Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks

The Federal Bureau of Investigation (FBI) has raised an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the United States.

The Federal Bureau of Investigation (FBI) has raised an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the United States.

Creedential stuffing attacks, also called account cracking, involve trying to access online accounts using username and password combinations from existing data leaks or which were purchased on dark web portals.

Relying on the fact that users often reuse the same logins for multiple accounts, credential stuffing attacks often lead to significant financial losses caused by fraudulent purchases and system downtime and remediation, but also result in reputational damage.

The use of valid credentials allows cybercriminals to access accounts and services across a variety of industries, including media companies, healthcare, retail chains, restaurant groups, and food delivery firms.  

Once accounts are compromised, the attackers make fraudulent purchases of goods and services, and also attempt to access additional online resources, including financial accounts, the FBI said in an advisory [PDF].

Proxies and configurations, the Bureau warns, allow cybercriminals to automate the brute-forcing and exploitation of accounts.

[ READ: LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack ]

“In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts,” the FBI said.

The agency warned that cybercriminals can purchase ‘combo lists’ of usernames and passwords from dedicated forums and websites, along with configurations or ‘configs’, which allow them to customize credential stuffing tools for specific targets.

The config may include the website’s address, HTTP request format, how to recognize successful attempts, whether proxies are required, and the like. The FBI also warns that cybercriminals can access video tutorials to learn how credential stuffing can be used to crack accounts.

Working with the Australian Federal Police, the FBI said it identified two websites selling more than 300,000 unique sets of credentials to more than over 175,000 registered customers.

To bypass defenses, threat actors may employ proxies, including legitimate proxy services, to obfuscate their actual IP addresses. According to the FBI, cybercriminals have extensively used residential proxies to execute credential stuffing attacks, as these are blocked less frequently compared to proxies associated with data centers.

[ READ: Why Are Users Ignoring Multi-Factor Authentication? ]

“In some instances, actors conduct credential stuffing attacks without the use of proxies, requiring less time and financial resources to execute. Some cracking tools, including one of the most popular automated attack tools, allow actors to run the software without proxies,” the FBI added.

In some observed attacks, a company’s mobile applications are also targeted, as they often have weaker security protocols and may permit a higher rate of login attempts. Using packet capture software, the attackers learn about the authentication mechanism employed by the target, and then create custom configurations for credential stuffing activities.

To mitigate such attacks, the FBI recommends that organizations enable multi-factor authentication (MFA), educate users on good password hygiene, use fingerprinting to detect unusual activity, implement shadow banning (limiting user access), use strong security protocols in mobile applications, check online for configurations tailored for their websites and for compromised user credentials, and employ cloud protection services.

Related: NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies

Related: LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack

Related: Credential Stuffing: a Successful and Growing Attack Methodology

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.