Bot Attacks on APIs Piling Up: How Can Companies Prepare?

Organisations have been keeping a close eye on bot attacks on APIs. The pandemic has driven increased use of APIs for faster information and data exchange, and that growth has triggered a wave of bot attacks and online fraud.

Gartner recently predicted that API attacks will become the most frequent attack vector by 2022, yet adoption of bot mitigation services still lags behind.

1. Benefits of Using APIs: How Can They Help Your Business?

An API (application programming interface) is software that allows web or mobile applications to communicate with each other. Put simply, an API simplifies and eases product and service integration.

An API connects several services with one another so that data and information exchange among them can be automated. It therefore saves companies the time and resources of developing new programs from scratch and streamlines their business workflows.

Take the E-commerce industry as an example.

Online retail has enjoyed growing popularity worldwide since the pandemic began. Growing numbers of users and orders keep straining the inventory and shipping systems of small and medium retailers. By quickly and easily integrating their own platform with several professional shipping providers via API, retailers can automate, coordinate, manage and streamline their shipping operations on one platform.

APIs are often used to run cloud services, integrate third-party partnerships, enable mobile applications, etc.

2. Poorly Protected APIs: Why Aren’t They Secure Enough?

The problem is that there is no standard way to develop APIs that could guarantee universal application security, since every enterprise has its own security requirements. Software development teams in different companies take customised approaches to building APIs, which may be enough for some companies but is far from enough for businesses with high application security standards, such as fintech, e-commerce and gaming.

Status quo of API security

Information security organisations have been studying API security. Here are the key findings.

  • API calls currently account for 83% of all Internet traffic according to Akamai.
  • Around 40% of organisations reported that more than one-half of their applications are exposed to the internet or third-party services via APIs.
  • Nearly 66% of enterprises don’t have a proper security measure for their APIs.
  • Attacks targeting APIs are increasing at an alarming rate – up 348% in six months by the third quarter of 2021, as reported by Salt Labs.

Widely used yet poorly protected APIs attract attackers, who exploit weaknesses in commonly seen connection points such as login, online ordering, comment and voting endpoints.

One of the most popular methods attackers use against APIs is the automated bot attack.

3. Sophisticated Bot Attacks on APIs: Are They Really Unstoppable?

Bot attacks aimed at APIs are hard to detect.

Bad bots are changing rapidly and becoming more sophisticated. Sophisticated bots disguise themselves as humans to bypass detection: they can forge human interactions, moving a mouse or typing like a human user. But they are not unstoppable. Bot attacks are only what we see; it is the people behind the bots that matter.

GeeTest, a bot management vendor recently mentioned by Gartner and Forrester in their blogs and reports, has studied the people behind various bot attacks for over 9 years. It recently released a study revealing the abilities attackers commonly share and countermeasures against them.

GeeTest found that bad actors who use bots to attack enjoy three advantages.

  1. Attackers use automated tools to keep bots attacking nonstop.
  2. Attackers hold vast amounts of credential data to support bot attacks that involve identity verification, such as account takeover (ATO).
  3. Attackers gain access to hundreds or thousands of mobile devices via a single group-control or cloud-control platform to help bots bypass device detection.

Knowing this, GeeTest put forward countermeasures in two directions: reducing the efficiency of bot attacks and increasing the attacker’s cost.

1. Reducing the efficiency of bot attacks

A crucial advantage of attackers is their efficiency. They act automatically with the help of bots, backed by countless identities and devices. GeeTest therefore focused on solutions that decrease the efficiency of bot attacks.

2. Increasing attacker’s cost

Once efficiency is reduced, attackers are bound to invest more in renewing automated tools, identity information and devices. When the margin between cost and profit falls below what they expected, profit-driven cybercriminals stop and move on to another target.

The confrontation between attacker and defender is not about winning once; it is a sustained game in which each side keeps trying to outsmart the other.

4. Solution for Bot Attacks on APIs

Based on this study, GeeTest launched a new bot management tool aimed at reducing the efficiency of bot attacks: GeeTest CAPTCHA v4, also called Adaptive CAPTCHA.

Unlike legacy CAPTCHAs that detect bot activity simply through image or text recognition (which can no longer stop sophisticated bots), GeeTest CAPTCHA v4 counters AI-powered bots with AI and ML models of its own. It is positioned as an intelligent, accurate and user-friendly replacement for legacy CAPTCHA systems.

One fundamental feature of GeeTest CAPTCHA v4 that makes it distinct from other CAPTCHA systems is modularization.

The majority of CAPTCHAs work as shown below: the whole process is inseparable. GeeTest CAPTCHA v4 instead makes every step an independent module and lets clients decide how to combine the modules to best fit their business and their existing risk control systems.

In this way, companies can freely use different modules to address specific risk control needs in different scenarios and at different stages.

Here are examples of how enterprises use the GeeTest modular CAPTCHA system.

  • Companies that prioritise a smooth user experience and do not want a CAPTCHA to pop up and disturb users can use the Risk detection module to detect suspicious behaviour without showing any CAPTCHA challenge; the risk data is returned to the enterprise for further analysis and action.
  • Enterprises that have their own risk control system and can analyse suspicious behaviour themselves can use the CAPTCHA challenge module to collect the user’s response and make decisions through their own risk control system.
  • Enterprises that rely completely on GeeTest CAPTCHA protection can use the Risk analysis module to support their business process.
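To make the modular design concrete, here is an added illustration (hypothetical code, not GeeTest’s SDK or API) of a pipeline in which risk detection, the challenge and risk analysis are separate steps, so each can be used alone or handed to a company’s own risk control system; the signals, thresholds and traffic are constructed for the example.

```python
from collections import defaultdict, deque
import hmac, secrets

WINDOW = 10.0   # seconds of request history kept per client IP (constructed)
BURST = 20      # requests per window beyond which traffic looks automated (constructed)

class RiskDetection:
    """Module 1: score a request from passive signals; no challenge is shown."""
    def __init__(self):
        self.history = defaultdict(deque)

    def score(self, client_ip, user_agent, ts):
        q = self.history[client_ip]
        q.append(ts)
        while ts - q[0] > WINDOW:          # drop calls older than the window
            q.popleft()
        risk = 0
        if len(q) > BURST:
            risk += 60                     # nonstop automated calls
        if not user_agent:
            risk += 40                     # scripted client sending no User-Agent
        return min(risk, 100)

class Challenge:
    """Module 2: issue a single-use challenge and verify the user's response."""
    def __init__(self):
        self.pending = {}

    def issue(self):
        cid, answer = secrets.token_hex(8), secrets.token_hex(4)
        self.pending[cid] = answer         # a real system would not hand the answer back
        return cid, answer

    def verify(self, cid, response):
        expected = self.pending.pop(cid, None)
        return expected is not None and hmac.compare_digest(expected, response)

def decide(risk, challenge_passed=None):
    """Module 3: risk analysis mapping score and challenge result to an action."""
    if challenge_passed is not None:
        return "allow" if challenge_passed else "block"
    return "block" if risk >= 80 else "challenge" if risk >= 40 else "allow"

# constructed traffic: one human request, then a 25-call burst from a script
SAMPLE_TRAFFIC = [("10.0.0.1", "Mozilla/5.0", 0.0, True)] + [
    ("10.0.0.2", "python-requests/2.x", i * 0.1, False) for i in range(25)]

def simulate(requests):
    """Full mode: each (ip, user_agent, ts, can_solve) request passes all modules."""
    det, chal, actions = RiskDetection(), Challenge(), []
    for ip, ua, ts, can_solve in requests:
        risk = det.score(ip, ua, ts)
        action = decide(risk)
        if action == "challenge":
            cid, answer = chal.issue()
            action = decide(risk, chal.verify(cid, answer if can_solve else "x"))
        actions.append(action)
    return actions
```

Detect-only deployment uses `RiskDetection.score` alone and forwards the score; challenge-only deployment uses `Challenge` and feeds the boolean into the company's own decision logic.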

Register here to try the free version of GeeTest CAPTCHA v4.

Final Thoughts

Protecting APIs from bot attacks requires agile tools and continuously evolving solutions that can spot and stop bot attacks before they happen.

When choosing a security tool or solution, enterprises should take the following into consideration:

  • Security capability
  • Convenience
  • Service stability
  • User experience

One approach we recommend is to adopt a tool or system like GeeTest Adaptive CAPTCHA that handles real-time bot detection and mitigation without interrupting the user experience.