Authentication APIs are a mature target for credential abuse attackers. As part of an ongoing effort to protect its customers from cyberattacks, Akamai monitors and analyzes malicious login requests across its security customer base.
Akamai Technologies has released the results of an analysis of credential abuse attack campaigns by Ryan Barnett and Elad Shuster, Principal Security Researchers at Akamai.
Akamai's threat research team conducted a Web login analysis to gain insight into how widespread the adoption of Application Programming Interface (API)-based logins is, and whether this trend also shapes attackers and their campaigns. It will come as no surprise that API-based logins are heavily targeted by credential abuse for a variety of reasons.
Key points:
- 30% of all API authentication attempts are fraudulent.
- Credential abuse campaigns launched against API authentication endpoints process four times more user credentials than those against regular forms-based authentication applications.
- Credential abuse campaigns launched against API authentication endpoints employ 4.75 times more botnet clients.
Credential abuse background
Logins are one of the most prominent places where applications have migrated from standard Web requests to API calls. Almost all web and mobile applications maintain user state by prompting users to sign in to the application. Historically, login requests were standard HTTP POST requests, sent when a user clicked the "Login" button on a form within an HTML page. Increasing use of AJAX, JavaScript frameworks (e.g., jQuery and Angular), and mobile app frameworks has shifted login requests toward API calls.
As part of an ongoing effort to protect its customers from cyberattacks, Akamai has been monitoring and analyzing malicious login requests across its Kona security customer base. Such attacks are known as Credential Abuse, or "Credential Stuffing".
Login method statistics
During this research, Akamai's team analyzed one day of data from the Cloud Security Intelligence (CSI) platform. The data included a total of 413,392,955 daily login requests originating from 27,882,776 IP addresses and directed at 48,702 Internet hosts. The research showed that at least 42% of the monitored applications used only Web API calls to perform logins. These applications used JSON, XML, SOAP, and other API-related message formats to transmit user credentials to Web applications. 55% of applications used only standard forms-based authentication, and just 3% used both approaches.
According to the research, 78% of all API-based login requests were made by mobile clients. These include native mobile apps, HTML rendering components within mobile apps, and mobile browsers. The other 22% were split between standard desktop browsers, as part of AJAX API calls, and IoT devices, which were mostly gaming consoles.
Credential abuse campaign statistics
Of the total logins that were analyzed, a whopping 30% were identified as fraudulent logins, sent as part of massive Credential Abuse campaigns. This information is simply mind-boggling: nearly one in three login attempts was identified as fraudulent.
When it comes to massive credential abuse attack campaigns (millions of unique attack sources a day), the data show that 88% of attackers targeted API calls at some point in their campaign, while only 22% of attackers abused standard Web forms authentication exclusively. Naturally, some attackers target both, depending on the application they happen to be attacking.
One of the most obvious differences between API-based Credential Abuse campaigns and those targeting Web forms was the average number of account credentials tested per application in each campaign: standard Web forms received about 1,000,000 abuse attempts each, while API logins saw four times as many, nearly 4,000,000 attempts per application!
Some vendors in this space (including Akamai) provide solutions that are capable of differentiating between humans and bots in mobile applications. Such detections require mobile app developers to include in their mobile app code a special SDK provided by the vendor, which collects and analyzes mobile-based metrics and telemetry. This includes measurements such as global positioning data, touchscreen gestures, screen resolution and orientation, and connectivity type, to name a few.
A key factor in API-based attacks is the ability to distribute the attack workload easily among thousands of bot nodes. Since API-based logins are consumed programmatically, it is extremely simple for an adversary to build a distributed botnet that divides the work among thousands of nodes. This approach is critical in Credential Abuse campaigns: most applications lock an account after three failed attempts, forcing campaigns to run "low and slow" attacks in which each node sends approximately 3-5 login requests within 24 hours.
This theory is strongly supported by Akamai's research. On average, an API-based attack campaign involves 19,000 unique IP addresses, while campaigns targeting standard Web forms logins include only 4,000. That is 4.75 times more bot nodes per campaign for API-based logins.
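As an added illustration of the "low and slow" pattern described above (example code written for this article, not Akamai's own detection logic), the following Python aggregates constructed login log records per endpoint, classifies each request as an API or form login by its media type (the JSON/XML/SOAP distinction made earlier), and flags an endpoint where many distinct IPs each stay under a lockout threshold while the overall failure ratio looks like a campaign. The thresholds, paths and log fields are assumptions.

```python
"""Flag a distributed 'low and slow' credential-abuse campaign against an API login
endpoint from constructed access-log records (added example, not Akamai's code)."""
from collections import defaultdict

# Media types the article associates with API logins (JSON, XML, SOAP) versus HTML forms.
API_TYPES = {"application/json", "application/xml", "text/xml", "application/soap+xml"}
FORM_TYPE = "application/x-www-form-urlencoded"

def login_method(content_type: str) -> str:
    """Classify a login request as 'api', 'form' or 'unknown' by its media type."""
    ct = content_type.split(";")[0].strip().lower()
    return "api" if ct in API_TYPES else "form" if ct == FORM_TYPE else "unknown"

def campaign_signals(records, per_ip_max=5, min_ips=50, min_fail_ratio=0.8):
    """Aggregate records per endpoint; flag 'low_and_slow' when many IPs each stay at or
    under the lockout threshold (per_ip_max) yet failures dominate. Thresholds are assumed."""
    agg = defaultdict(lambda: {"ips": defaultdict(int), "users": set(), "methods": set(), "fail": 0})
    for r in records:
        e = agg[r["path"]]
        e["ips"][r["ip"]] += 1                      # attempts per source address
        e["users"].add(r["user"])                   # spread of usernames tried
        e["methods"].add(login_method(r["content_type"]))
        if r["status"] != 200:
            e["fail"] += 1
    out = {}
    for path, e in agg.items():
        total = sum(e["ips"].values())
        max_per_ip = max(e["ips"].values())
        fail_ratio = e["fail"] / total
        out[path] = {
            "methods": sorted(e["methods"]),
            "distinct_ips": len(e["ips"]),
            "distinct_users": len(e["users"]),
            "max_per_ip": max_per_ip,
            "fail_ratio": round(fail_ratio, 2),
            "low_and_slow": len(e["ips"]) >= min_ips and max_per_ip <= per_ip_max
            and fail_ratio >= min_fail_ratio,
        }
    return out

def build_sample():
    """Constructed records: 60 botnet nodes each send 3 failed JSON logins with distinct
    leaked usernames, while 10 real users log in successfully through the HTML form."""
    recs = [{"ip": f"203.0.113.{n}", "path": "/api/v1/login", "status": 401,
             "content_type": "application/json; charset=utf-8",
             "user": f"leaked{n * 3 + k}@example.com"} for n in range(60) for k in range(3)]
    recs += [{"ip": f"198.51.100.{u}", "path": "/login", "status": 200,
              "content_type": FORM_TYPE, "user": f"user{u}"} for u in range(10)]
    return recs
```

Run `campaign_signals(build_sample())` to see the API endpoint flagged: 60 IPs, 180 usernames, at most 3 attempts per IP, failure ratio 1.0; the form endpoint is not flagged.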
Conclusion
Authentication APIs are a mature target for credential abuse attackers. Organizations looking to defend against such attacks across their API portfolio should ensure that, whatever solution they choose, it handles the following areas correctly:
- Ability to parse and understand Web and mobile API call messages, including XML-based messages, JSON messages and RESTful services, and to apply appropriate protections and detection techniques to them at the most detailed level possible.
- Ability to distinguish automated and malicious traffic, such as that generated by bots, in an API environment that is not necessarily consumed by Web browsers (e.g. native mobile applications, game consoles and other IoT devices).
- Proper logging and visibility of security events in APIs. Visibility should be granular and provide insight into specific API endpoints and methods.
- A simple and clean API security management solution that lets the organization assign different security policies to different API endpoints, apply granular application-layer protections, and enforce rate limits and visibility across all APIs exposed to external users.
- Insight into client reputation and threat intelligence, including visibility into malicious actors conducting specific credential abuse campaigns through API calls, such as those used by mobile, Web and IoT applications. Such capability can serve as a safety net or final line of defense where prior protections provide only partial coverage.