Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks

The Federal Bureau of Investigation (FBI) has raised an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the United States.

The Federal Bureau of Investigation (FBI) has raised an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the United States.

Creedential stuffing attacks, also called account cracking, involve trying to access online accounts using username and password combinations from existing data leaks or which were purchased on dark web portals.

Relying on the fact that users often reuse the same logins for multiple accounts, credential stuffing attacks often lead to significant financial losses caused by fraudulent purchases and system downtime and remediation, but also result in reputational damage.

The use of valid credentials allows cybercriminals to access accounts and services across a variety of industries, including media companies, healthcare, retail chains, restaurant groups, and food delivery firms.  

Once accounts are compromised, the attackers make fraudulent purchases of goods and services, and also attempt to access additional online resources, including financial accounts, the FBI said in an advisory [PDF].

Proxies and configurations, the Bureau warns, allow cybercriminals to automate the brute-forcing and exploitation of accounts.

[ READ: LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack ]

“In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts,” the FBI said.

Advertisement. Scroll to continue reading.

The agency warned that cybercriminals can purchase ‘combo lists’ of usernames and passwords from dedicated forums and websites, along with configurations or ‘configs’, which allow them to customize credential stuffing tools for specific targets.

The config may include the website’s address, HTTP request format, how to recognize successful attempts, whether proxies are required, and the like. The FBI also warns that cybercriminals can access video tutorials to learn how credential stuffing can be used to crack accounts.

Working with the Australian Federal Police, the FBI said it identified two websites selling more than 300,000 unique sets of credentials to more than over 175,000 registered customers.

To bypass defenses, threat actors may employ proxies, including legitimate proxy services, to obfuscate their actual IP addresses. According to the FBI, cybercriminals have extensively used residential proxies to execute credential stuffing attacks, as these are blocked less frequently compared to proxies associated with data centers.

[ READ: Why Are Users Ignoring Multi-Factor Authentication? ]

“In some instances, actors conduct credential stuffing attacks without the use of proxies, requiring less time and financial resources to execute. Some cracking tools, including one of the most popular automated attack tools, allow actors to run the software without proxies,” the FBI added.

In some observed attacks, a company’s mobile applications are also targeted, as they often have weaker security protocols and may permit a higher rate of login attempts. Using packet capture software, the attackers learn about the authentication mechanism employed by the target, and then create custom configurations for credential stuffing activities.

To mitigate such attacks, the FBI recommends that organizations enable multi-factor authentication (MFA), educate users on good password hygiene, use fingerprinting to detect unusual activity, implement shadow banning (limiting user access), use strong security protocols in mobile applications, check online for configurations tailored for their websites and for compromised user credentials, and employ cloud protection services.

Related: NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies

Related: LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack

Related: Credential Stuffing: a Successful and Growing Attack Methodology

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.