APIs have helped businesses shift their service delivery models in the global pandemic. Here’s how cyber thieves have moved to capitalize on these shifts.

By Matt Keil, Cequence Security

For many companies’ consumer-oriented applications, APIs have become the connective tissue that allows development teams to rapidly deploy and update applications and services. More often than not, the web-based registration form, the mobile application login, the shopping cart and the gift card balance check are all feeding a series of API calls to back-end applications and services. However, APIs are a double-edged sword: they accelerate development while also simplifying how bad actors can steal data and commit fraud.

Image 1: API transactions protected daily.

Cequence has been protecting APIs from automated attacks for nearly 5 years now, and a recent analysis of customers that subscribe to our threat monitoring services shows that on any given day the Cequence Platform is protecting nearly half a billion API-based transactions.

Attack Goals Vary Across Industries

The most common automated attacks are account takeovers, fake account creation and content scraping; however, the outcomes vary across industries. In social media, the outcome is to manipulate reputations and to spread disinformation. In dating and relationship applications, the malicious outcome is romance fraud that leads to monetary losses, while in the financial services world, theft of your funds is the ultimate goal. Across every vertical, the attacks are incessant. Automated bot attacks are unlike a known vulnerability or virus that can be blocked with an IPS or AV offering. Whereas a bad actor who doesn’t find a specific application vulnerability may move on to a new target, those who are executing automated attacks are persistent, continually changing tools and tactics to achieve their end goal of committing loyalty points fraud. These characteristics are exemplified in the following summary of attack activity targeting a large retail customer.

Eye on the Prize: Retail Loyalty Points Theft

The first of a series of campaigns began with a massive, sustained, multi-application attack of more than 23 million requests. For perspective, these attacks were 3X the total amount of traffic – both good and bad – observed in an entire normal week. The attacks observed and repelled can be broken down into 5 distinct campaigns summarized below:

  • Campaign #1: A relatively small attack, sending roughly 1.5M requests distributed across 3,800 unique IP addresses owned by a known Bulletproof Proxy Service. Lasting more than 5 hours, the target of this attack was a legacy, deprecated mobile login API endpoint and all requests were successfully blocked. This campaign is a good example of garden-variety ATO behavior that exhibits obvious characteristics that make it easy to block. However, in the context of the rest of the campaigns, this effort appeared to be a diversion, drawing attention away from other endpoints open (and targeted) for abuse.
  • Campaigns #2 and #3: These two distinct attack campaigns targeted the current, active mobile login API endpoint. Campaign #2 lasted only two hours and emulated the Android mobile application. This attack campaign appeared to be a recon attempt, peaking at about 40k requests per 5-minute period, and was more widely distributed, with each transaction coming from its own unique IP address sourced from organizations in Taiwan, China and Vietnam, specifically HiNet, TE Data, and Vietnam Posts & Telecommunications (VNPT). In many cases, for some US-based companies, appropriate geo-fencing can help provide zero-day mitigation of these recon attempts. Campaign #3 was a multi-phased effort that also spoofed the Android application. The first phase was a series of reconnaissance probes, followed three days later by the attack itself. Peaking at roughly 73k requests per minute, the attack lasted a mere two hours and was unique in that the traffic originated primarily from cloud provider organizations such as Digital Ocean and resources within AWS. This retooling was likely a response to the lack of success with foreign residential proxy IPs: the bad actors attempted to evade geo-fencing by using cloud providers in the United States. One of the common threads between campaigns #2 and #3 is the focus on the mobile login endpoint while spoofing the Android application, which has become an easy task because Android emulators simplify reverse-engineering efforts.
  • Campaign #4: This effort featured the reappearance of an attack tool that had not been seen at scale in many weeks – SNIPR. The attack targeted a deprecated version of the mobile login API, which has been unsupported for more than 3 years. This campaign was widely distributed across organizations in the US, Russia, Indonesia and India. What was notable about this campaign was the persistence of the tool in sending bursts of attack traffic throughout the weekend. This likely reflects how easy SNIPR is to use and to obtain, so many disparate bad actors can get their hands on a copy and launch their own attack campaign.
  • Campaign #5: This effort was the largest campaign of the weekend, hammering the current, active web login service with more than 20 million requests distributed across roughly 33,400 IPs, with approximately 55k requests per IP. The vast majority of the requests came from the Performance Systems International (PSI) organization, known to be part of a US-based Bulletproof Proxy service that is comprised of hijacked IP space from defunct companies (PSI was a large ISP in the first dot-com boom, later acquired by Cogent).

Analysis of timing and traffic sources indicates that campaign #5 was a diversionary tactic to draw attention away from another part of the attack campaign – low and slow attack requests against the deprecated, legacy web login flow. This campaign was persistent, lasting more than 24 hours despite complete blocking on both application endpoints. Furthermore, this attack campaign attempted to fool many common browser fingerprinting techniques by reverse engineering them and rotating through unique combinations of fingerprint attributes. That explosion in unique fingerprints, spread across a day-long campaign, can be difficult to detect without proper behavioral analysis that connects the dots, linking the campaigns and focusing on blocking the account takeover behavior rather than attack tool signatures.
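To make the behavioral point concrete, here is an added example in Python (not Cequence’s code) that profiles constructed login-API events per endpoint: a plain per-IP rate limit catches only the volumetric burst, while ratio-based features (failure ratio, distinct accounts, requests per IP, fingerprints per request) also flag the low-and-slow, fingerprint-rotating flow against the legacy endpoint. The endpoint paths, IP ranges and thresholds are constructed for illustration and are not taken from the campaigns above.

```python
from collections import Counter

def make_sample():
    """Constructed login-API events: (t_sec, endpoint, src_ip, account, fingerprint, success).
    Modelled on the write-up: a burst from few IPs, a low-and-slow rotating flow, and real customers."""
    ev = []
    for i in range(600):   # burst: 4 IPs, 600 accounts, one tool fingerprint, every attempt fails
        ev.append((i % 300, "/mobile/login", f"203.0.113.{i % 4}", f"user{i}", "fp-tool-A", False))
    for i in range(120):   # low and slow: one request per IP, a new fingerprint every request
        ev.append((i * 600, "/legacy/login", f"198.51.100.{i}", f"user{1000 + i}", f"fp-{i}", False))
    for i in range(200):   # legitimate: 50 devices, stable fingerprints, about 10% typo failures
        ev.append((i, "/web/login", f"192.0.2.{i % 50}", f"cust{i % 60}", f"fp-dev-{i % 50}", i % 10 != 0))
    return ev

def ips_over_limit(events, limit=100):
    """What a plain per-IP rate limit sees: only sources sending more than `limit` requests."""
    return {ip for ip, n in Counter(e[2] for e in events).items() if n > limit}

def profile(events, endpoint):
    """Behavioral view of one endpoint: ratios that describe ATO activity, not a tool signature."""
    rows = [e for e in events if e[1] == endpoint]
    if not rows:
        return None
    n = len(rows)
    return {
        "requests": n,
        "fail_ratio": sum(1 for r in rows if not r[5]) / n,
        "distinct_accounts": len({r[3] for r in rows}),
        "req_per_ip": n / len({r[2] for r in rows}),
        "fp_per_request": len({r[4] for r in rows}) / n,
    }

def classify(p):
    """Flag credential-stuffing behavior and its delivery pattern (thresholds are illustrative)."""
    flags = []
    if p and p["fail_ratio"] >= 0.5 and p["distinct_accounts"] >= 50:
        flags.append("ato-behavior")              # many distinct accounts failing to log in
        if p["req_per_ip"] >= 50:
            flags.append("volumetric")            # few sources, each hammering the endpoint
        elif p["req_per_ip"] <= 2:
            flags.append("low-and-slow")          # wide distribution, each IP stays under a rate limit
        if p["fp_per_request"] >= 0.5:
            flags.append("fingerprint-rotation")  # a fresh fingerprint for nearly every request
    return flags

if __name__ == "__main__":
    events = make_sample()
    print("per-IP rate limit catches:", sorted(ips_over_limit(events)))
    for ep in ("/mobile/login", "/legacy/login", "/web/login"):
        print(ep, classify(profile(events, ep)))
```

The rate limit names only the four burst IPs; the legacy endpoint is flagged purely by its behavior, since no single source there exceeds one request.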

Pandemic Impact on Loyalty Points Theft

In some customer environments, there was a dramatic uptick in attack traffic during the Covid-19 lockdown. The goal and outcome of the attack – an ATO or fake account created to execute fraud – could all be accomplished digitally. In theory, with more time on their hands due to a lockdown, the bad actors can increase their focus, which the data seems to support.

Image 2: Retail customer traffic patterns during Covid-19 shutdown.

For one of our large retail customers, we saw a very different traffic pattern. Attack traffic began to drop off at the end of March, hitting lows in April (except for one week). As the nation began easing lockdown restrictions in May and allowing retail stores to open with varied access, the attack traffic began to show an uptick. The reason? The attackers needed stores to be open. They use account takeovers to steal loyalty points and then redeem the points in the physical stores. As shown in image 2, the attack traffic peaked in March, just as the world was coming to grips with the gravity of the virus. During the height of the lockdown the attack traffic dropped significantly, with a minor uptick in mid-April. As the world began to open up a bit in early May, the attack traffic began to show a slight increase. One theory for the dramatic fluctuations is that physical stores were closed, preventing the bad actors from redeeming points in-store. A second is that the luxury goods sold by this retailer may not be “essential” during this health crisis. A third is that the bad actors went elsewhere to look for easier attack targets.

With the recent announcement of API Sentinel, Cequence Security extends its API security capabilities by helping organizations avoid the security gaps introduced by shadow, deprecated and non-conforming APIs with runtime inventory, risk analysis and specification conformance assessment. Learn more at cequence.ai/api-sentinel.


About the author:
Matt Keil is Director of Product Marketing for Cequence Security, and is an expert in retail sector cyber security issues and attack mitigations. Prior to joining Cequence Security, Mr. Keil was a member of the Palo Alto Networks launch team, and most recently served as Director of Product Marketing for Public Cloud. Cumulatively, Mr. Keil has approximately 20 years in enterprise network security, and was previously with NetScreen/Juniper Networks.