Concise Cyber

API Attacks Explode: Key Trends in Fraud, Takeovers, and Scams

Application Programming Interfaces (APIs) are the essential connective tissue for modern applications, but their growing prevalence has also made them a primary target for cybercriminals. A recent Cequence Security report reveals the scale of this issue, finding that 70% of the 21.1 billion transactions they analyzed were API-based. This explosion in API traffic is accompanied by a significant rise in automated attacks and malicious bot activity.

According to Jason Kent, Hacker-in-Residence at Cequence Security, attackers are exploiting APIs in sophisticated ways that mirror historical web application vulnerabilities, but with greater potential for direct impact on back-end services.

Top API Attack Vectors

The report highlights several dominant attack trends. Account takeovers are a major threat, with one documented campaign against online retailers seeing a 2,800% increase in attacks aimed at gift card fraud. Another prevalent method is application fraud, where attackers use automation to submit thousands of fraudulent applications, such as for loans. In one case, threat actors used 3,000 email sub-accounts to file 45,000 fake loan requests. Shopping cart scams, including “scrape for resale” schemes, also represent a significant threat to e-commerce platforms.

The Foundation of API Defense: Discovery

While machine-learning models can help detect attacks, Kent emphasizes that the most critical element of any API security program is discovery. Organizations must have a complete and current inventory of all their APIs. A common and dangerous oversight is leaving older API versions active and exposed. For example, while an application may have moved to version 16, attackers can often find and exploit vulnerabilities in forgotten versions 15, 14, or even version 1. Understanding exactly what is active and functional is the foundational first step to securing the expanding API attack surface.
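One way to start that inventory from data most teams already have is to check access logs for superseded API versions that still answer requests. The following is an added example, not code from the report or from Cequence; it assumes a `/api/vN/...` path scheme, a combined-log-style line format, and that 404/410 mean a version has been retired. The log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines; addresses and paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /api/v16/orders/42 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /api/v16/login HTTP/1.1" 200 128
198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "POST /api/v1/login HTTP/1.1" 200 130
198.51.100.9 - - [01/Jan/2025:10:00:04 +0000] "POST /api/v1/login HTTP/1.1" 401 64
198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v14/giftcards/balance HTTP/1.1" 200 90
192.0.2.33 - - [01/Jan/2025:10:00:06 +0000] "GET /api/v15/orders/42 HTTP/1.1" 410 0
192.0.2.33 - - [01/Jan/2025:10:00:07 +0000] "GET /api/v3/orders/42 HTTP/1.1" 404 0
192.0.2.33 - - [01/Jan/2025:10:00:08 +0000] "GET /healthz HTTP/1.1" 200 2
"""

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
VERSIONED = re.compile(r"^/api/v(?P<ver>\d+)(?P<rest>/[^?\s]*)")  # assumed path scheme
RETIRED = {404, 410}  # assumption: these statuses mean the version no longer exists

def live_versions(log_text):
    """Map API version -> set of 'METHOD /endpoint' that still answered.

    A 401 or 403 counts as live: the old code path is still reachable
    and processing requests, even if this particular request was rejected.
    """
    live = defaultdict(set)
    for line in log_text.splitlines():
        req = REQUEST.search(line)
        if not req:
            continue
        m = VERSIONED.match(req["path"])
        if m and int(req["status"]) not in RETIRED:
            live[int(m["ver"])].add(f'{req["method"]} {m["rest"]}')
    return dict(live)

def stale_versions(log_text, current):
    """Versions older than `current` that are still being served, oldest first."""
    live = live_versions(log_text)
    return [(v, sorted(eps)) for v, eps in sorted(live.items()) if v < current]

if __name__ == "__main__":
    for ver, endpoints in stale_versions(SAMPLE_LOG, current=16):
        print(f"v{ver} still active: {', '.join(endpoints)}")
```

Log review only finds versions that someone has already requested, so it complements, rather than replaces, an inventory built from gateway routes and deployment configuration.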
