FBI warns of residential proxies used in credential stuffing attacks – BleepingComputer

The Federal Bureau of Investigation (FBI) warns of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks without being tracked, flagged, or blocked.

The warning was issued as a Private Industry Notification on the Bureau's Internet Crime Complaint Center (IC3) late last week to raise awareness among internet platform admins who need to implement defenses against credential stuffing attacks.

Credential stuffing is a type of attack where threat actors use large collections of username/password combinations exposed in previous data breaches to try and gain access to other online platforms.

Because people commonly use the same password at every site, cybercriminals have ample opportunity to take over accounts without cracking passwords or phishing any other information.

"Malicious actors utilizing valid user credentials have the potential to access numerous accounts and services across multiple industries to include media companies, retail, healthcare, restaurant groups and food delivery to fraudulently obtain goods, services, and access other online resources such as financial accounts at the expense of legitimate account holders," details the FBI's announcement.

Because credential stuffing attacks carry specific characteristics that differentiate them from regular login attempts, websites can easily detect and stop them.

To bypass basic protections, the FBI warns that threat actors are using residential proxies to hide their actual IP address behind ones commonly associated with home users, which are unlikely to be present in blocklists.

Proxies are online servers that accept and forward requests, making it appear like a connection is from them rather than the actual initiator (attacker).

Residential proxies are preferable over data center-hosted proxies because they make it harder for protection mechanisms to discern between suspicious and regular consumer traffic.

Typically, these proxies are made available to cybercriminals by hacking legitimate residential devices such as modems or other IoT devices, or through malware that converts a home user's computer into a proxy without their knowledge.

Using these tools, cybercriminals automate credential stuffing attacks, with bots attempting to log in across numerous sites using previously stolen login credentials.

Moreover, some of these proxy tools offer the option to brute-force account passwords or include "configs" that modify the attack to accommodate particular requirements, like having a unique character, minimum password length, etc.

The FBI says credential stuffing attacks are not limited to websites and have been seen targeting mobile applications due to their poor security.

"Cyber criminals may also target a company's mobile applications as well as the website," warns the FBI advisory.

"Mobile applications, which often have weaker security protocols than traditional web applications, frequently permit a higher rate of login attempts, known as checks per minute (CPMs), facilitating faster account validation."
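As an added illustration (not code from the advisory or from BleepingComputer), the following Python compares a per-IP rule with a site-wide rate rule over a constructed login log: when each leaked credential pair is tried once from a different residential IP, no single address trips the per-IP threshold, but the site-wide failed-login count per minute (the "checks per minute" the advisory refers to) and the failure ratio still stand out. The log format, IP addresses, usernames and thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the advisory): "<ISO time> <ip> <username> <ok|fail>".
# Minute 10:00 is normal traffic from a few home IPs.
SAMPLE_LOG = [
    "2024-05-01T10:00:05 198.51.100.10 alice ok",
    "2024-05-01T10:00:21 198.51.100.11 bob ok",
    "2024-05-01T10:00:40 198.51.100.12 carol fail",
    "2024-05-01T10:00:41 198.51.100.12 carol ok",
]
# Minute 10:01 is credential stuffing through residential proxies: every leaked pair is
# tried once from a different IP, so no address repeats; two reused passwords still work.
SAMPLE_LOG += [
    f"2024-05-01T10:01:{i:02d} 203.0.113.{i} user{i:03d} {'ok' if i in (7, 19) else 'fail'}"
    for i in range(30)
]

def parse(lines):
    """Turn log lines into (minute, ip, username, succeeded) tuples."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        minute = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:%M")
        events.append((minute, ip, user, result == "ok"))
    return events

def noisy_ips(events, max_distinct_users=5):
    """Per-IP rule: source addresses that tried more than N distinct usernames."""
    users_by_ip = defaultdict(set)
    for _, ip, user, _ in events:
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) > max_distinct_users}

def minute_stats(events):
    """Site-wide per-minute totals: (attempts, failures, distinct source IPs)."""
    stats = defaultdict(lambda: [0, 0, set()])
    for minute, ip, _, ok in events:
        stats[minute][0] += 1
        stats[minute][1] += 0 if ok else 1
        stats[minute][2].add(ip)
    return {m: (a, f, len(ips)) for m, (a, f, ips) in stats.items()}

def stuffing_minutes(events, max_failed=10, max_fail_ratio=0.5):
    """Minutes whose failed logins per minute and failure ratio both exceed baseline,
    whatever the number of source IPs (the rule residential proxies do not defeat)."""
    return sorted(m for m, (attempts, failed, _) in minute_stats(events).items()
                  if failed > max_failed and failed / attempts > max_fail_ratio)
```

On the constructed data, noisy_ips() finds nothing because each proxy IP is used once, while stuffing_minutes() flags 10:01 with 28 failures spread over 30 distinct addresses.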

In a joint operation involving the FBI and the Australian Federal Police, the agencies investigated two websites that contained over 300,000 unique sets of credentials obtained through credential stuffing attacks.

The FBI says these websites counted over 175,000 registered users and generated over $400,000 in sales for their services.

FBI's advisory urges administrators to follow certain practices to help protect their users from losing their accounts to credential stuffing attacks, even when they use weak passwords.

The key points include:

Regular users can protect themselves by activating MFA on their accounts, using strong and unique passwords, and remaining vigilant against phishing attempts.
