API security and online fraud? What is the connection?

Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at University of Public Service

Created: 2022-06-24

According to Europol, online fraud is one of the major cyberthreats we face. One of the effective tools against it is content analysis of API traffic.

Today, both our everyday experiences and objective data tell us that online fraud is one of the major cyberthreats we face. As Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2021 writes, “Criminals continue making significant profits as well-known types of online fraud continue to be effective. While criminals have not had to re-invent their modi operandi, they continue to refine them, making them more targeted and technically advanced.” Let’s focus on the last two words as we examine the tools of online fraudsters. The first notable thing is that they use automation. An authentic-looking website in several languages can be set up in minutes, and chatbots can be used to respond immediately to even the most obvious frauds. Second, cybercriminals successfully use digital communication services: mass SMS sending, voice-over-IP with call numbers in any country to mimic a call center, or simply spam emails sent through unprotected mail servers. Third, as social engineering is the key to success, they often use data from previous data breaches, such as email addresses or phone numbers. Fourth, they frequently hack, or simply log in with fake accounts to, an already existing online shop and upload products that will never be shipped after payment.

All of these tools rely on a misconfigured web-based service of an innocent organization. Many automated website creation tools, chatbots, and digital communication services are legally available as internet services. Meanwhile, unprotected personal data, weak mail servers, and vulnerable online shops can also be found on the internet, but nobody intended to offer them as services, and using them is not legal. Unfortunately, criminals don’t care about legal use. Worse, the innocent organizations either don’t care or are unaware of these problems, even though targeted countermeasures would rob online fraudsters of some of their major tools. The best method of prevention is API security with fraud detection.

We know that this is not obvious at first sight, so let us explain. Let’s assume you are a service provider offering digital communication, automated marketing, or payment services. As an agile company, you offer your service to your customers via an API. Have you ever received a request from the local police to provide digital evidence, such as logs, for an investigation related to one of your users? Or have you ever been notified by the local data protection authority that an investigation had been initiated against you under GDPR, because accounts from a huge data breach in your system had been used in cybercrime due to an OWASP Top 10-like problem? Or perhaps the national CSIRT warned your ISP that your IT infrastructure is part of a botnet, operated through an API vulnerability, and that you need to take action? If the answer is yes, do you feel that the frequency of police or agency requests is rising, and that you need to spend more and more human resources on this task? If the answer is no, you are one of the lucky ones, but it is still worth bearing in mind that the Federal Trade Commission’s data shows a more than 70% rise in frauds in 2021 over 2020, with online frauds in second place. In fact, we have no doubt that an affirmative answer is just a matter of time.

Luckily, cybercriminals are lazy enough to reuse the same tactics, techniques, and protocols for extended periods. If organizations can filter out already known fraudulent activity at their API endpoints, they can keep illegitimate users away from their services and spend less time gathering evidence for the police or simply protecting their digital services. While traditional cyber threat intelligence can provide indicators of compromise such as IP addresses, file hashes, or DNS information, it is usually not able to detect fake or stolen accounts or newly created email addresses that have been used to subscribe to a service. With a more thorough analysis of API traffic, not just a network-centric focus on already known malicious IPs, TOR exit nodes, or suspicious VPNs, but content analysis of accounts, phone numbers, social media profiles, or even the device fingerprint of the traffic’s origin, cybercriminals can be identified before they can start their operation. This is why we can safely say that fraud detection as an additional intelligence layer on top of API protection is a must in the fight against cybercrime.
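To make the two layers concrete, here is an added example in Python (not code from the original article or from any product): a small fraud-detection component that sits in front of an account-signup API and scores each request on network-centric indicators (known-bad networks, TOR exit nodes) and on content-centric indicators (disposable or breached email addresses, a phone number or device fingerprint reused across many accounts). The intelligence feeds are constructed placeholders using RFC 5737 documentation addresses and `.example` domains, the request fields and the `BLOCK_THRESHOLD` policy are assumptions, and the signup sequence in `demo()` is constructed to show why the content checks catch a pattern the network checks alone miss.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed intelligence feeds (placeholders, not real indicators):
# RFC 5737 documentation address ranges and reserved .example domains.
KNOWN_BAD_NETWORKS = [ip_network("203.0.113.0/24")]
TOR_EXIT_NODES = {"198.51.100.7"}
DISPOSABLE_EMAIL_DOMAINS = {"tempmail.example", "throwaway.example"}
BREACHED_EMAILS = {"victim@example.com"}

BLOCK_THRESHOLD = 50  # assumed policy: a score at or above this rejects the request


@dataclass
class SignupRequest:
    src_ip: str
    email: str
    phone: str
    device_fingerprint: str  # assumed to be computed by the API gateway (e.g. a hash of client hints)


@dataclass
class Verdict:
    score: int
    reasons: list[str]

    @property
    def blocked(self) -> bool:
        return self.score >= BLOCK_THRESHOLD


def normalize_phone(phone: str) -> str:
    """Keep digits only so '+36 1 333-3333' and '3613333333' compare equal."""
    return re.sub(r"\D", "", phone)


class FraudDetector:
    """Scores API requests on network indicators and on content indicators.

    The content checks need memory of earlier requests (which accounts share a
    phone number or device), which is why this is a stateful object.
    """

    def __init__(self) -> None:
        self._accounts_by_phone: dict[str, set[str]] = {}
        self._accounts_by_fingerprint: dict[str, set[str]] = {}

    def score(self, req: SignupRequest) -> Verdict:
        score, reasons = 0, []
        email = req.email.strip().lower()
        phone = normalize_phone(req.phone)

        # Network-centric indicators: what a classic threat-intelligence feed supplies.
        ip = ip_address(req.src_ip)
        if any(ip in net for net in KNOWN_BAD_NETWORKS):
            score += 40
            reasons.append("source IP in known-bad network")
        if req.src_ip in TOR_EXIT_NODES:
            score += 30
            reasons.append("source IP is a TOR exit node")

        # Content-centric indicators: properties of the account being created.
        domain = email.rsplit("@", 1)[-1]
        if domain in DISPOSABLE_EMAIL_DOMAINS:
            score += 30
            reasons.append("disposable email domain")
        if email in BREACHED_EMAILS:
            score += 20
            reasons.append("email appears in a known breach")

        other_phone_users = self._accounts_by_phone.get(phone, set()) - {email}
        if len(other_phone_users) >= 2:
            score += 30
            reasons.append(f"phone already used by {len(other_phone_users)} other accounts")

        other_fp_users = self._accounts_by_fingerprint.get(req.device_fingerprint, set()) - {email}
        if len(other_fp_users) >= 3:
            score += 50
            reasons.append(f"device fingerprint shared with {len(other_fp_users)} other accounts")

        # Remember every attempt, blocked or not, so reuse is visible on later requests.
        self._accounts_by_phone.setdefault(phone, set()).add(email)
        self._accounts_by_fingerprint.setdefault(req.device_fingerprint, set()).add(email)
        return Verdict(score, reasons)


def demo() -> list[Verdict]:
    """Runs a constructed sequence of signups through one detector and returns the verdicts."""
    det = FraudDetector()
    requests = [
        SignupRequest("192.0.2.10", "alice@example.org", "+36 1 111 1111", "fp-A"),
        SignupRequest("198.51.100.7", "bob@throwaway.example", "+36 1 222 2222", "fp-B"),
        # Constructed fraud pattern: many accounts from one device with a recycled phone number,
        # each from a clean-looking IP, so only the content checks can flag it.
        SignupRequest("192.0.2.20", "s1@example.net", "+36 1 333 3333", "fp-C"),
        SignupRequest("192.0.2.21", "s2@example.net", "+36 1 333 3333", "fp-C"),
        SignupRequest("192.0.2.22", "s3@example.net", "+36 1 333 3333", "fp-C"),
        SignupRequest("192.0.2.23", "s4@example.net", "3613333333", "fp-C"),
    ]
    return [det.score(r) for r in requests]


if __name__ == "__main__":
    for verdict in demo():
        print("BLOCK" if verdict.blocked else "allow", verdict.score, verdict.reasons)
```

Running `demo()` shows the point of the article: the second request is stopped by the network layer alone (TOR exit node plus disposable domain), while the burst of `example.net` signups comes from unremarkable addresses and is only caught once the phone number and device fingerprint have been seen on enough other accounts. In production the feeds would be refreshed from a threat-intelligence source and the reuse counters kept in shared storage rather than in-process memory, but the scoring structure stays the same.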
