Telecoms is a prime target for attacks against Application Programming Interfaces (APIs) due to the sensitive data they access. The number one form of attack is a Broken Object Level Authorisation (BOLA) attack, as listed in the OWASP Top 10, which sees items such as phone numbers, email addresses, or first names, etc changed in some way, perhaps by a digit in the phone number, to perform an account takeover (ATO) or other form of fraud.
Subscribe today for free
The connectivity news and insights that matter - straight to your inbox
Recently, several major tier-one telecom operators with worldwide networks have been hit by BOLA attacks against their APIs. While we can’t name names, sharing how these attacks are manifesting and how they can be combatted is vital in improving defences.
In the case of one operator, 22m access requests were made against six of its APIs to exploit API endpoints. The attackers went after the APIs used to facilitate device trade-ins such as phones or tablets, for instance, and sought to submit fraudulent trade-in orders by manipulating the International Mobile Equipment Identity (IMEI) numbers.
By generating and validating the IMEIs to discover valid numbers, the attackers were then able to manipulate the telecom’s trade-in program. Having accessed the ordering system, they went on to assign a higher net worth to low-end or aged devices which they planned to trade in at the expense of the operator.
Hiding in plain sight
Detecting such attacks is problematic because despite the high volumes involved the malicious calls were blended in with regular traffic. ‘Clean’ proxies with residential IP addresses from the target’s primary business country were used, allowing the malicious traffic to seamlessly blend with legitimate user requests. This allowed the requests to bypass traditional IP-based defences which rely upon IP reputation databases to determine if traffic should be blocked.
In addition, the attack was timed to occur during business hours to further allay suspicions. Most anomaly detection systems will look for spikes of activity that don’t conform to peak usage times when high traffic volumes are expected, revealing the level of sophistication attackers are now using when carrying out bot attacks.
Trying to tackle these kinds of attacks is a real issue for operators because rather than simply using a security solution it requires a multi-layered approach to defence. All of the operators that were found to be fending off such BOLA attacks had in place Google’s Apigee API Gateway, a popular platform for developing and managing APIs, but in order to detect and defend against these subtle forms of attack they also required unified API protection which takes a behaviour-based approach.
Tracking the attack
For example, to identify the IMEI testing, the use of clean proxies, and the assaults during business hours, the operator needed to use behavioural analysis. Performing deep packet inspection and traffic analysis it was able to spot key indicators such as the systematic trialling of IMEI numbers, traffic routing patterns, and of course the timing of the attacks. By analysing session identifiers and bearer tokens, it was possible to see which tokens were being reused in the API requests, track the bot’s movement over the APIs and determine its origin.
But detection is of course only part of the solution. Arresting the attack is paramount but this can often lead to disruption, impacting the user experience, which can damage customer confidence and the operator’s reputation. This can be avoided by adding custom headers to HTTP requests and responses which allows the operator to monitor API traffic in real time and track the suspicious requests. Countermeasures can then be implemented which in the case of the operator outlined above saw the implementation of more defined blocking policies but other courses of action could include the use of rate limiting or deception to exhaust the resources of the attacker.
As attacks become more nuanced it’s clear that operators will have to adopt solutions that look not just at origins or volumes but behaviour. It’s these consistent attack patterns that give the game away, allowing the defender to use techniques such as header injection to watch the attack play out in real-time, identify the attacker’s end goals and prevent them from achieving them.
RELATED STORIES
How carriers can ensure robust API security measures
Singtel, Bridge Alliance to launch regional telco API exchange