Schimmelbusch added that the motivation and potential for monetary gain are there. “I feel the threat of credential abuse of fraud is there also.” Reyzelman said 70% of retailers’ traffic is from bots, so it is critical to monitor proactively, as “bots are not something to forget about.”

Wood said he has had gaming customers reach out as they thought there were under a DDoS attack, but it was smaller. “That is a telltale sign, that it is low and slow,” he said, adding that if you look at APIs and see a botnet leverage login credentials, the symptoms are out there and “until you look at it you don’t know what is going on.”

Outlining a three-step mitigation strategy, Schimmelbusch recommended the following:

  • Short-term (next week): assess your critical transactional endpoints and identify potential security risks, especially those that use APIs
  • Medium-term (next three months): understand who is accessing your endpoints from where and how, and define appropriate security measures
  • Long-term (next six months): select security solutions that protect proactively, tailored to your organization’s needs, and drive an implementation project to protect your endpoints from credential abuse and fraud

Speaking in the opening keynote of the event on Tuesday, Akamai CEO Tom Leighton said attacks by malicious bots had increased by 134%, and organizations need to consider DDoS prevention. “You need to worry about site takeover, account and site scraping, and you need to worry about form jacking and protecting your users’ private information,” he said.

“Magecart attacks are rampant now, everyone is using third party scripts with code that links to third parties and then fourth parties, and all you need is one of those fourth parties to have malware on their site, and when users go to your site it is going to wind up on their browser and cause them to give up their private and personal information. That is a bad outcome for everyone.”