API attacks put businesses at risk
Attacks targeting the business logic of APIs made up 27 percent of attacks on APIs in 2023, up 10 percent on the previous year. The share of account takeover (ATO) attacks aimed at API endpoints also rose, from 35 percent in 2022 to 46 percent in 2023.
This is among the findings of a new report from Imperva, which shows that API traffic made up over 71 percent of web traffic last year. APIs bring real benefits, allowing seamless connectivity, enhancing online experiences and driving innovation, but their widespread adoption creates new security challenges.
The average enterprise site handles 1.5 billion API calls. That volume of non-human, automated traffic is the cover under which automated attacks on APIs, such as DDoS and account takeover, are growing. Attackers are also selective about their targets: financial services was the most targeted industry, receiving 28 percent of all DDoS attacks on APIs.
Grainne McKeever writes on the Imperva blog: "Automated attacks constitute a significant threat to APIs due to their fundamental makeup which is, by design, oriented towards automation and agnostic to human intervention. Attackers are increasingly leveraging automated attacks, or bad bots, to target API business logic or the core functionality of the API. By mimicking regular automated API traffic, attacks go undetected, enabling threat actors to carry out their malicious activities uninterrupted."
Traditional security tools such as web application firewalls struggle to detect and block this form of abuse because it blends in with legitimate API traffic: business-logic attacks are made with syntactically valid requests and carry no malformed input or exploit payload for a signature-based rule to match, so telling them apart from normal automated clients requires looking at behaviour, rates and intent rather than at individual requests.
You can get the full report on the Imperva site.