The Federal Bureau of Investigation (FBI) warns of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks without being tracked, flagged, or blocked.
The warning was issued as a Private Industry Notification on the Bureau’s Internet Crime Complaint Center (IC3) late last week to raise awareness among internet platform admins who need to implement defenses against credential stuffing attacks.
Credential stuffing is a type of attack where threat actors use large collections of username/password combinations exposed in previous data breaches to try and gain access to other online platforms.
Because people commonly use the same password at every site, cybercriminals have ample opportunity to take over accounts without cracking passwords or phishing any other information.
“Malicious actors utilizing valid user credentials have the potential to access numerous accounts and services across multiple industries – to include media companies, retail, healthcare, restaurant groups and food delivery – to fraudulently obtain goods, services, and access other online resources such as financial accounts at the expense of legitimate account holders,” details the FBI’s announcement.
Use of residential proxies
Because credential stuffing attacks carry specific characteristics that differentiate them from regular login attempts, websites can easily detect and stop them.
To override basic protections, the FBI warns that threat actors are using residential proxies to hide their actual IP address behind ones commonly associated with home users, which are unlikely to be present in blocklists.
Proxies are online servers that accept and forward requests, making it appear like a connection is from them rather than the actual initiator (attacker).
Residential proxies are preferable over data center-hosted proxies because they make it harder for protection mechanisms to discern between suspicious and regular consumer traffic.
Typically, these proxies are made available to cybercriminals by hacking legitimate residential devices such as modems or other IoTs or through malware that converts a home user’s computer into a proxy without their knowledge.
Using these tools, cybercriminals automate credential stuffing attacks, with bots attempting to log in across numerous sites using previously stolen login credentials.
Moreover, some of these proxy tools offer the option to brute-force account passwords or include “configs” that modify the attack to accommodate particular requirements, like having a unique character, minimum password length, etc.
The FBI says credential stuffing attacks are not limited to websites and have been seen targeting mobile applications due to their poor security.
“Cyber criminals may also target a company’s mobile applications as well as the website,” warns the FBI advisory.
“Mobile applications, which often have weaker security protocols than traditional web applications, frequently permit a higher rate of login attempts, known as checks per minute (CPMs), facilitating faster account validation.”
In a joint operation involving the FBI and the Australian Federal Police, the agencies investigated two websites that contained over 300,000 unique sets of credentials obtained through credential stuffing attacks.
The FBI says these websites counted over 175,000 registered users and generated over $400,000 in sales for their services.
What admins should do
FBI’s advisory urges administrators to follow certain practices to help protect their users from losing their accounts to credential stuffing attacks, even when they use weak passwords.
The key points include:
Offer MFA (multi-factor authentication) and encourage or even enforce its adoption by all accounts.
Download widely available leaked credentials and compare them to customer accounts to find matches and force password resets.
Use fingerprinting checks to ensure the person trying to log in is the account’s owner.
Identify and monitor default user agent strings used by credential stuffing attack tools.
Search and discover what configurations proxy tools use for your website, and implement targeted changes to render them worthless.
Implement “shadow-banning” to limit what suspicious users/accounts can do on the platform without blocking them.
Regular users can protect themselves by activating MFA on their accounts, using strong and unique passwords, and remaining vigilant against phishing attempts.