Securing Spend To Address API Attacks

Awareness is growing around the threats posed to Application Programming Interfaces (APIs), which now constitute over 70% of internet traffic and are fundamental to the real-time provision of digital services.

Everything from open banking to ride-sharing apps to ecommerce now uses APIs to connect the end user to back-office data to complete a request or transaction, but as gatekeepers to that information they are also a key target for attackers.

Consequently, analyst house Forrester has identified APIs as one of the top three areas for investment in 2025. So how can CISOs go about securing budget to dedicate to their protection?

Last year proved to be a painful one for the CISO when it came to API attacks. In May, for example, Dell saw a partner portal API abused: the attacker gained access within two days simply by registering multiple fake company names and expressing an interest in becoming a partner. Once approved, he was able to obtain personally identifiable information (PII) on 49 million customers across a range of Dell products, from monitors to notebooks, desktops and laptops.

Infamous API Incidents

Trello, a project management solution, also saw 15 million user email addresses compromised via an unsecured API and put up for sale. According to reports, the attacker fed 500 million email addresses to the API, and those that matched a Trello account returned valid account information including the user’s full name, equipping them with enough information to build profiles that could then be used for identity fraud.
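The enumeration pattern described above, reduced to code as an added example (not code from the original article, from Trello or from Cequence): an unauthenticated email-lookup endpoint that returns the whole profile is an oracle that turns any wordlist into a PII dump, while the hardened version of the same feature requires authentication, caps lookups per token and returns only the fields the feature needs. The user table, token store, candidate list and quota are constructed for the example and are assumptions, not any vendor’s real values.

```python
"""Email-lookup endpoint: an enumeration oracle beside a hardened version.

Added example; not code from the original article, from Trello or from
Cequence. USERS, API_TOKENS, CANDIDATES and the quota are constructed
for the example and are assumptions, not any vendor's real values.
"""
from collections import defaultdict

# Constructed user table standing in for the backend's member records.
USERS = {
    "alice@example.com": {"id": "u1001", "username": "alice", "full_name": "Alice Example"},
    "bob@example.com":   {"id": "u1002", "username": "bob",   "full_name": "Bob Example"},
}

# Constructed attacker wordlist: 200 candidate addresses, two of which exist.
CANDIDATES = [f"user{i}@example.net" for i in range(200)]
CANDIDATES[10] = "alice@example.com"
CANDIDATES[150] = "bob@example.com"


def lookup_vulnerable(email):
    """The oracle: no authentication, no quota, and the full profile comes back
    for any address that matches, so a wordlist turns into a PII dump."""
    return USERS.get(email)


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


class HardenedLookupService:
    """Same feature (find a member by email so they can be invited), but the
    caller must be authenticated, each token gets a lookup quota per window,
    and the response carries only the fields the feature needs."""

    def __init__(self, tokens, quota=50):
        self.tokens = tokens          # token -> user id (assumed auth store)
        self.quota = quota            # lookups per token per window (assumed policy)
        self.used = defaultdict(int)

    def lookup(self, email, token=None):
        if token not in self.tokens:
            raise ApiError(401, "authentication required")
        self.used[token] += 1
        if self.used[token] > self.quota:
            raise ApiError(429, "lookup quota exceeded")
        user = USERS.get(email)
        if user is None:
            return None
        # Existence is revealed only to an authenticated, quota-limited caller,
        # and even then without the email address or full name.
        return {"id": user["id"], "username": user["username"]}


def run_enumeration(lookup, candidates, **kwargs):
    """Drive a lookup function with a wordlist the way the reported attack did,
    and report how far the attacker got and what was harvested."""
    hits, attempted, stopped_by = [], 0, None
    for email in candidates:
        attempted += 1
        try:
            profile = lookup(email, **kwargs)
        except ApiError as err:
            stopped_by = err.status
            break
        if profile is not None:
            hits.append(profile)
    return {"attempted": attempted, "hits": hits, "stopped_by": stopped_by}


# Assumed token store: one legitimate, authenticated user.
API_TOKENS = {"tok_alice": "u1001"}

if __name__ == "__main__":
    print("vulnerable:", run_enumeration(lookup_vulnerable, CANDIDATES))
    print("hardened, no token:",
          run_enumeration(HardenedLookupService(API_TOKENS).lookup, CANDIDATES))
    print("hardened, with token:",
          run_enumeration(HardenedLookupService(API_TOKENS).lookup, CANDIDATES, token="tok_alice"))
```

Against the vulnerable function the whole wordlist is tried and both matching profiles come back with full names. Against the hardened service an anonymous caller is stopped on the first request, and an authenticated caller is cut off after the quota, having learned only an id and username. The quota bounds the harvest to quota times the number of accounts the attacker controls, which pushes the abuse into mass account creation, where it becomes visible as behaviour rather than as a single request.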

Another instance of an API enabling fraud on a massive scale can be seen in the abuse of DocuSign’s Envelopes API. The API is normally used by developers to create, sign and manage document containers, and abusing it allowed the attackers to create and issue fake invoices to unsuspecting victims who believed they came from bona fide companies such as Norton and PayPal. The invoices were all the more convincing because they were sent from a genuine DocuSign domain.

This year we have also seen a number of API abuses. Google quickly remedied an issue in which two APIs, YouTube and Pixel Recorder, were chained to reveal the email addresses associated with YouTube accounts, while a sophisticated card-skimming campaign abused a deprecated (legacy) Stripe API to validate stolen payment cards, making it a much quicker and easier process to determine which cards would work and could be used or sold on.

These are all attacks where it has been disclosed that APIs were involved, but the ubiquity of APIs and their role in service provision means they are often a component of a plethora of attack types such as credential stuffing, account takeover and fraud. They may not be mentioned, but they are a factor. As a result, it is fair to assume the incidents mentioned above are just the tip of the iceberg.

Underinvestment In API Security

Yet convincing the board that APIs require dedicated investment can be an uphill struggle, particularly if they are labouring under the misapprehension that they already have it covered.

In many organisations, API rollouts have been protected using solutions that were not designed for the job, such as Web Application Firewalls (WAFs). These rely on IP reputation and signature detection, which means they struggle to detect attacks such as business logic abuse, whereby the legitimate functionality of the API is used against it. Business logic abuse happens when the attacker is able to study and test requests to the API until they find a way to make it process a request that returns valuable information. Because every individual request is well-formed and mirrors legitimate use, there is no signature to match and the abuse is extremely difficult to detect.

API Gateways are able to provide some rudimentary security but are predominantly designed to centralise and manage APIs. The controls they do offer, such as rate limiting that restricts the number of requests a given client can make, are typically keyed on the source IP address.

But attackers can easily overcome such measures by using proxies to mask IP addresses, distributing attacks across multiple sources, or using botnets to overwhelm the API.

Trying to use these solutions to secure APIs will therefore only ever provide scant protection because of the way in which APIs succumb to attack. They are built to serve, so they will tend to give up information on request, and this means the best way to protect them is to observe the requests they receive and determine whether those requests are malicious in nature.

Consequently, behaviour-based analysis is key to monitoring traffic and determining intent. If an attack is suspected, it can then be tracked using machine learning to analyse the API headers and payloads, creating a unique fingerprint of the attack. Should the attacker then pivot and change tactics, it remains possible to continue monitoring their activity regardless of how many IP addresses they cycle through. Defenders can then take mitigating action, such as blocking or throttling the traffic, or using deception to exhaust the attacker’s resources.
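The contrast drawn in the two preceding passages, between a per-IP rate limit at the gateway and a behavioural fingerprint that survives IP rotation, as an added example (not code from the original article or from Cequence). The access-log records are constructed for the example: one scripted enumeration campaign of 60 lookups spread over twelve IPs, five requests each, alongside three genuine browser users. The fingerprint fields (method, path, User-Agent, header order, body keys) and the thresholds are illustrative choices, not a product’s detection logic.

```python
"""Per-IP rate limit versus a request-shape fingerprint over constructed API logs.

Added example; not code from the original article or from Cequence. The
log records, fingerprint fields and thresholds are constructed and assumed.
"""
import hashlib
import json
from collections import defaultdict

CAMPAIGN_HEADERS = ["Host", "User-Agent", "Accept", "Content-Type", "Content-Length"]
BROWSER_HEADERS = ["Host", "Cookie", "User-Agent", "Accept", "Accept-Language",
                   "Content-Type", "Content-Length"]


def _rec(ip, method, path, ua, headers, body_keys, status):
    return {"src_ip": ip, "method": method, "path": path, "user_agent": ua,
            "header_order": headers, "body_keys": body_keys, "status": status}


def build_sample_log():
    """Constructed traffic: 12 attacker IPs x 5 lookups each (1 hit, 4 misses),
    plus three genuine browser users doing ordinary board work."""
    log = []
    for i in range(1, 13):
        for n in range(5):
            log.append(_rec(f"203.0.113.{i}", "POST", "/api/v1/members/lookup",
                            "python-requests/2.31.0", CAMPAIGN_HEADERS, ["email"],
                            200 if n == 0 else 404))
    browsers = ["Mozilla/5.0 (X11; Linux) Firefox/128.0",
                "Mozilla/5.0 (Macintosh) Chrome/124.0",
                "Mozilla/5.0 (Windows NT 10.0) Safari/605.1"]
    for i, ua in enumerate(browsers, start=10):
        for n in range(8):
            path = "/api/v1/boards" if n % 2 else "/api/v1/members/lookup"
            body = [] if n % 2 else ["email"]
            log.append(_rec(f"198.51.100.{i}", "POST", path, ua, BROWSER_HEADERS,
                            body, 404 if n == 4 else 200))
    return log


SAMPLE_LOG = build_sample_log()


def per_ip_alerts(log, max_requests=20):
    """Per-IP rate limit as a gateway would apply it: nothing fires, because
    the campaign keeps every single IP under the threshold."""
    counts = defaultdict(int)
    for rec in log:
        counts[rec["src_ip"]] += 1
    return {ip: c for ip, c in counts.items() if c > max_requests}


def fingerprint(rec):
    """Hash of how the request is formed, deliberately excluding the source IP,
    so the same tooling yields the same value from every address it rotates to."""
    material = json.dumps([rec["method"], rec["path"], rec["user_agent"],
                           rec["header_order"], sorted(rec["body_keys"])])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def fingerprint_alerts(log, min_requests=20, min_ips=3, max_miss_ratio=0.5):
    """Flag a request shape that recurs across many IPs and mostly misses,
    the signature of a wordlist being fed to a lookup oracle."""
    groups = defaultdict(lambda: {"requests": 0, "ips": set(), "misses": 0, "sample": None})
    for rec in log:
        g = groups[fingerprint(rec)]
        g["requests"] += 1
        g["ips"].add(rec["src_ip"])
        g["misses"] += rec["status"] == 404
        g["sample"] = rec
    alerts = []
    for fp, g in groups.items():
        miss_ratio = g["misses"] / g["requests"]
        if (g["requests"] >= min_requests and len(g["ips"]) >= min_ips
                and miss_ratio > max_miss_ratio):
            alerts.append({"fingerprint": fp, "requests": g["requests"],
                           "ips": len(g["ips"]), "miss_ratio": round(miss_ratio, 2),
                           "user_agent": g["sample"]["user_agent"],
                           "path": g["sample"]["path"]})
    return alerts


if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(SAMPLE_LOG))
    for alert in fingerprint_alerts(SAMPLE_LOG):
        print("behavioural alert:", alert)
```

The per-IP check returns nothing, since no address sends more than eight requests, while the fingerprint grouping surfaces a single request shape seen from twelve addresses with an 80% miss rate. The same fingerprint is what a throttle or deception response would be keyed on, so the attacker gains nothing by moving to the next proxy. In production the fingerprint would draw on more signals (TLS and HTTP/2 characteristics, timing, payload structure) and the thresholds would be tuned per endpoint; the point here is only that the key is the behaviour, not the address.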

An Unsustainable Approach

Being able to track and counter attacks in this way not only prevents the attacker from running circles around the API but also avoids the danger of frustrating legitimate users and damaging the user experience. That’s a crucial consideration for any business. 

But it is also worth noting that we can expect the sophistication of attacks to increase due to Generative AI (GenAI), further upping the ante in the attacker’s favour. As cyber criminals begin to train models on scraped data and leverage the technology, we will see the number of attacks against these interfaces rise sharply. GenAI will be used to carry out API reconnaissance, such as scraping sites and studying API behaviour before executing attacks, in a way that even more closely mirrors legitimate use.

The attacks we have seen to date reveal that APIs are still not being adequately tested during development, configured correctly, or discovered, managed and deprecated over their lifetime. But there is also real evidence that attackers are becoming inventive in the ways they utilise APIs, as demonstrated by the DocuSign attack, and GenAI will make such attacks more commonplace.

Taking a make-do-and-mend approach to API security is not working, and a dedicated solution is needed. It is therefore imperative that CISOs point out how attacks are evolving and the shortcomings of existing solutions in order to secure budget and pursue Forrester’s recommendations.

Mohammad Ismail is VP of EMEA at Cequence Security

Image: Ideogram
