The Federal Bureau of Investigation (FBI) warned about the prevalent use of proxies and configurations to mask and automate credential stuffing attacks. Threat actors extensively leveraged residential proxies instead of those connected to data centers to avoid triggering suspicious behavior monitors, warned the FBI.
“Credential stuffing attacks, commonly referred to as account cracking, apply valid username and password combinations, also known as user credentials or ‘combo lists,’ from previously compromised online resources or data leaks,” the FBI explained.
The FBI’s Internet Crime Center (IC3), assisted by the Australian Federal Police, issued the Private Industry Notification to warn potential victims of credential stuffing attacks.
According to the agency, the attacks mainly targeted media companies, retail, healthcare, restaurant, and food delivery companies. Their impacts include financial losses from fraudulent purchases, system downtime, customer notification costs, and reputational damage.
Valid credentials from credential stuffing attacks on sale on public websites
The FBI observed two publicly accessible websites with over 175,000 registered customers. These surface-web sites were selling over 300,000 unique sets of credentials stolen via credential stuffing attacks and had transacted over $400,000.
Additionally, cybercriminals sold hacking configurations targeting specific websites and password-cracking tools to other attackers on the dark web.
The configs contained the target website's address, how to form the HTTP login request, how to tell successful attempts from unsuccessful ones, and whether login proxies were required.
Similarly, they provided video tutorials on the dark web and social media, teaching others how to breach accounts via credential stuffing attacks and other methods.
“Attackers are reaching a new level of sophistication well beyond what passwords and even MFA can handle alone,” said Gunnar Peterson, CISO at Forter. “This is because the attacks target the access control and identity provisioning layers to bypass protections that surround company data and accounts.”
Mobile applications are more vulnerable to credential stuffing attacks
The FBI warned that attackers targeted both websites and mobile applications. However, mobile apps are easier to crack because they have weaker security protocols.
Additionally, mobile apps allowed more login attempts, increasing the number of checks per minute (CPMs), thus guaranteeing faster validation of stolen login credentials.
The FBI observed that threat actors frequently used Burp Suite, Fiddler, and Wireshark to understand the authentication mechanism of websites and mobile applications.
Hackers use residential proxies to circumvent website defenses
FBI says threat actors leverage proxies and configurations to attack companies’ mobile applications or websites.
Attackers purchased residential proxies to hide IP addresses that websites would otherwise block because they originate from specific geographic regions.
The alert stated that attackers prefer residential proxies because they generate less suspicious activity than proxies connected to data centers. Thus, security protocols rarely block or flag residential proxies compared to their data center counterparts.
“In executing successful credential stuffing attacks, cyber-criminals have relied extensively on the use of residential proxies, which are connected to residential internet connections and therefore are less likely to be identified as abnormal,” the agency observed.
Hackers usually obtain residential proxies by compromising vulnerable network devices such as home routers and IoT devices without the owners’ knowledge.
FBI’s recommendations on credential stuffing attacks
The FBI recommended enabling multi-factor authentication (MFA) as an additional layer to defend against credential stuffing attacks, especially from unusual or unexpected countries.
The agency also encouraged online services to apply digital fingerprinting techniques to detect when one user or IP address attempts to log in across multiple accounts.
Websites and mobile apps should also apply shadow banning, which limits a user’s access to an account without any visible indication. Shadow banning prevents an attacker from determining whether stolen credentials are valid.
Additionally, website and mobile application operators should monitor user agent strings used in credential stuffing tools and block them.
Organizations should also search for account-cracking configurations tailored for their websites and change the target website’s configurations to render the configs ineffective.
Lastly, website operators should avoid solely relying on CAPTCHAs to prevent credential stuffing attacks because attackers could effortlessly solve CAPTCHAs using automated tools.
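As an added illustration of the fingerprinting, user-agent monitoring and shadow-banning recommendations above (example code, not from the FBI notice or this article; the log format, the user-agent block list and the per-IP threshold are assumptions):

```python
"""Flag credential-stuffing patterns in constructed auth logs and apply a shadow ban.
Added example; the log format, block list and threshold below are assumptions."""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic): timestamp ip account result user-agent
SAMPLE_LOG = """\
2022-09-01T10:00:01Z 203.0.113.7 alice FAIL Mozilla/5.0
2022-09-01T10:00:02Z 203.0.113.7 bob FAIL Mozilla/5.0
2022-09-01T10:00:02Z 203.0.113.7 carol OK Mozilla/5.0
2022-09-01T10:00:03Z 203.0.113.7 dave FAIL Mozilla/5.0
2022-09-01T10:00:04Z 203.0.113.7 erin FAIL Mozilla/5.0
2022-09-01T10:00:05Z 198.51.100.9 frank FAIL example-stuffer/1.0
2022-09-01T10:00:09Z 192.0.2.44 alice FAIL Mozilla/5.0
2022-09-01T10:00:12Z 192.0.2.44 alice OK Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL) (.+)$")
# Hypothetical block list of user-agent substrings associated with cracking tools.
BLOCKED_UA_SUBSTRINGS = ("example-stuffer",)
MAX_ACCOUNTS_PER_IP = 3  # assumed threshold: one source trying more accounts than this is suspect

def parse(log):
    """Return (timestamp, ip, account, result, user_agent) tuples for well-formed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events

def flag_sources(events):
    """Map each suspicious IP to the reason it was flagged."""
    accounts_per_ip = defaultdict(set)
    flagged = {}
    for _ts, ip, account, _result, ua in events:
        accounts_per_ip[ip].add(account)
        if any(s in ua for s in BLOCKED_UA_SUBSTRINGS):
            flagged[ip] = "blocked-user-agent"
    for ip, accounts in accounts_per_ip.items():
        if len(accounts) > MAX_ACCOUNTS_PER_IP:
            flagged.setdefault(ip, "many-accounts-one-ip")
    return flagged

def login_response(ip, credentials_valid, flagged):
    """Shadow ban: a flagged source gets the same generic failure whether or not the
    credentials are valid, so it cannot learn which stolen pairs still work."""
    if ip in flagged:
        return "login_failed"
    return "login_ok" if credentials_valid else "login_failed"
```

In production the same counting would be keyed on a device fingerprint as well as the IP, since residential proxies rotate the address while the client fingerprint often stays constant.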
“When an attacker can leverage a password, account profile reset, or MFA prompt for malicious purposes, the company’s protective layer falls away,” Peterson added. “This means that technologies like fingerprinting and account takeover monitoring are more important than they have ever been.”
According to Ralph Pisani, President of Exabeam, the cybersecurity industry must rethink the use of passwords to stop attacks before they succeed.
“Credentials are supposed to be the castle’s front gates – they are the new perimeter, but SOCs still fail to detect credential-based attacks,” Pisani said.
He recommended “proper education, feedback loops, visibility, and effective technical capabilities” to address leaked credentials.
“The recent privacy industry notification by the U.S. FBI is a stark reminder that organizations and their website users still have a lot to learn about effective password safety,” said Neil Jones, director of cybersecurity evangelism, Egnyte.
“Unfortunately, weak passwords can become a literal playground for cyber-attackers, particularly when they gain access to your organization’s remote access solution to view corporate users’ ID details or to email systems to impersonate your legitimate employees.”