Credential Stuffing by Proxy

The US Federal Bureau of Investigation (FBI) has issued a Private Industry Notification warning of malicious cyber actors using proxies and configurations for credential stuffing attacks on organizations within the United States.

See:  https://www.ic3.gov/Media/News/2022/220818.pdf

Credential stuffing is a form of brute force attack that uses leaked user credentials, or credentials purchased on the Dark Web, and takes advantage of the fact that many individuals reuse usernames and passwords across multiple online accounts.  Proxies and configurations allow cybercriminals to hide and automate credential stuffing attacks across many accounts.  The FBI points out that media companies and restaurant groups are of particular interest to threat actors because of the number of customer accounts they hold, the general demand for their services, and the relative lack of importance users place on these accounts.[1]

The FBI and the Australian Federal Police investigated two publicly available websites that sell compromised credentials from popular online services.  They found them to contain over 300,000 unique credentials obtained through credential stuffing attacks.  The two sites had over 175,000 registered customers and over $400,000 in sales.

In addition to these lists being available, cybercriminals can purchase proxies and configurations.  The FBI discusses why proxies can be a popular choice:

"Actors may opt to use proxies purchased from proxy services, including legitimate proxy service providers, to bypass a website's defenses by obfuscating the actual IP addresses, which may be individually blocked or originate from certain geographic locations or regions.

In executing successful credential stuffing attacks, cybercriminals have relied extensively on residential proxies connected to residential internet connections and therefore are less likely to be identified as abnormal."

"Cyber criminals can acquire configurations or 'configs,' which facilitate attacks by customizing credential stuffing tools to access a particular target website.  The config may include the website address to target, how to form the HTTP request, how to differentiate between a successful vs unsuccessful login attempt, whether proxies are needed, etc."

The FBI has six specific recommendations for end-users to defend against these types of attacks:

  • Enable multi-factor authentication (MFA). MFA adds additional protection against credential stuffing attacks and is particularly helpful when a login request derives from an unusual location, such as an unexpected country.
  • Educate users to avoid choosing passwords that have appeared in data breaches. Multiple websites maintain databases of breached usernames and passwords. Require all accounts to have strong, unique passphrases. Passphrases should not be reused across multiple accounts.
  • Download publicly available credential lists, test them against your customer accounts, and force password resets for customer accounts that use compromised credentials.
  • Use fingerprinting. Fingerprinting allows websites to analyze information about clients to detect unusual activity, like attempts by a single IP address to log into several different accounts.
  • Research and consider implementing shadow banning. When a user is shadowbanned, their activities are not propagated to other users or system data and so do not impact the system. Because shadow banning limits users' activities in a way that is not apparent, the user is unaware their access is limited. Combined with fingerprinting, shadow banning can prevent account crackers from determining the legitimacy of credentials used during a login attempt. Ideally, shadow banning should be configured so that response times to requests from banned and non-banned IPs are indistinguishable.
  • Identify and monitor default user agent strings used by credential stuffing attack tools.
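To make the fingerprinting and user-agent recommendations concrete, here is an added example (not from the FBI notification or this post) that runs two simple detections over constructed login records: one IP attempting logins against many distinct accounts inside a time window, and user-agent strings on a defender-maintained watchlist. The log format, the thresholds, the `ExampleStuffer/1.0` agent string and the IP addresses are all constructed assumptions, not real indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, account, outcome, user agent).
# Addresses are documentation ranges; the tool user agent is a placeholder.
SAMPLE_LOG = """\
2022-08-18T10:00:01Z 198.51.100.7 alice ok Mozilla/5.0 (Windows NT 10.0) Firefox/103.0
2022-08-18T10:00:02Z 203.0.113.9 user001 fail ExampleStuffer/1.0
2022-08-18T10:00:02Z 203.0.113.9 user002 fail ExampleStuffer/1.0
2022-08-18T10:00:03Z 203.0.113.9 user003 fail ExampleStuffer/1.0
2022-08-18T10:00:03Z 203.0.113.9 user004 ok ExampleStuffer/1.0
2022-08-18T10:00:04Z 203.0.113.9 user005 fail ExampleStuffer/1.0
2022-08-18T10:05:00Z 192.0.2.44 bob fail Mozilla/5.0 (Macintosh) Safari/605.1
2022-08-18T10:05:30Z 192.0.2.44 bob ok Mozilla/5.0 (Macintosh) Safari/605.1
"""

# Placeholder watchlist; a real one is built from observed tool defaults.
UA_WATCHLIST = {"ExampleStuffer/1.0"}

def parse_log(text):
    """Split each line into (timestamp, ip, account, outcome, user_agent)."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome, ua = line.split(" ", 4)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome, ua))
    return events

def detect_stuffing(events, max_accounts=3, window=timedelta(minutes=5)):
    """Return {ip: set(reasons)} for IPs showing credential-stuffing indicators."""
    findings = defaultdict(set)
    per_ip = defaultdict(list)  # ip -> [(timestamp, account)] seen so far
    for ts, ip, account, _outcome, ua in sorted(events):
        if ua in UA_WATCHLIST:
            findings[ip].add("watchlisted_user_agent")
        per_ip[ip].append((ts, account))
        # Sliding window: distinct accounts this IP touched within `window`.
        recent = {a for t, a in per_ip[ip] if ts - t <= window}
        if len(recent) > max_accounts:
            findings[ip].add("many_accounts_single_ip")
    return dict(findings)

def accounts_to_reset(events, findings):
    """Accounts that logged in successfully from a flagged IP: reset candidates."""
    return sorted({a for _t, ip, a, outcome, _ua in events if outcome == "ok" and ip in findings})

if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, reasons in hits.items():
        print(ip, sorted(reasons))
    print("force reset:", accounts_to_reset(parse_log(SAMPLE_LOG), hits))
```

The threshold and window should be tuned to the site's normal traffic (shared NAT egress points will legitimately touch several accounts), and a watchlist match alone is weak evidence, since agent strings are trivially changed.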

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization, and this analyst does not necessarily agree with the above analysis.  But we all see things differently.  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.secureworld.io/industry-news/fbi-proxies-credential-stuffing/
