The Federal Bureau of Investigation (FBI) has raised an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the United States.
Creedential stuffing attacks, also called account cracking, involve trying to access online accounts using username and password combinations from existing data leaks or which were purchased on dark web portals.
Relying on the fact that users often reuse the same logins for multiple accounts, credential stuffing attacks often lead to significant financial losses caused by fraudulent purchases and system downtime and remediation, but also result in reputational damage.
The use of valid credentials allows cybercriminals to access accounts and services across a variety of industries, including media companies, healthcare, retail chains, restaurant groups, and food delivery firms.
Once accounts are compromised, the attackers make fraudulent purchases of goods and services, and also attempt to access additional online resources, including financial accounts, the FBI said in an advisory [PDF].
Proxies and configurations, the Bureau warns, allow cybercriminals to automate the brute-forcing and exploitation of accounts.
“In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts,” the FBI said.
The agency warned that cybercriminals can purchase ‘combo lists’ of usernames and passwords from dedicated forums and websites, along with configurations or ‘configs’, which allow them to customize credential stuffing tools for specific targets.
The config may include the website’s address, HTTP request format, how to recognize successful attempts, whether proxies are required, and the like. The FBI also warns that cybercriminals can access video tutorials to learn how credential stuffing can be used to crack accounts.
Working with the Australian Federal Police, the FBI said it identified two websites selling more than 300,000 unique sets of credentials to more than over 175,000 registered customers.
To bypass defenses, threat actors may employ proxies, including legitimate proxy services, to obfuscate their actual IP addresses. According to the FBI, cybercriminals have extensively used residential proxies to execute credential stuffing attacks, as these are blocked less frequently compared to proxies associated with data centers.
“In some instances, actors conduct credential stuffing attacks without the use of proxies, requiring less time and financial resources to execute. Some cracking tools, including one of the most popular automated attack tools, allow actors to run the software without proxies,” the FBI added.
In some observed attacks, a company’s mobile applications are also targeted, as they often have weaker security protocols and may permit a higher rate of login attempts. Using packet capture software, the attackers learn about the authentication mechanism employed by the target, and then create custom configurations for credential stuffing activities.
To mitigate such attacks, the FBI recommends that organizations enable multi-factor authentication (MFA), educate users on good password hygiene, use fingerprinting to detect unusual activity, implement shadow banning (limiting user access), use strong security protocols in mobile applications, check online for configurations tailored for their websites and for compromised user credentials, and employ cloud protection services.