APIs (Application Programming Interfaces) are the backbone of digital services as we transition to a direct, frictionless market where nearly everything is bought online. They silently support everything from insurance claims and retail checkouts to mobile banking and ride-hailing. Although they facilitate smooth data interchange and real-time communication, hostile actors are taking advantage of these open data channels, which is contributing to an increase in cybersecurity threats globally.
In 2024 alone, cyberattacks in India increased by 20% from Q1 to Q4. Indusface’s AppTrana platform blocked more than 7.15 billion malicious attempts on customer sites. Indusface’s most recent Annual State of Application Security Report shows that each site faced 6.9 million threats on average over the course of the year.
With 2.46 billion occurrences, distributed denial of service (DDoS) attacks continue to pose a threat to the entire world. With 30% more attacks per server than websites, APIs have become a major focus of risk. Compared to web-based DDoS occurrences, India logged 166% more API-related incidents, with 48% more bot-driven attacks. Bot activity increased by 132% during the holiday season alone, as hackers took advantage of moments of heavy traffic to compromise networks.
The 873% spike in attacks aimed at API vulnerabilities, which far outpaced the 94% increase in exploits related to websites, was one of the most concerning findings. Attacks are happening more quickly now that AI tools like ChatGPT are widely available and have made it simpler for inexperienced hackers to create and distribute harmful scripts.
Three sectors among the hardest hit
According to the analysis, attack patterns varied significantly by industry. Each website in the retail and e-commerce industry faced over a million attacks, and the number of DDoS incidents increased tenfold as fraud bots used carding and credential stuffing techniques to take advantage of payment systems. In the manufacturing sector, supply chains, ERP, and production activities were the targets of 1.37 million attacks per site, and DDoS threats increased sixfold. In the BFSI market, insurance companies encountered eight times as many vulnerability attacks and 2.5 times as many bot threats. This suggests that proactive, industry-specific cybersecurity measures are becoming increasingly necessary.
Healthcare and SMEs face unique challenges
Every monitored healthcare website encountered bot-driven attacks in 2024, highlighting the sector’s ongoing vulnerability. These automated threats posed serious risks to patient data and hospital infrastructure.
Small and medium-sized businesses, or SMEs, were disproportionately impacted, with 236% more DDoS attacks against them than against large businesses. Due to their limited access to specialized security teams and resources, they are frequently targeted for financial gain or disruption of operations.
This increase is indicative of a larger problem: organizations are implementing APIs more quickly than they are protecting them, which results in significant security flaws. A third of the more than 26,000 significant vulnerabilities that were discovered in 2024 went unpatched for more than six months, putting companies at risk.
Using various attack vectors according to industry, application kind, and firm size, cybercriminals are always changing their strategies. For instance, compared to web apps, APIs experience twice as many attacks per host. Similarly, compared to other industries, the insurance sector experiences 2.5 times as many bot attacks per app, according to Ashish Tandon, founder and CEO of Indusface.
“Investing in all-in-one, AI-powered AppSec systems that quickly adjust to these changing threats will help security teams stay ahead of the competition. But even with AI, human supervision is necessary to avoid AI hallucinations and guarantee continuous commercial operations,” Tandon continued.