Criminals target APIs as web attacks skyrocket globally
More than a third of web attacks target APIs as AI expands attack surfaces and brings new security challenges


The number of web attacks around the world is surging, with APIs emerging as the primary target.
In total, there were 311 billion web attacks in 2024, up 33% on the year before. Europe, the Middle East and Africa accounted for 62 billion of these attacks - up 16% year-on-year.
More than 230 billion web attacks targeted commerce organizations, making commerce the most impacted industry, with nearly three times as many attacks as the second most attacked sector, high technology.
According to Akamai's State of Apps and API Security 2025 report, more than a third of web attacks targeted APIs, with 150 billion API attacks from January 2023 through December 2024.
The report noted that AI is expanding attack surfaces and introducing new security challenges, thanks to the integration of AI-driven tools with core platforms via APIs.
Most AI-powered APIs are externally accessible and many rely on inadequate authentication mechanisms - something criminals are taking advantage of.
"AI is transforming web and API security, enhancing threat detection but also creating new challenges," said Rupesh Chokshi, senior vice president and general manager of Akamai’s Application Security Portfolio.
The research also revealed a dramatic rise in Layer 7 (application-layer) distributed denial-of-service (DDoS) attacks against web applications and APIs.
Quarterly attack volumes nearly doubled year-over-year between the first quarter of 2023 and the end of 2024 - indeed, there were 1.1 trillion in December 2024 alone.
This growth, Akamai said, is due to the growing sophistication of bot-driven attacks, the persistence of HTTPS flooding as a primary attack vector, and the prevalence of Layer 7 DDoS attacks targeting the high technology industry.
Here, the most affected industry was the high technology sector, with seven trillion Layer 7 DDoS attacks between January 2023 and December 2024.
Other findings of the report included a rise of 32% in Open Worldwide Application Security Project (OWASP) API Security Top 10-related incidents, with authentication and authorization flaws exposing sensitive data and functionality.
Security alerts related to the MITRE security framework were also up by 30%, as attackers move to advanced techniques such as automation and AI to exploit APIs.
Similarly, shadow and zombie APIs - outdated interfaces that remain active because of incomplete decommissioning, staff turnover, or other reasons - are often missed in inventories, making them particularly vulnerable.
Indeed, the research indicated that one-third of malicious API transactions target shadow APIs.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.