How Automated API Attacks Are the Digital Equivalent of Mockingbirds

July 25, 2022 | by Jason Kent

Automated API Attacks Mockingbird

My Father’s Day plans involved sitting in my hammock, listening to the birds and enjoying the fruits of my labors. Then I heard a curious bird call and decided to see what species it was.

The Merlin App is one of my favorite apps for bird identification, it can take a picture of a bird and identify it. Similarly, it can use your microphone to perform audio analysis and recognition of bird calls which it then displays back to you. The odd sound I heard was identified as a Summer Tanager.

Merlin Sound Record - Automated API Attacks

The Merlin app told me this is a rare bird, and I was excited to have a bird that I had never observed in my back yard. Beaming, I looked at the other birds in the analysis. I have a nice little flock of song sparrows and love to hear them, the mourning doves are always around, the Robins rid my yard of the earthworm menace and pick all the fruit before I can. Using my binoculars, I spotted the resident Mockingbird in his favorite tree.

While watching him sing, the Merlin app was recording the Mockingbird and the app identified a song that I had not heard before. The Merlin analysis told me it was a Belted Kingfisher, which is odd because I don’t have their usual habitat. The app then told me I had a Yellow-Breasted Chat, a very rare bird for my area. My excitement was squashed when I realized I had been victimized by the ultimate imposter. The Northern Mockingbird was mimicking each of these bird calls perfectly. The only way I was able to determine the bird species that I was hearing was to see it. Or not.

Merlin Mockingbird Sound - Automated API Attacks

Separating Legitimate and Malicious Signals

One of the key things we do here at Cequence Security is to sit in-line and analyze inbound web and API traffic. Much like the Merlin app, our goal is to identify what the traffic is. Comparing this type of Mockingbird based attack to an automated attack on an API endpoint isn’t that hard to do.

Here we have this data coming to us. In standard analysis, we can see that this attacker is exhibiting 28 different user behaviors. Even a seasoned analyst might believe the data analysis and think they have a group of rare and unusual users. But as the saying goes, “whom you going to believe, the data or your own lying eyes”? I was watching the Mockingbird as it made the Belted Kingfisher’s sound. The data in front of me from 28 different users but it was coming from a single IP address – meaning it’s likely to be malicious.

Contrary to this behavior is the behavior of a recent attack at one of our customers. The attacker had obtained thousands of names and credit card numbers with Expiry, but the data set did not include the CVVs leaving them with 2 choices. Find the CVV and profit from the use of the cards to purchase items or, find the CVV and resell the list for more as this is now a vetted list of names, cards and CVVs.

To find the CVV, the attacker can create an account on a retail platform and buy something. Entering a random CVV will tell them if they guessed correctly. It’s a tad noisy though as most retail systems have follow-on systems to track orders that get abandoned or cancelled. Another technique is to place multiple $0 orders and enumerate the CVV until the correct one popped out. The attack would make too much noise and the $0 value technically wouldn’t generate any red flags or pop up on anyone’s screen. So, our first mock is for the $0 order. And to maintain anonymity the attacker mocks the IP address. Like the Yellow-Breasted Chat call I thought I heard, these transactions all appear to be legitimate traffic until more in-depth analysis is performed.

The first giveaway that this is Mockingbird traffic is the use of proxy infrastructure. Blocking policies for the $0 transactions are put in place, resulting in the blocking of unrelated attacks from the cheap proxy infrastructure. Like a Mockingbird that changes its tune as needed, our bad actor pivots to purchasing $0 gift cards and goes on to figure out if certain countries are blocked. The auditory cat and mouse game goes on and on, almost as annoying as the Mockingbird perched high in a Pine tree.

This attacker is utilizing operational timeframes that don’t fit the norm, finding times the solution is online or ready for an order. In each one of these cases, through all the changes in infrastructure, behavior, tools, and credentials, we knew it was that little Mockingbird all along.

Jason Kent

Jason Kent

Hacker in Residence

Additional Resources

New Research Discovers More Than 30% of All Malicious Attacks Target Shadow APIs. Learn more Arrow icon