FBI Warns Proxies, Configurations Seen in More Credential Stuffing Attacks
Attackers are using proxies and configurations to mask and automate credential stuffing attacks on US companies, the FBI warns.
Credential stuffing - the act of using stolen or leaked usernames and passwords to try to log in to various accounts - isn't new or even that sophisticated, but recent actions taken by cybercriminals have prompted the FBI to warn the public about an uptick in attacks.
In particular, attackers are using proxies and configurations to make their attacks more covert, specifically by masking the true source of an attack and by automating the process of logging into various sites and exploiting that access, which makes it quicker.
The FBI warned about the actions of cybercriminals in a Private Industry Notification, Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts, released last Thursday.
Unlike a brute force attack, in which multiple, usually random, passwords are tried against multiple accounts, credential stuffing is more orchestrated and relies on stolen or previously compromised user credentials to log into services. Because users occasionally reuse the same login and password across accounts, finding a working combination can afford attackers access to a variety of services.
The alert is primarily based around two websites recently uncovered by the FBI, with help from the Australian Federal Police, that were found hosting a slew of credentials.
The sites contained 300,000 unique sets of credentials and boasted over 175,000 customers, from which they made over $400,000 in sales, according to the FBI. Some of the name and password combinations were purchased from cybercrime forums and other specialized websites. Also for sale: configurations, customized tools that specify the website on which to use the credentials, how to form the HTTP request, how to determine whether or not a login has been successful, and whether or not a proxy is needed to shroud the attempt.
Proxies, as the FBI notes, obfuscate IP addresses so as not to raise a red flag with the security protocols in place on sites and services.
The rest of the alert digs into other ways attackers can attempt to bypass protocols - by logging into a service's mobile app, by using packet capture software, and by relying on dedicated servers to carry out attacks.
While the news is interesting, what will likely prove more beneficial to defenders are the tips that the FBI gives around preventing such attacks.
Many are no doubt already employed by organizations but for the uninitiated, the FBI recommends:
- Enable MFA.
- Encourage users not to use passwords that have been compromised. Websites like HaveIBeenPwned.com keep a running list of passwords that have appeared in data breaches.
- Download credential lists, such as pastes (information posted to sites like Pastebin), to verify whether any of your organization's credentials are present.
- Research and consider fingerprinting, shadow banning, and tools that can identify and monitor for user agent strings that can be used by credential stuffing attacks.
- Ensure both your web-based and mobile applications have the same security protections.
- Use Secure Socket Layer (SSL) pinning, which makes it harder for tools to track API requests.
- See if any account cracking configurations geared towards your company's website exist online.
- Use cloud protection services to detect and block suspicious traffic.
- Don't use CAPTCHA as a standalone solution to defend against credential stuffing.
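The two patterns the notification describes, many distinct usernames tried from one source and a single configuration's user agent string spread across rotating proxy IPs, can both be surfaced from ordinary login logs. The following is an added example, not code from the FBI notification or from any product; the `source_ip|username|result|user_agent` log format, the sample events and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed login-event log (not real data): source_ip|username|result|user_agent
SAMPLE_LOG = """\
203.0.113.10|alice|FAIL|checker/1.0
203.0.113.10|bob|FAIL|checker/1.0
203.0.113.10|carol|FAIL|checker/1.0
203.0.113.10|dave|OK|checker/1.0
203.0.113.10|erin|FAIL|checker/1.0
203.0.113.10|frank|FAIL|checker/1.0
198.51.100.1|gina|FAIL|Mozilla/5.0 (cfg-x)
198.51.100.2|hank|FAIL|Mozilla/5.0 (cfg-x)
198.51.100.2|ivan|FAIL|Mozilla/5.0 (cfg-x)
198.51.100.3|judy|OK|Mozilla/5.0 (cfg-x)
198.51.100.4|kate|FAIL|Mozilla/5.0 (cfg-x)
198.51.100.4|leo|FAIL|Mozilla/5.0 (cfg-x)
192.0.2.5|alice|FAIL|Mozilla/5.0 (Windows NT 10.0)
192.0.2.5|alice|OK|Mozilla/5.0 (Windows NT 10.0)
"""

def parse_events(log_text):
    """Yield (ip, user, success, user_agent); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ip, user, result, ua = parts
        yield ip, user, result == "OK", ua

def detect_stuffing(log_text, min_users=5, max_success_ratio=0.2, min_ips=3):
    """Flag single-source stuffing (many users, mostly failures, one IP) and
    proxy-distributed stuffing (one user agent, many IPs, many users)."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    by_ua = defaultdict(lambda: {"users": set(), "ips": set()})
    for ip, user, ok, ua in parse_events(log_text):
        by_ip[ip]["users"].add(user)
        by_ip[ip]["attempts"] += 1
        by_ip[ip]["ok"] += int(ok)
        by_ua[ua]["users"].add(user)
        by_ua[ua]["ips"].add(ip)
    single_source = sorted(ip for ip, s in by_ip.items()
                           if len(s["users"]) >= min_users
                           and s["ok"] / s["attempts"] <= max_success_ratio)
    distributed = sorted(ua for ua, s in by_ua.items()
                         if len(s["ips"]) >= min_ips and len(s["users"]) >= min_users)
    return {"single_source": single_source, "distributed": distributed}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The legitimate user who mistypes a password once from a single IP triggers neither rule, while the proxy-rotated run is caught only by the per-user-agent view, which is why the per-IP rule alone is not enough.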