How APIs can help hackers launch cybercrime campaigns

9
cybercrime campaigns

CIOs say that cybercriminals have increased the focus on utilization of APIs’ security liabilities to steal data and carry out fraudulent activities

Security leaders point out that APIs make different tasks like system connectivity to data sharing, functionality to critical feature delivery, etc., more manageable. However, they also make it easier for hackers to deploy bots and launch attacks.

Easy discovery

APIs are easy for hackers to identify, and through them, they approach by using the targeted tech or application, usually by conventional methods. They ensure that the browser is opened to reach web applications and the installation of downloaded mobile apps. They tend to use an intercepting proxy to monitor communications.

CIOs believe that intercept proxy filters all requests from user browsers or mobile apps to the backend servers. It allows hackers to list out all the API endpoints with potential liabilities. Most APIs tend to have /API/V1/login as a part of the authentication endpoint.

Hackers tend to analyze the application package and look at all API calls present in the application. They identify standard misconfigured endpoints or APIs which leave the user vulnerable. Most organizations tend to make their API documents available for the public despite using the same API endpoints for all end-users.

Read More: RDP remains a key choice for ransomware hackers

Security leaders believe that the most efficient way to prevent the discovery of enterprise API is by ensuring that access to API documentation is restricted with clauses that provide only authentic users access. They propose that web server requests by APIs should be as controlled or as complex as possible.

Simplified error messages

CISOs point out that in the current scenario, error messages tend to be too explanatory. This ends up being a guiding point for cybercriminals to change the measures to make their request work.

High-speed transactions for low load have APIs which allow hackers to detect valid accounts by deploying high-performance transactions. Once they lock on to the account, they attempt to gain access by logging in and changing passwords as per requirement.

IT Security leaders propose using less verbose error messages to mitigate such attacks. They push for better training of employees and end-users to create strong usernames and passwords.

A high number of parameters in complex systems

Criminals tend to repeat API connections to attack networks to identify what data has to be input to get the required data. CIOs acknowledge that hackers are aware of the vulnerabilities in more complex systems.

Read More: Cyber Security – Top Challenges C-Suite Should Gear Up For

Once a compromised API is detected, malicious actors tend to list the parameters and then try to gain access to the admin credentials (vertical privilege escalation) or an employee’s (horizontal privilege escalation) to collate more data. An unnecessary amount of parameters are exposed to the end-users.

C-suite leaders suggest that users be exposed to a limited amount of data. It prevents exposure of data query structure and prevents the uncontrolled spread of the vital data. Deploying such measures prevents hackers from forcing requests on parameters.