83 percent of credential stuffing campaigns target APIs

No Comments

According to new research from Radware 83 percent of credential stuffing campaigns include explicit API-targeting techniques.

The report shows a shift in credential stuffing attacks, underscoring a fundamental transformation from volume-based attacks leveraging a series of repeated password attempts to more sophisticated, multi-stage infiltration techniques.

“To bypass traditional defenses, modern credential stuffing attacks are shifting away from traditional password-spraying techniques in favor of business logic manipulation, cross-platform device spoofing, and strategic API exploitation,” says Arik Atar, senior cyber threat intelligence researcher at Radware. “The message for defending organizations is clear. To match this new reality, they must move beyond credential-centric controls to adopt security strategies that validate entire user journeys, correlate cross-request behavior, and detect suspicious patterns in business logic flows.”

Other advanced attack techniques highlighted by the report include business logic attacks, with 94 percent of configurations implementing four or more business logic attack elements, and 54 percent demonstrating advanced orchestration, using 13 or more distinct techniques.

Multi-device spoofing is increasingly common too with 24 percent of attack scripts alternating between two device types during execution, and 71 percent employing cross-platform transitions, primarily between iOS and Windows.

The technology/SaaS sector has emerged as the primary target (27 percent), followed by financial services/government (16 percent), and the travel/airline (13 percent) sectors. There is a significant shift toward high-value AI tools (44 percent of all technology targets), potentially exploited by spammers who engage in account cracking to create large-scale phishing content. In addition, corporate tools (30 percent), including Microsoft 365, OneDrive, and Outlook, are likely targets for ransomware groups seeking initial access to organizational systems.

You can find out more in the full report, available from the Radware site.

Image credit: [email protected]/depositphotos.com

No Comments
Got News? Contact Us

Recent Headlines

Exaforce brings AI to the security operations center

Human risk and Gen AI-driven data loss top CISO concerns

Google to block sideloading of apps from unverified developers

xAI is suing Apple and OpenAI for anticompetitive behavior

YouTube has been using AI on the sly to enhance creators’ videos

Rise of the robots: RealSense and Nvidia team up on physical AI

Fi Mini brings GPS pet tracking to cats and small dogs

Most Commented Stories

Extended Windows 10 support means ditching your local account for a Microsoft Account

20 Comments

Forget Windows 11, Windows 12.2 is the 'next evolution' of Microsoft's OS

15 Comments

UpDownTool lets you move from Windows 11 to Windows 10 in just 5 clicks -- without losing any data

7 Comments

Google makes cheaper YouTube Premium Lite available more widely

7 Comments

Why using a VPN is becoming more important than ever

6 Comments

Opera files antitrust complaint against Microsoft in Brazil, alleging unfair browser restrictions on Windows

5 Comments

Microsoft Recall is bad at filtering sensitive information

5 Comments

High Court rejects Wikipedia challenge to UK online safety rules

4 Comments

© 1998-2025 BetaNews, Inc. All Rights Reserved. About Us - Privacy Policy - Cookie Policy - Sitemap.