Companies are increasingly shifting to the cloud and exposing functionality via Application Programming Interfaces (APIs). Cybercriminals have been taking advantage of this new entry point, as new technologies often lack proper security.
With APIs becoming more commonly used in companies, cybercriminals have been using botnets to carry out malicious attacks on them. CSO Mag describes a botnet as a collection of internet-connected devices that an attacker has compromised; they act as a force multiplier for individual attackers, cybercriminal groups and nation-states looking to disrupt or break into their targets’ systems. Botnets are common in Distributed Denial of Service (DDoS) attacks and can be used to send spam to the masses, steal credentials, or spy on people and organizations.
API bot attacks in particular are becoming a major issue for e-commerce businesses. Since bots are used to steal credentials and private information, e-commerce businesses carry a big target on their backs. Specifically, they are being hit by tactics such as price scraping, sneaker bots, grinch bots, and gift card stuffing. These tactics can be used to share pricing information with competitors, automate purchases, and find specific products online and purchase them. Research done by Imperva revealed that over 30% of traffic to e-commerce sites comes from bots, 18% of traffic to e-commerce sites comes from bad bots, and 24% of those bad bots are classified as sophisticated. With these attacks on the rise, it is more important than ever for companies, especially those in e-commerce, to invest in bot and API security.
Lately, the situation is only getting worse. The Council to Secure the Digital Economy (CSDE) shared a report stating that a single botnet can include more than 30 million “zombie” endpoints and allow cybercriminals to profit roughly six figures per month. The impact is serious: these DDoS attacks threaten health and research facilities as well as government services around the world, with attackers exploiting the circumstances of the pandemic for personal gain. Botnets have been used on social media platforms to spread disinformation about the pandemic, threatening the global dialogue surrounding it and exploiting the demand for information to run phishing scams. They have also been used to specifically target vendors of face masks and hand sanitizer, since the influx of customers caused by the pandemic made these vendors a big target for botnet attacks.
A report by Radware states that APIs are the next big threat, as they are used to process a variety of sensitive information such as payment information, user credentials, social security information, etc., making API security the most critical area for companies to invest in in 2021. They also mention that 55% of organizations receive a DDoS attack on their APIs monthly, yet only 24% of organizations have a dedicated solution for bot management. For API security, F5 Labs recommends a few best practices to protect your APIs against hacking:
- Do not store information in APIs that is not meant to be shared
- Don’t expose more data than necessary
- Encrypt traffic using TLS
- Inventory and manage your APIs
- Use a strong authentication and authorization solution
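To make two of these practices concrete ("don't expose more data than necessary" and "use a strong authentication and authorization solution"), here is an added example that is not from the original article or from F5 Labs: a minimal order-lookup handler for an e-commerce API. The order records, bearer tokens and role names are constructed sample values; a real service would verify signed tokens and read from a database.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: what the database holds, including fields that
# must never leave the service (full card number, internal fraud score).
ORDERS = {
    "o-1001": {"id": "o-1001", "customer_id": "c-1", "total": 59.90,
               "card_number": "4111111111111111", "fraud_score": 0.02,
               "status": "shipped"},
}
# Constructed bearer tokens -> (customer_id, role). A real system would
# validate a signed token instead of looking it up in a dict.
TOKENS = {"tok-alice": ("c-1", "customer"), "tok-bob": ("c-2", "customer"),
          "tok-ops": (None, "support")}

# Allow-list of response fields per role. Anything not listed is dropped, so a
# new sensitive column added to the table is not exposed by default.
FIELDS = {"customer": ("id", "total", "status"),
          "support": ("id", "customer_id", "total", "status")}


@dataclass
class Response:
    status: int
    body: dict


def get_order(auth_header: Optional[str], order_id: str) -> Response:
    # 1. Authenticate: reject missing or unknown tokens before touching any data.
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(401, {"error": "authentication required"})
    ident = TOKENS.get(auth_header[len("Bearer "):])
    if ident is None:
        return Response(401, {"error": "invalid token"})
    customer_id, role = ident
    order = ORDERS.get(order_id)
    # 2. Authorize at the object level: a customer may read only their own
    #    orders. The same 404 is returned for "missing" and "not yours" so that
    #    a bot cannot tell which order IDs exist.
    if order is None or (role == "customer" and order["customer_id"] != customer_id):
        return Response(404, {"error": "not found"})
    # 3. Minimize: copy only the allow-listed fields for this role into the response.
    return Response(200, {k: order[k] for k in FIELDS[role]})
```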
To protect yourself against botnet attacks in general, Panda Security recommends the following tips:
- Keep your operating system up-to-date
- Don’t open files from unknown or suspicious sources
- Scan all downloads before running the downloaded files, or find different ways of transferring files
- Don’t click suspicious links
- Install an antivirus program