SHARED INTEL: How attacks on web, mobile apps are being fueled by rising API vulnerabilities

By Byron V. Acohido

Application programming interface. API. It’s the glue holding digital transformation together.

Related: A primer on ‘credential stuffing’

APIs are the conduits for moving data to-and-fro in our digitally transformed world. APIs are literally everywhere in the digital landscape, and more are being created every minute. APIs connect the coding that enables the creation and implementation of new applications.

However, APIs also manifest as a wide open, steadily expanding attack vector. Many organizations caught up in the frenzy of digital transformation don’t fully appreciate the gaping exposures APIs have come to represent.

I had the chance to discuss this with Matt Keil, director of product marketing at Cequence Security, a Sunnyvale, Calif.-based application security vendor that’s in the thick of helping businesses mitigate web application exposures. We spoke at RSA 2020. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways:

Romance scams

Like many modern companies, Zoosk, the popular San Francisco-based dating site, rests on infrastructure that’s predominantly cloud-based. Zoosk’s core service is delivered via a mobile app that has 20 different registration and/or login pages – all are API driven.

Thus, it was well worth it for a hacking group to study Zoosk’s IT stack to reconnoiter its weak points.  Here’s how Keil breaks down what happened:

Keil

“The attackers deconstructed the mobile app and found all of these login and mobile app registration APIs, and so they started using them for attack purposes . . . they then began to use the stolen credentials to launch automated account takeovers.

“So if you were participating in that environment, and you were looking for a relationship, then your account might get taken over. And the next step we saw was romance scams.

“The unfortunate fact of the matter was that we did see customers falling prey to romance scams. On average, the average loss per incidence was up to $12,000. We were able to stop the account takeovers that would then sometimes lead to these romance scams.”

APIs and botnets

The Zoosk attack highlights how hacking groups are leveraging botnets to automate – and scale up —  key parts of multi-tiered criminal activities. A bot is a computing nodule with a small bit of coding that causes it to obey instructions from a command and control server, and a botnet is a network of thousands of bots perfectly suited to performing repetitive tasks in unison.

Botnets can mindlessly identify, categorize, test and, ultimately, find API vulnerabilities in targeted commercial websites. They can take the next step and execute a hack, which can include harvesting account credentials. Botnets can also confirm the validity of stolen logons, as well, through credential stuffing campaigns. All of this activity is automated.

The botnet’s controller just sits back and waits for a list of valid logons. As the final step, the human grifter goes to work, using the stolen logon to impersonate a real-life subscriber in online communiques. It becomes a simple matter to carry out a tried-and-true confidence script.

API-fueled romance scams are just the tip of the iceberg. So-called “business logic” hacks take full advantage of botnet processing capabilities combined with API flaws. These include reputation bombs, content scrapings, inventory denial and various types of online extortion campaigns.

“The use of APIs for these types of attacks is increasing along with the dramatic increase in API usage in general,” Keil says.

The first line of defense is for organizations is to gain visibility of their APIs, Keil says. “Knowledge is power,” he says. “Knowing what you have, how your APIs are being used and who has access to them is crucial. Then the next step is to apply access control mechanisms and threat inspection mechanisms to your APIs to protect them.”

Holistic mitigation

Cequence brings a holistic approach to mitigating this new class of web application exposures. Cequence’s Application Security Platform is designed to monitor network traffic and analyze application behaviors at both the client and server layers of the IT stack. To counter the automation of criminal botnets, Cequence ingests this network traffic data into a powerful analytics engine to determine if a malicious bot attack is taking place, Keil says. Here’s how he breaks it down:

“We take a machine learning-based approach to look at the APIs, as well as the web transactions, to understand the intent of the transactions, and to separate the legitimate from the malicious. Zoosk doesn’t want to block their customers from trying to find a mate; neither does a financial services firm or a retailer want to unnecessarily block a transaction and create customer dissatisfaction.

“So once we figure out that a transaction is malicious, we can then allow it to be blocked, or we can rate limit it, or we can put guardrails around where we think the attackers might be trying to go.”

The traction Cequence has gained since its official launch in late 2018 is yet another piece of evidence that technology is not the problem — we have plenty of efficacious security technology, with terrific innovations coming to market in a steady flow. In addition to acquiring better technical solutions, organizations must make major advances in the people and processes part of the equation, as well. A security mindset still needs to take hold at many more levels. Only then will leading-edge technologies make their fullest impact. I’ll keep watch.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

 

 

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone