Are we paying enough attention to API security?


Is API security on the radar of most IT teams? It’s arguably still not as high on the priority list as it should be. Consider this: an Imperva/Marsh McLennan study from 2022 claimed that vulnerable and unsecured APIs cause up to 7.5% of global “cyber events and losses”, and cost businesses an estimated $75bn annually.

The experts I spoke to for an upcoming feature highlighted complexity, visibility gaps and skills shortages as key barriers to enhanced API security. As digital transformation initiatives push on across the globe, the need to fill these gaps will only increase.

Out of control

APIs are essential to digital projects, connecting applications to backend services and databases. By the same token, a compromised API offers an attacker a neat pathway to exfiltrate corporate and customer data.

“APIs that aren’t closely monitored can easily fall victim to high-volume attacks such as brute force login attempts and enumeration techniques. They are also often easily identified, are web-accessible, and have each of their methods documented,” Bridewell Consulting senior pen tester, Andy Tyler, told me.

“Once an attacker knows how to interact with your API they can quickly hunt for vulnerabilities; from authentication issues, to injection attacks, or access control misconfigurations. All of these can lead to sudden data theft on a large scale.”

In fact, that happened to T-Mobile USA last year. Although full details of the incident are yet to be released, the firm admitted in January that an attacker took data on 37 million customers via an API.

For Forrester analyst Sandy Carielli, security teams and tools have been slow to catch up, even as the number of APIs has exploded.

“A lot of the traditional web app security tools didn’t support APIs, leaving holes in the protection – even as API security has evolved and more solutions are available, organisations struggle to understand what combination of tools and processes are needed,” she told me.

“The tools and processes exist to counter this threat, but many organizations struggle due to the newness of the technology and the number of APIs in their organization. It’s not uncommon for enterprises to have tens of thousands or even hundreds of thousands of customer and partner facing APIs – and they may not have a good grasp of what those APIs are and what they do.”

Bridewell’s Tyler agrees, but thinks things are improving.

“The tools and testing techniques needed for assessing APIs have only more recently reached maturity. Automated scanners in particular are still very poor at identifying API security issues, which can lead to false negative results for those organisations running their own checks,” he said.

“Many of us in this industry are working to demystify many of the API-specific issues for the organisations we work with and we have seen great improvements in their overall API security approaches.”

Out of the loop

As is so often the case, API risk seems to have been allowed to snowball because security isn’t brought in early enough in the software development lifecycle.

“Unfortunately, many organisations have little to no oversight over their APIs given the pace of application development and the lack of visibility security teams have into development practices,” Imperva director of technology, Peter Klimek, told me.

“For example, APIs are often released into production before security teams can review and catalogue them. Such inadequate security practices lead to both ‘shadow’ APIs – an API that isn’t cataloged and is therefore invisible to the security team – and ‘zombie’ APIs, which haven’t been properly disabled and are still accessible. Both of these can be a potential breeding ground for cyber-criminal activity.”
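The two failure modes Klimek describes, and the high-volume enumeration Tyler warns about, are both visible in ordinary web access logs if you reconcile them against the API catalogue. The following is an added example, not code from the article or from any of the vendors quoted: it normalises each logged request to a route, flags routes that are served but never catalogued (shadow), routes catalogued as retired but still answering (zombie), and clients generating an abnormal run of 401/403/404 responses on one route (brute force or ID enumeration). The catalogue, the log lines and the 20-error threshold are constructed assumptions for the example.

```python
"""Added example (not from the article): reconcile what the API gateway actually
serves with the security team's catalogue, and flag enumeration-style traffic.

The catalogue, log lines and thresholds below are constructed for the example.
"""
import re
from collections import Counter

# Constructed catalogue: what the security team believes is in production.
# "deprecated": True marks routes that were supposed to have been switched off.
CATALOGUE = {
    "GET /v2/customers/{id}": {"deprecated": False},
    "POST /v2/auth/login": {"deprecated": False},
    "GET /v1/customers/{id}": {"deprecated": True},
}

# Combined-log-format line: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalise(method: str, path: str) -> str:
    """Map a concrete request to its catalogue route: drop the query string and
    collapse numeric path segments so /v2/customers/1001 and /v2/customers/1002
    both become GET /v2/customers/{id}."""
    path = path.split("?", 1)[0]
    return f"{method} {NUMERIC_SEGMENT.sub('/{id}', path)}"


def parse(log_text: str):
    """Yield one dict per well-formed log line; silently skip lines that do not parse."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(log_text: str, catalogue: dict, enum_threshold: int = 20) -> dict:
    """Return shadow routes, zombie routes and (ip, route) pairs whose count of
    auth/not-found errors reaches enum_threshold within the log window."""
    shadow, zombie = set(), set()
    errors = Counter()
    for rec in parse(log_text):
        route = normalise(rec["method"], rec["path"])
        entry = catalogue.get(route)
        if entry is None:
            shadow.add(route)                 # served, but nobody catalogued it
        elif entry["deprecated"]:
            zombie.add(route)                 # retired on paper, still answering
        if rec["status"] in ("401", "403", "404"):
            errors[(rec["ip"], route)] += 1   # failed logins / guessed IDs
    enumeration = {k: v for k, v in errors.items() if v >= enum_threshold}
    return {"shadow": shadow, "zombie": zombie, "enumeration": enumeration}


def _line(ip, method, path, status, size=0):
    return f'{ip} - - [10/Mar/2023:09:00:00 +0000] "{method} {path} HTTP/1.1" {status} {size}'


# Constructed sample log: normal traffic, one zombie hit, one shadow route, and a
# single client walking sequential customer IDs and hammering the login endpoint.
SAMPLE_LOG = "\n".join(
    [
        _line("10.0.0.5", "GET", "/v2/customers/1001", 200, 812),
        _line("10.0.0.5", "POST", "/v2/auth/login", 200, 120),
        _line("198.51.100.7", "GET", "/v1/customers/1001", 200, 640),
        _line("198.51.100.7", "GET", "/v3/export/all?format=csv", 200, 99120),
    ]
    + [_line("203.0.113.9", "GET", f"/v2/customers/{n}", 404) for n in range(5000, 5025)]
    + [_line("203.0.113.9", "POST", "/v2/auth/login", 401) for _ in range(30)]
)

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, CATALOGUE)
    print("shadow APIs :", sorted(report["shadow"]))
    print("zombie APIs :", sorted(report["zombie"]))
    for (ip, route), n in sorted(report["enumeration"].items()):
        print(f"enumeration : {ip} -> {route} ({n} errors)")
```

Run against the constructed log, the report lists /v3/export/all as shadow, the retired /v1/customers route as zombie, and 203.0.113.9 as enumerating both customer IDs and logins. In practice the catalogue would come from the OpenAPI specs or gateway configuration and the threshold would be tuned per route; the point is that the data to find shadow and zombie APIs usually already exists, it just has to be joined up.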

There’s no silver bullet for escalating, API-driven cyber risk. But shifting security left, so that APIs are reviewed and catalogued before they reach production, and protecting on the right with layered measures including encryption, API gateways, web application firewalls and zero trust approaches, would seem like a good place to start.


How scammers are capitalising on the SVB collapse

This piece was first published on ESET’s We Live Security site.


Big news events and major crises usually trigger an avalanche of follow-on phishing attempts. The COVID-19 pandemic and Russia’s invasion of Ukraine are perhaps the most obvious examples, but the most recent one is the collapse of Silicon Valley Bank (SVB). The mid-sized US lender and a key financer of tech start-ups held roughly US$200 billion in assets when it went bust last week after succumbing to a bank run.

Although the US government stepped in days later to guarantee customers would be able to access their money, the damage was done – and even if you or your business wasn’t affected by the bank’s meltdown, you could still be at risk of cybercrime that exploits such events for nefarious gains.

Ambulance-chasing phishing and business email compromise (BEC) attempts are already hitting inboxes across the globe. Once you’ve weathered the storm, there are plenty of takeaways that can be used to build a more resilient security awareness program going forward.

The story so far

There’s nothing new in scammers piggy-backing on news events to improve their success rates. But the SVB case has several ingredients that make it arguably a more attractive lure than the norm. These include:

  • The fact that there’s lots of money at stake: SVB had an estimated US$200 billion in assets when it went bust.
  • Extreme anxiety from corporate customers worried about how to pay the bills if they can’t access their assets, and from individuals concerned about whether they’d get paid.
  • Confusion over exactly how customers can get in touch with the failed lender.
  • The fact that the collapse came after the fall of Signature Bank, sparking even more anxiety about the whereabouts of funds and the health of the financial system.
  • SVB’s global reach – including a UK arm and various affiliated businesses and offices across Europe. This expands the pool of potential scam victims.
  • The BEC angle: as many SVB corporate customers will be informing their partners of bank account changes, it offers the perfect opportunity for fraudsters to step in first with their own details.

When something like this happens, it’s not unusual to see multiple domains registered by firms looking to offer legitimate loans or legal services to the ailing bank’s customers. It can be difficult to discern the authentic from those registered for nefarious ends.

There is already a long list of newly registered lookalike domains that may be used to deceive people in the future.

SVB phishing attempts

As always, phishing attempts focus on classic social engineering techniques such as:

  • Using a breaking news story to lure the recipient in
  • Spoofing SVB or other brands to gain recipient trust
  • Creating a sense of urgency to force recipients to act without thinking – not hard given the circumstances surrounding the collapse
  • Including malicious links/attachments to harvest information or steal funds

Some phishing attempts have focused on stealing the details of SVB customers – possibly to either sell on the dark web or to create a phishing list of targets to hit with future scams. Others have embedded more sophisticated methods of stealing cash from victims.

One effort uses a fake reward program from SVB claiming all holders of the stablecoin USDC will get their money back if they click through. However, the QR code on the page the victim lands on is designed to compromise their cryptocurrency wallet.

A separate lure with the same QR-related crypto-stealing end goal used an announcement by USDC issuer Circle as its starting point. The firm said USDC would be redeemable 1:1 with the dollar, prompting the creation of new phishing sites with a Circle USDC claims page.

SVB BEC threats

As mentioned, this news event is also slightly unusual in providing the perfect conditions for BEC attacks to flourish. Finance teams are going to be legitimately approached by suppliers that previously banked with SVB and that have now switched financial institutions. As a result, they’ll need to update their account details. Attackers could use this confusion to do the same, impersonating suppliers with modified account payee details.

Some of these attacks may be sent from spoofed domains, but others may be more convincing, with emails that have been sent from legitimate but hijacked supplier email accounts. Organizations without sufficient fraud checks in place could end up mistakenly sending money to scammers.

How to avoid SVB and similar scams

Phishing and BEC are increasingly common. The FBI Internet Crime Report 2022 details over 300,000 phishing victims last year, cementing phishing’s status as the most frequently reported cybercrime type of all. And BEC cost victims over US$2.7bn in 2022, making it the second highest-grossing category. Consider the following to stay safe from the scammers:

  • Be cautious about unsolicited messages received by email, SMS, social media etc. Try to independently verify them with the sender before deciding whether to reply.
  • Don’t download anything from an unsolicited message, click on any links or hand over any sensitive personal information.
  • Look for grammatical mistakes, typos etc. that can indicate a spoofed message.
  • Hover over (or expand) the email sender’s display name to reveal the actual address behind it – does the domain match the organization the name claims to be from?
  • Switch on two-factor authentication (2FA) for all online accounts.
  • Use strong and unique passwords for all accounts, ideally stored in a password manager.
  • Regularly patch or switch on automatic updates for all devices.
  • Report anything suspicious to the corporate security team.
  • Importantly, ensure you have up-to-date security software on all your devices from a reputable provider.
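The “hover over the sender” check, and the warning above about newly registered lookalike domains, can both be automated at the mail gateway or in a triage script. The following is an added example written for this piece, not code from ESET or from the original article: it parses a From: header, checks whether a display name that claims a brand is backed by one of that brand’s real domains, and tests the sending domain against a small trusted list for typosquats, digit-for-letter homoglyphs and brand names buried in subdomains. The trusted-brand table, the homoglyph mapping, the “last two labels” rule for the registrable domain and the sample headers are all constructed assumptions for the example.

```python
"""Added example (not from the article): automate the "does the sender look
authentic?" check for a From: header.

TRUSTED, HOMOGLYPHS, the registrable-domain rule and the sample headers are
constructed assumptions for this example, not data from the article.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed: brand keywords a display name might claim -> domains that brand really uses.
TRUSTED = {
    "svb": {"svb.com"},
    "silicon valley bank": {"svb.com"},
    "circle": {"circle.com"},
}

# Digits commonly substituted for letters in lookalike domains (assumed mapping).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def skeleton(label: str) -> str:
    """Fold a domain label to a comparable form: strip accents, map digit-for-letter
    substitutions, and collapse the multi-character look-alikes 'rn'->'m', 'vv'->'w'."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    return folded.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one edit away from a brand is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Assumption: the registrable domain is the last two labels. Fine for .com/.net
    in this example; a real deployment would consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def triage(from_header: str) -> dict:
    """Parse a From: header and return findings; an empty findings list means
    nothing suspicious was seen (which is not the same as the mail being safe)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reg = registrable(domain)
    findings = []

    # 1. Display name claims a brand, but the address is not one of that brand's domains.
    for brand, domains in TRUSTED.items():
        if brand in name.lower() and reg not in domains:
            findings.append(f"display name claims {brand!r} but address domain is {domain}")

    # 2. Regardless of the display name, does the domain impersonate a trusted one?
    for legit in sorted({d for ds in TRUSTED.values() for d in ds}):
        if reg == legit:
            continue
        legit_label, reg_label = legit.split(".")[0], reg.split(".")[0]
        max_edits = 1 if len(legit_label) >= 5 else 0  # short brands: exact skeleton only
        if levenshtein(skeleton(reg_label), skeleton(legit_label)) <= max_edits:
            findings.append(f"{reg} is a lookalike of {legit}")
        elif legit_label in re.split(r"[.-]", domain):
            findings.append(f"brand {legit_label!r} embedded in {domain}")

    return {"name": name, "address": addr, "findings": findings, "suspicious": bool(findings)}


# Constructed sample headers for the example.
SAMPLE_HEADERS = [
    '"SVB Client Services" <notices@svb.com>',
    '"Silicon Valley Bank" <support@svb-claims.com>',
    '"SVB Updates" <alerts@svb.com.secure-login.net>',
    '"Circle Support" <help@c1rcle.com>',
    '"Accounts Payable" <ap@acme-supplies.com>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = triage(header)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok        "
        print(flag, header, result["findings"])
```

The first and last sample headers come back clean; the other three are flagged, each for a different reason (brand claimed in the display name but sent from elsewhere, brand used as a subdomain of an unrelated registrable domain, and a digit-for-letter typosquat). A script like this is a triage aid, not a verdict: a compromised supplier mailbox, as described in the BEC section, passes every one of these checks, which is exactly why the out-of-band verification steps below still matter.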

For BEC specifically:

  • Check with a colleague before changing account details/approving payments for new accounts
  • Double check any requests for account updates with the requesting organization: don’t reply to their email, verify independently from your records

From a corporate IT security perspective:

  • Run continuous, regular phishing training exercises for all staff, including simulations of currently trending attacks
  • Consider gamification techniques which may help reinforce good behaviors
  • Build BEC into staff security awareness training
  • Invest in advanced email security solutions that include anti-spam, anti-phishing and host server protection and prevent threats from even reaching their targets
  • Update payment processes so that large wire transfers must be signed off by multiple employees

We all need to be on the lookout for unexpected emails or calls, especially those purporting to come from a bank and requiring urgent action. Never click a link and input your banking login credentials, and never give them over the phone. To access your banking information, use your bank’s official website.