FBI: Cyber criminals use proxies and configs to mask credential stuffing attacks


The Federal Bureau of Investigation (FBI) has released a cybersecurity advisory describing the proxies and configurations malicious actors use to mask and automate credential stuffing attacks against organizations. Successful attacks lead to financial losses from fraudulent purchases, customer notifications, system downtime and remediation, as well as reputational damage.

Credential stuffing is a type of brute force attack that reuses credentials compromised in a data breach or bought on dark web markets. Because the credentials are valid, the attacker logs in rather than guessing, and since many people reuse passwords, the same username and password pair often unlocks accounts across multiple industries, including healthcare and retail.

“In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts,” the advisory says.

Working together, the FBI and the Australian Federal Police identified two websites selling compromised credentials. Between them, the sites held more than 300,000 unique sets of credentials obtained via credential stuffing, had over 175,000 registered customers and had made over $400,000 in sales.

In addition to “combo lists” (valid username and password pairs), malicious actors use configurations, or “configs”, tailored to a particular target website. A config may include the address of the site to target, how to form the HTTP login request, how to tell a successful attempt from a failed one, and whether proxies are needed.

“In addition, cracking tutorial videos available via social media platforms and hacker forums make it relatively easy to learn how to crack accounts using credential stuffing and other techniques. Actors may opt to use proxies purchased from proxy services, including legitimate proxy service providers, to facilitate bypassing a website’s defenses by obfuscating the actual IP addresses, which may be individually blocked or originate from certain geographic regions,” the FBI says.

The advisory also provides recommendations to help organizations and businesses prevent credential stuffing attacks. The recommended defensive measures include: enabling multi-factor authentication (MFA); educating users to avoid choosing passwords that have appeared in data breaches; forcing password resets for customer accounts that use compromised credentials; using techniques such as fingerprinting to detect unusual activity; implementing shadow banning; monitoring for the default user agent strings used by credential stuffing tools; ensuring that both web-based access and mobile applications have the same, up-to-date security protections; using Secure Sockets Layer (SSL) pinning in mobile applications; and employing cloud protection services.
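The following is an added example, not code from the advisory or the article, showing how three of the recommended controls translate into detection logic: the per-IP and per-account volume signals that a config's proxy rotation is meant to defeat, the default user agent check, and a compromised-password lookup using the k-anonymity range pattern (only a hash prefix is sent, the suffix is matched locally). The log lines, the list of library default user agents, the thresholds and the tiny local breach table are all constructed for the example; in production the breach table would be a range API or a local copy of a pwned-password list, and the thresholds would be tuned to real traffic.

```python
import hashlib
from collections import defaultdict

# --- Constructed sample authentication log (not from the advisory) ---
# Fields: client IP | username | User-Agent | outcome
SAMPLE_LOG = """\
203.0.113.10 | alice | Mozilla/5.0 (Windows NT 10.0; Win64; x64) | failure
203.0.113.10 | bob | python-requests/2.28.0 | failure
203.0.113.10 | carol | python-requests/2.28.0 | failure
203.0.113.10 | dave | python-requests/2.28.0 | failure
203.0.113.10 | erin | python-requests/2.28.0 | success
198.51.100.7 | alice | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) | failure
198.51.100.8 | alice | Mozilla/5.0 (X11; Linux x86_64) | failure
198.51.100.9 | alice | Mozilla/5.0 (Windows NT 10.0; Win64; x64) | failure
192.0.2.5 | frank | Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) | success
"""

# Assumption: default User-Agent prefixes of common HTTP client libraries.
# Legitimate automation uses them too, so a match is a signal, not a verdict.
TOOL_AGENT_PREFIXES = ("python-requests/", "curl/", "Go-http-client/", "okhttp/")

# Assumption: thresholds sized for this tiny sample; tune per site traffic.
MAX_USERS_PER_IP = 3   # one IP cycling through more distinct usernames than this
MAX_IPS_PER_USER = 3   # one account failing from more distinct IPs than this


def parse_log(text):
    """Parse the pipe-delimited constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, user, agent, outcome = (field.strip() for field in line.split("|"))
        events.append({"ip": ip, "user": user, "agent": agent, "outcome": outcome})
    return events


def analyze(events):
    """Return the three credential-stuffing signals the recommended controls rely on."""
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    tool_agent_ips = set()
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        if e["outcome"] == "failure":
            ips_by_user[e["user"]].add(e["ip"])
        if e["agent"].startswith(TOOL_AGENT_PREFIXES):
            tool_agent_ips.add(e["ip"])
    return {
        # Spraying: a single source walking a combo list (no proxies in play).
        "spraying_ips": sorted(ip for ip, users in users_by_ip.items()
                               if len(users) >= MAX_USERS_PER_IP),
        # Distributed: proxy rotation spreading one account's attempts over many IPs.
        "targeted_users": sorted(user for user, ips in ips_by_user.items()
                                 if len(ips) >= MAX_IPS_PER_USER),
        # Tooling: default library User-Agents the advisory says to monitor for.
        "tool_agent_ips": sorted(tool_agent_ips),
    }


# --- Compromised-password check using the k-anonymity range pattern ---
# Assumption: a constructed local table standing in for a breach corpus.
_BREACHED = ["password", "123456", "qwerty", "letmein"]


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Keyed by the first 5 hex characters; values are the remaining 35-character suffixes.
RANGE_TABLE = defaultdict(list)
for _pw in _BREACHED:
    _digest = _sha1_hex(_pw)
    RANGE_TABLE[_digest[:5]].append(_digest[5:])


def is_compromised(password):
    """Only the 5-character prefix is used for the lookup; the suffix is compared
    locally, so the full hash never has to leave the caller."""
    digest = _sha1_hex(password)
    return digest[5:] in RANGE_TABLE.get(digest[:5], [])


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for signal, hits in report.items():
        print(f"{signal}: {hits}")
    for candidate in ("password", "Tr0ub4dor&3-unique-phrase-9f2"):
        print(f"{candidate!r} compromised: {is_compromised(candidate)}")
```

The two volume signals are deliberately separate: a rotating proxy pool hides the per-IP username fan-out but not the per-account IP fan-out, so a site that alerts on only one of them is blind to whichever pattern the attacker's config produces. The password check is where the "force a reset for accounts using compromised credentials" recommendation lands: run it at login and at password change, and rely on the prefix-only lookup so the check itself does not leak the password hash to a third-party service.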

