Defending The Gig Economy Against API Attacks

DeepSeek, the Chinese Large Language Model (LLM), has exploded onto the AI scene disrupting the nascent market. The open source technology has made available the blueprint to train its models and delivers generative AI (GenAI) computing at a fraction of the cost of its rivals due to lower power consumption.

The net effect of those differences is that DeepSeek will democratise GenAI, making it much easier for organisations to harness and benefit from the technology. 

One of the sectors expected to benefit significantly from a more accessible and affordable GenAI is the gig economy. Renowned for its disruptive start-ups, the sector is defined by the UK government as involving “the exchange of labour for money between individuals or companies via digital platforms that actively facilitate matching between providers and customers, on a short-term and payment-by-task basis”. GenAI could help these businesses become more intuitive and efficient by matching freelancers and clients, interpreting feedback and translating it into action, and generating content, allowing companies to find more opportunities and deliver better results to clientele. 

However, LLMs are not infallible. DeepSeek succumbed to a ‘large scale malicious attack’ that forced the company to temporarily suspend new registrations at the end of January, although it was able to quickly recover. But this has refocused attention on the susceptibility of the technology to attack and comes hard on the heels of numerous other stories concerning skewed results, hallucinations and data leakage, all of which could prove crippling for businesses that come to rely on it heavily. 

Attack Paths

These issues have been documented by the OWASP industry group which has a project specifically devoted to LLM security and has just updated its Top 10 for LLM Applications for 2025. The list covers the most critical exploits and vulnerabilities associated with the technology, including sensitive information disclosure, supply chain attacks and unbounded consumption.

Many of these issues involve the abuse of a component that is integral to the way GenAI works: the Application Programming Interface (API).

APIs are essential for LLMs to connect to one another and access data at very high speed. They’re also the reason why we have a gig economy in the first place, as they facilitate the provision of real-time services and the processing of payments, as well as connecting all of the ecosystem players.

So not only does GenAI need APIs, so too does the gig economy, meaning both should be prioritising API security.

In addition, we need to remember that threat actors will also be leveraging GenAI technology to orchestrate attacks. The technology can allow the attacker to ‘humanise’ their assault, making it much more difficult for the business to detect rogue activity.

Effects On Gig Businesses

Such attacks against gig economy APIs could have devastating consequences. If we consider ride sharing and delivery platforms, for example, these use APIs to facilitate real-time matching between drivers and customers. Attacks against these via GenAI could see the use of advanced scraping techniques to extract pricing data, or AI-powered bots to simulate customer requests, overwhelming the platform’s systems. 

Similarly, job marketplace platforms that seek to match recruiters with candidates could see AI used to generate fake jobs and manipulate proposals or to automate scraping of sensitive freelancer information, enabling competitors to undercut prices or steal business. 

Online staffing agencies could see GenAI technologies used to automate job application fraud or even hijack worker accounts, submitting fraudulent claims for job completions or manipulating availability slots. Tutoring platforms could be subjected to fake tutoring sessions, see payment structures manipulated or refund systems abused, all through APIs that handle transactions, communications, and scheduling. And content creation platforms could see attackers create massive bot networks to siphon off ad revenue or manipulate engagement metrics like views or likes.

Such attacks could prove devastating, damaging customer trust, causing loss of revenue and ceding market share, so it’s vital these gig economy businesses adopt comprehensive API security strategies. They need to be able to combat the scraping, prevent account takeover, mitigate payment fraud, block business logic abuse and protect against the creation of fraudulent postings and interactions, all powered by GenAI. 

Countering Attacks

The problem they have today is that many are using traditional application defence solutions, which are the wrong tool for the job for three reasons.

  • Firstly, they rely on embedding code into end-user applications and devices, which can allow attackers to conduct reverse engineering or bypass these systems altogether by using AI-generated scripts that mimic human behaviour.
  • Secondly, they are designed for end user interactions, not API calls, so will struggle to detect AI-automated bots performing scraping or volumetric attacks.
  • Finally, these solutions are reactive, slow, and ineffective in recognising the complex patterns and subtle behaviours that are the main giveaway when it comes to GenAI-enabled attacks.

Countering these attacks against gig economy APIs will therefore require a more comprehensive, API-specific approach. These businesses will need to use advanced bot management that utilises machine learning to detect abnormal scraping patterns and block them in real time, particularly when it comes to blocking GenAI attacks that mimic humans. They’ll need to leverage entity behaviour analytics to recognise suspicious login attempts and stop account takeover attempts. And they’ll need to monitor payment behaviours for anomalies and use machine learning to detect and block fraudulent activities so that only genuine requests are allowed to pass through.
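To make the three controls just named concrete, here is an added example (written for this edit; it is not code from the article or from Cequence Security) that runs simple behaviour checks over API access-log records: sequential ID enumeration as a scraping signal, failed logins spread across many accounts as an account-takeover signal, and refund amounts far above the observed baseline as a payment anomaly. The log format, the endpoint paths (`/v1/jobs/{id}`, `/v1/login`, `/v1/refunds`), the client identifiers and all thresholds are assumptions chosen for the example; the log lines are constructed, not real traffic.

```python
"""Behaviour-based API abuse checks over constructed access-log lines.

Assumed line format (an assumption for this example, not a real product format):
    <ts> <client_id> <METHOD> <path> <status> [key=value ...]
"""
from collections import defaultdict
import re
import statistics

# Constructed sample log: one normal job browser, one enumerating bot, one
# user with a single typo'd password, one credential-stuffing client and a
# batch of refunds with a single outlier. All values are made up.
SAMPLE_LOG = """\
1000 app-7f GET /v1/jobs/105 200
1001 app-7f GET /v1/jobs/342 200
1002 app-7f GET /v1/jobs/77 200
1003 bot-1 GET /v1/jobs/1000 200
1003 bot-1 GET /v1/jobs/1001 200
1003 bot-1 GET /v1/jobs/1002 200
1004 bot-1 GET /v1/jobs/1003 200
1004 bot-1 GET /v1/jobs/1004 200
1004 bot-1 GET /v1/jobs/1005 200
1005 bot-1 GET /v1/jobs/1006 200
1005 bot-1 GET /v1/jobs/1007 200
1005 bot-1 GET /v1/jobs/1008 200
1006 bot-1 GET /v1/jobs/1009 200
1010 app-9 POST /v1/login 401 user=dana
1011 app-9 POST /v1/login 200 user=dana
1012 bot-2 POST /v1/login 401 user=alice
1012 bot-2 POST /v1/login 401 user=bob
1013 bot-2 POST /v1/login 401 user=carol
1013 bot-2 POST /v1/login 401 user=dave
1014 bot-2 POST /v1/login 401 user=erin
1020 app-3 POST /v1/refunds 201 amount=10.00
1021 app-4 POST /v1/refunds 201 amount=12.50
1022 app-5 POST /v1/refunds 201 amount=9.00
1023 app-6 POST /v1/refunds 201 amount=11.00
1024 acct-x POST /v1/refunds 201 amount=250.00
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?P<extra>(?: \w+=\S+)*)$"
)
JOB_RE = re.compile(r"^/v1/jobs/(\d+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m.group("extra").split())
        events.append({"ts": int(m.group("ts")), "client": m.group("client"),
                       "method": m.group("method"), "path": m.group("path"),
                       "status": int(m.group("status")), "attrs": attrs})
    return events


def detect_scraping(events, min_requests=8, min_sequential_ratio=0.8):
    """Flag clients whose job lookups walk IDs one by one: a human browses,
    a scraper enumerates. Returns {client: {"requests", "sequential_ratio"}}."""
    ids_by_client = defaultdict(list)
    for e in events:
        m = JOB_RE.match(e["path"])
        if e["method"] == "GET" and m:
            ids_by_client[e["client"]].append(int(m.group(1)))
    flagged = {}
    for client, ids in ids_by_client.items():
        if len(ids) < min_requests:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[client] = {"requests": len(ids), "sequential_ratio": round(ratio, 2)}
    return flagged


def detect_credential_stuffing(events, min_failures=5, min_accounts=4):
    """Flag clients with many failed logins across many distinct accounts.
    One user mistyping their own password produces few failures on one account."""
    failures, accounts = defaultdict(int), defaultdict(set)
    for e in events:
        if e["path"] == "/v1/login" and e["method"] == "POST" and e["status"] == 401:
            failures[e["client"]] += 1
            accounts[e["client"]].add(e["attrs"].get("user", "?"))
    return {c: {"failures": failures[c], "accounts": len(accounts[c])}
            for c in failures
            if failures[c] >= min_failures and len(accounts[c]) >= min_accounts}


def detect_refund_anomalies(events, max_ratio=3.0):
    """Flag refunds larger than max_ratio times the median refund in the log.
    The median is the baseline; a production system would use a rolling one."""
    refunds = [(e["client"], float(e["attrs"]["amount"])) for e in events
               if e["path"] == "/v1/refunds" and e["method"] == "POST"
               and "amount" in e["attrs"]]
    if not refunds:
        return []
    baseline = statistics.median(amount for _, amount in refunds)
    return [(client, amount) for client, amount in refunds if amount > max_ratio * baseline]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scraping:", detect_scraping(evs))
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("refund anomalies:", detect_refund_anomalies(evs))
```

The point of the example is the shape of the signals rather than the thresholds: each check keys on per-entity behaviour over a sequence of API calls, which is what a per-request filter embedded in the client application cannot see. On the constructed log, only `bot-1`, `bot-2` and the `acct-x` refund are flagged; the ordinary browser, the user who mistyped a password once and the four normal refunds pass.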

There’s little doubt that the GenAI market is moving fast and likely to act as a major enabler for the gig economy. But it also has the power to be hugely destructive when that technology is used for malicious purposes.

Gig economy businesses and their ecosystem of partners will need to reappraise their business models in the wake of these forces and grapple with the threat posed to their APIs, otherwise they run the risk of being ill-equipped to fight off such attacks.

James Sherlow is Systems Engineering Director, EMEA, Cequence Security
