Hackers are exploiting the popularity of APIs to break into accounts and steal data
Application Programming Interfaces (API) are one of the pillars of today’s lightning-fast, interconnected web apps, cloud-based solutions and internet sites.
Their popularity also means that they are often sent away without proper safeguards and contingencies, making them a huge risk factor for the cybersecurity of various organizations.
Hackers have paid attention and are increasingly targeting APIs in their malicious campaigns.
Malicious bots everywhere
These are the conclusions of “The State of API Security in 2024”, a new report published by cybersecurity researchers at Imperva.
According to the report, almost three-quarters (71%) of all internet traffic today is done by APIs. Additionally, the average company had 1.5 billion API calls last year.
Organizations are realizing the benefits that APIs can bring to a business and are rushing to deliver as many digital services as possible as quickly as possible. An organization today has an average of 613 API endpoints in production, the researchers said.
This also makes them a risk. The good news is that companies are aware of this and many are adopting shift-left frameworks and SDLC processes to protect their products. However, in many cases, APIs are put into production without proper audits, quickly becoming a security risk.
Hackers, on the other hand, have taken notice and are increasingly abusing APIs in their attempts to steal sensitive data from organizations. Among industries, financial services and online retail organizations have had the most API calls, and thus the most API-related attacks, in the past year.
Typically, hackers would exploit API endpoints in Account Takeover (ATO) attacks, the researchers said. Last year, nearly half of all ATO attacks (45%) targeted vulnerable API endpoints. To make matters worse, these attacks are rarely performed manually. Instead, countless malicious bots perform automated tasks, logging into vulnerable accounts, obtaining sensitive data, and more.
Through The hacker news