Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at University of Public Service
According to Europol, online fraud is one of the major cyberthreats we face. One of the effective tools against it is content analysis of API traffic.
Today, both our everyday experiences and objective data tell us that online fraud is one of the major cyberthreats we face. As Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2021 writes, “Criminals continue making significant profits as well-known types of online fraud continue to be effective. While criminals have not had to re-invent their modi operandi, they continue to refine them, making them more targeted and technically advanced.” Let’s focus on the last two words as we examine the tools of online fraudsters. The first notable thing is that they are using automation. An authentic-looking website in several languages can be set up in minutes, and chatbots can provide an immediate response even in the most obvious frauds. Second, cybercriminals are successfully using digital communication services: mass SMS sending, voice-over-IP with call numbers in any country to mimic a call center, or simply sending spam emails through unprotected mail servers. Third, as social engineering is key to success, they often use data from previous data breaches, such as email addresses or phone numbers. Fourth, they frequently hack, or simply log in with fake accounts to, an already existing online shop and upload products that will never be shipped after payment.
All of these tools rely on a misconfigured web-based service of an innocent organization. Many automated website creation tools, chatbots, and digital communication services are legally available as internet services. Meanwhile, unprotected personal data, weak mail servers, and vulnerable online shops can also be found on the internet, but nobody offers them as a service intentionally, and they cannot be used legally. Unfortunately, criminals don’t care about legal use. Worse, the innocent organizations either don’t care or are unaware of these problems, even though targeted countermeasures would rob online fraudsters of some of their major tools. The best method of prevention is API security with fraud detection.
We know that this is not obvious at first sight, so let us explain. Let’s assume you are a service provider offering digital communication, automated marketing, or payment services. As an agile company, you offer your service to your customers via an API. Have you ever gotten a request from the local police to provide digital evidence, such as logs, for an investigation related to one of your users? Or have you ever been notified by the local data protection authority that an investigation had been initiated against you under GDPR, because accounts from a huge data breach in your system had been used in cybercrime due to an OWASP Top 10-like problem? Perhaps the national CSIRT warned your ISP that your IT infrastructure is part of a botnet, operated through an API vulnerability, and that you need to take action? If the answer is yes, do you feel that the frequency of police or agency requests is rising, and that you need to spend more and more human resources on this task? If the answer is no, you are one of the lucky ones, but it is still worth bearing in mind that the Federal Trade Commission’s data shows a more than 70% rise in frauds in 2021 over 2020, with online frauds in second place. In fact, we have no doubt that an affirmative answer is just a matter of time.
Luckily, cybercriminals are lazy enough to reuse the same tactics, techniques, and protocols for an extended period. If organizations can filter out already known fraudulent activities at their API endpoints, they can keep illegitimate users away from their services and spend less time on gathering evidence for the police or simply on protecting their digital services. While traditional cyber threat intelligence can provide indicators of compromise such as IP addresses, file hashes, or DNS information, it is usually not able to detect fake or stolen accounts, or newly created email addresses that have been used for a service subscription. With a more thorough analysis of API traffic, not just a network-centric focus on already known malicious IPs, TOR exit nodes, or suspicious VPNs, but content analysis of accounts, phone numbers, social media profiles, or even device fingerprinting of the traffic’s origin, cybercriminals can be identified before they can start their operation. This is why we can safely say that fraud detection, as an additional intelligence layer on top of API protection, is a must in the fight against cybercrime.
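As an added example (not code from the original post), the following fraud-scoring layer for a signup API endpoint combines the network-centric indicators mentioned above with the content checks the paragraph lists: breached or newly created email addresses, throwaway mail domains, phone number reuse, and device fingerprint reuse across accounts. The intelligence feeds, weights and thresholds are constructed placeholders, and the email-age field is assumed to come from an upstream lookup.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample intelligence feeds (placeholders, not real indicators).
KNOWN_BAD_IPS = {"203.0.113.7"}              # RFC 5737 documentation address
BREACHED_EMAILS = {"victim@example.org"}     # accounts seen in an earlier breach dump
DISPOSABLE_DOMAINS = {"mailinator.example"}  # hypothetical throwaway mail domain

# Weight per finding; the network IoC alone is not enough to block.
SCORE_WEIGHTS = {
    "ip:known-bad": 4, "email:disposable-domain": 2, "email:seen-in-breach": 3,
    "email:newly-created": 1, "device:fingerprint-reuse": 3, "phone:reused": 3,
}

@dataclass
class SignupRequest:
    ip: str
    email: str
    phone: str
    device_fp: str       # device fingerprint sent by the client (assumed available)
    email_age_days: int  # age of the mailbox per an assumed provider lookup

@dataclass
class FraudScorer:
    # Per-endpoint memory of what has already been seen: this is the content
    # layer that a pure IP blocklist cannot provide.
    fp_seen: Counter = field(default_factory=Counter)
    phone_seen: Counter = field(default_factory=Counter)

    def score(self, req: SignupRequest) -> Tuple[int, List[str]]:
        reasons = []
        if req.ip in KNOWN_BAD_IPS:
            reasons.append("ip:known-bad")
        domain = req.email.rsplit("@", 1)[-1].lower()
        if domain in DISPOSABLE_DOMAINS:
            reasons.append("email:disposable-domain")
        if req.email.lower() in BREACHED_EMAILS:
            reasons.append("email:seen-in-breach")
        if req.email_age_days < 1:
            reasons.append("email:newly-created")
        if self.fp_seen[req.device_fp] >= 3:   # same device, many accounts
            reasons.append("device:fingerprint-reuse")
        if self.phone_seen[req.phone] >= 1:    # phone already bound to an account
            reasons.append("phone:reused")
        self.fp_seen[req.device_fp] += 1
        self.phone_seen[req.phone] += 1
        return sum(SCORE_WEIGHTS[r] for r in reasons), reasons

    def decide(self, req: SignupRequest) -> str:
        total, _ = self.score(req)
        return "block" if total >= 5 else "review" if total >= 3 else "allow"
```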
Photo by Jefferson Santos on Unsplash.
This blog post is licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0 International (CC-BY-SA 4.0) License.
Szilárd Pfeiffer: API security: there is nothing new under the sun
With the incredible amount of data flowing through them, the security of APIs is becoming a growing concern in the IT industry. What are the best practices and proven solutions that organizations can follow in order to ensure the security of their APIs? There is really nothing new under the sun: APIs are secured by exactly the same precautions as anything else you publish on the internet.
Gábor Pék: Trusted Types: A world without XSS
XSS, or cross-site scripting, is one of the most widespread security problems today, as confirmed by statistics from bug-bounty companies such as HackerOne. Although our defenses have been significantly strengthened in recent years, this attack vector is still with us. As we move away from server-rendered pages towards SPAs (Single Page Applications), we are being forced to deal with a new type of XSS attack: DOM XSS. Gábor shares the story of the creation of Trusted Types, a new browser-based protection mechanism, and his experience implementing it in Avatao’s Angular code base. According to a study conducted by Google, the company "has zero DOM XSS among applications migrated to Trusted Types." A great result, to be sure! But is it worth the effort?
Csaba Krasznay: Wars and Cyber Warfare in the Age of APIs
A new chapter in the security of our world opened on 24 February 2022. The term ‘our world’ must also include cyberspace, as the Ukrainian-Russian war has openly demonstrated our dependence on information systems and the vulnerability of this ecosystem. Although the news of the war is still concerned with conventional armed clashes, more and more information is available concerning the activities and tools of the various state and non-state hacker groups. Companies can prepare for a renewed emphasis on cyber operations as the battles in physical space subside, with the difference that perhaps less significance will be placed on financial gain and far more on destruction. Most enterprise IT has already migrated to the cloud, and solutions that exchange data through APIs have become widespread. However, the rapid transition has focused on efficiency rather than cybersecurity. It is no coincidence that, according to Gartner, APIs are expected to be the most attacked interfaces in 2022.