Akamai Technologies has released a new State of The Internet (SOTI) report titled ‘Lurking in the Shadows: Attack Trends Shine Light on API Threats’. The research highlights the array of attacks that are hitting APIs, including traditional web attacks, and the regions most at risk.
Akamai’s data, which tracks API attack traffic from January through December 2023, reveals that in 2023, the Europe, Middle East and Africa (EMEA) region experienced the highest percentage of API attacks on a global basis at 47.5% - by far exceeding the next closest region, North America at 27.1%. Within EMEA, the countries with the highest percentage of API attacks include Spain (94.8%), Portugal (84.5%), the Netherlands (71.9%), and Israel (67.1%).
Akamai researchers found that the commerce industry had the highest percentage of overall web attacks that impacted organizations at 74.6%, which is more than twice the percentage of the next closest vertical, the high-tech industry, at 35.5%. This is partially due to the complex nature of the commerce ecosystem, their high reliance on APIs, and the valuable data organizations in this sector possess.
Other key EMEA findings of the report include:
· Consistent with the global trend, HTTP Protocol and Structured Query Language Injection (SQLi) attacks have been the predominant attack vectors for APIs in EMEA during the last 12 months.
· During the same reporting period, 40% of the nearly four trillion suspicious bot requests were aimed at APIs.
· Cross-Site Scripting (XSS) remains a favoured technique for API attacks, and Command injection (CMDi) is also prevalent.
“Commerce organisations have a complex and dynamic attack surface, affecting both servers and clients. The sector's infrastructure is difficult to secure as it includes IoT devices that use web applications and APIs to drive online conversions and deliver the customer experience that modern consumers expect. As a result, the industry is an attractive target for cybercriminals, who are targeting vulnerabilities, design flaws and security gaps to abuse web-facing servers and applications,” said Richard Meeus, EMEA Director of Security Technology and Strategy at Akamai.
“Although commerce is not as heavily regulated as the financial services or healthcare industries, it still needs to focus on security, as attacks can be far more punishing to the bottom line." Commerce organisations need to ensure they have complete visibility into API activity, using behavioural analytics to detect complex threats and improve detections by analysing historical data.”