APIs are becoming a major target for credential stuffing attacks
- 19 February, 2020 22:24
New data from security and content delivery company Akamai shows that one in every five attempts to gain unauthorised access to user accounts is now done through application programming interfaces (APIs) instead of user-facing login pages.
This trend is even more pronounced in the financial services industry where the use of APIs is widespread and in part fuelled by regulatory requirements.
According to a report released today, between December 2017 and November 2019, Akamai observed 85.4 billion credential abuse attacks against companies worldwide that use its services. Of those attacks, around 16.5 billion, or nearly 20 per cent, targeted hostnames that were clearly identified as API endpoints.
However, in the financial industry, the percentage of attacks that targeted APIs rose sharply between May and September 2019, at times reaching 75 per cent.
"API usage and widespread adoption have enabled criminals to automate their attacks," the company said in its report. "This is why the volume of credential stuffing incidents has continued to grow year over year, and why such attacks remain a steady and constant risk across all market segments."
The credential stuffing problem
Credential stuffing, a type of brute-force attack where criminals use lists of leaked username and password combinations to gain access to accounts, has become a major problem in recent years.
This is a consequence of the large number of data breaches over the past decade that have resulted in billions of stolen credentials being released publicly on the internet or sold on underground markets as commodities.
Knowing that users reuse passwords across various websites, attackers have used the credentials exposed in data breaches to build so-called combo lists. These lists of username and password combinations are then loaded into botnets or automated tools and are used to flood websites with login requests in an attempt to gain access.
However, once access is gained, extracting information from a traditional web application by crawling its customer-facing pages requires some effort and customisation, whereas requesting and extracting the same information through APIs is standardised and well suited for automation.
After all, the very purpose of an API is to facilitate applications talking to each other and exchanging data automatically.
"When it comes to credential stuffing, the APIs we’re examining use REST [representational state transfer] and SOAP [Simple Object Access Protocol] to access resources," the Akamai researchers said.
"This includes account summary pages with personal information, account records, and balances, as well as other tools or services within the platform. While they’re not directly comparable, both REST and SOAP are essentially methods of communication between applications. REST can be implemented in different ways, depending on the project. SOAP is a standard for data exchange."
The financial industry under attack
While APIs have always been around, inside operating systems and other places, web API usage has seen a huge growth over the past decade. This has been in part fuelled by the mobile ecosystem because mobile apps talk to back-end services through APIs.
It’s also driven by the adoption of cloud infrastructure and the shift towards a service-oriented architecture where traditional self-sufficient monolithic apps are being replaced by containerised microservices that handle individual functionalities and talk to each other through APIs.
The innovation in the financial technology -- fintech -- space has also put pressure on financial institutions to make their customer data and services available through APIs. In fact, the revised Payments Services Directive (PSD2) that went into effect in the European Union (EU) in September was designed to push the concept and principles of open banking.
PSD2 requires banks and other financial institutions that hold customer accounts to make it possible for third-party services to check the availability of funds, initiate payments or access account data if the account owners give their consent.
The most common way of complying with that requirement is through the development of web APIs, and most banks started implementing such APIs well in advance of PSD2's deadline.
Even if no similar regulatory requirements exist in non-EU countries, market forces are pushing financial institutions in the same direction since they need to innovate and keep up with the competition.
Security experts have long expressed concerns that implementation errors in banking APIs and the lack of a common development standard could increase the risk of data breaches.
On top of widespread API adoption, the data available to financial industry services has always been of high interest to cybercriminals, who can monetise it in various ways. Financial data is more valuable than information that could be extracted from other types of services, which makes financial industry APIs a more attractive target.
"Criminals are still buying, selling and trading bank cards, financial credentials, compromised gift card balances, and online banking accounts at a rapid clip, because demand for such things remains high," the Akamai researchers said.
"Some compromised assets are being exchanged for cash, while others are being exchanged for more product in a direct swap between criminals, such as someone who trades valid banking accounts with balances for credit card accounts in Europe."
In addition to credential stuffing and API abuse, criminals also try other types of attacks to get access to financial data. Over the analysed 24-month period, Akamai observed 473 million credential stuffing attacks against the financial sector, but also 662 million other web application attacks.
The top type of web application attack against the financial services sector was local file inclusion (LFI), with 47 per cent, followed by SQL injection (SQLi) with 36 per cent, and cross-site scripting (XSS) with 7.7 per cent. Other observed attack types included PHP injection, command injection, remote file inclusion, OGNL Injection and malicious file uploads.
LFI attacks target script files written in various web programming languages, primarily PHP, but also ASP, JSP and others, and they often result in the disclosure of sensitive information.
Lack of API protections
The Akamai researchers identified several problems with API development that make it easier for attackers to abuse them. For example, some APIs don't have rate limiting for authentication attempts, which allows hackers to perform tens of thousands of password guesses every minute.
Throttling authentication requests is good practice, but this alone is not a complete defence against credential stuffing attacks, because attackers can configure their scripts to perform requests at a lower rate and avoid getting blocked.
Another issue is with the error responses given by APIs for failed login attempts. These can often leak whether a username exists on the service or not, and criminals take advantage of this to validate, tweak and sort their credential lists, making their future attacks harder to detect because the error rates they trigger will be lower.
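The two weaknesses just described, missing throttling on authentication and error responses that reveal whether an account exists, can both be closed in the login handler itself. The following is an added example written for this article, not code from Akamai or from any bank's API: a minimal API login service that throttles attempts per source address and per target account with a sliding window, does the same password-hashing work for unknown and known usernames, and returns one generic failure for both cases. The user database, salt, thresholds and addresses are constructed for illustration, and the per-account limit is deliberately applied across source addresses, since a botnet spreading one combo list over many IPs would otherwise never hit a per-IP limit.

```python
"""
Added example (not from the Akamai report or this article): an API login
handler that (1) rate limits authentication per source IP and per account,
and (2) answers "unknown user" and "wrong password" identically, so a failed
login cannot be used to validate a combo list.
All users, salts, thresholds and addresses below are constructed samples.
"""
import hashlib
import hmac
from collections import defaultdict, deque


# --- password storage (constructed sample data) ----------------------------
def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only so that every lookup costs the same work.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = b"constructed-fixed-salt"  # a real system stores a random salt per user
USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}
# Compared against when the username is unknown, so an unknown account does
# not return measurably faster than a known one with a wrong password.
_DUMMY_HASH = _hash_password("constructed-dummy", _SALT)


# --- sliding-window rate limiter -------------------------------------------
class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# --- the login endpoint ----------------------------------------------------
GENERIC_FAILURE = {"status": 401, "error": "invalid credentials"}
THROTTLED = {"status": 429, "error": "too many requests"}


class LoginService:
    def __init__(self):
        # Constructed thresholds: 20 attempts/minute per source address and
        # 5 attempts/minute per account, whichever source they come from.
        self.ip_limiter = SlidingWindowLimiter(limit=20, window=60.0)
        self.user_limiter = SlidingWindowLimiter(limit=5, window=60.0)
        self.failures = 0  # counter a detection pipeline would export

    def login(self, username: str, password: str, source_ip: str, now: float) -> dict:
        # Every attempt, successful or not, consumes budget on both keys.
        if not self.ip_limiter.allow(source_ip, now):
            return THROTTLED
        if not self.user_limiter.allow(username, now):
            return THROTTLED
        stored = USERS.get(username, _DUMMY_HASH)
        candidate = _hash_password(password, _SALT)
        # Always run the constant-time comparison, then decide; the caller sees
        # the same body and status whether the username exists or not.
        matches = hmac.compare_digest(candidate, stored)
        if username in USERS and matches:
            return {"status": 200, "user": username}
        self.failures += 1
        return GENERIC_FAILURE


if __name__ == "__main__":
    svc = LoginService()
    print(svc.login("alice", "wrong", "203.0.113.5", now=0.0))    # generic 401
    print(svc.login("nobody", "wrong", "203.0.113.5", now=1.0))   # identical 401
```

The per-account window is what stops an attacker from simply spreading attempts over many addresses, but as the article notes, a list run slowly enough stays under any fixed threshold; the `failures` counter exists so that the ratio of failed to successful logins across all accounts, rather than the rate on any one of them, can be watched as the signal for a slow campaign.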
"It isn’t just financial services; everyone is being targeted by criminals who use and abuse stolen credentials to fuel their criminal enterprises," the Akamai researchers said. "One of the tools to fight this continued assault is zero trust.
"As adoption of this framework spreads, it will become more difficult for criminals to use passive attacks, like credential stuffing, to gain a foothold on a given network. It will be harder for them to leverage phishing or custom command and control servers, since DNS can be blocked at the source."