FBI: Cybercriminals Using Proxies for Credential Stuffing Attacks

The U.S. Federal Bureau of Investigation (FBI) has issued a Private Industry Notification warning of malicious cyber actors using proxies and configurations for credential stuffing attacks on organizations within the United States.

Credential stuffing—a brute force attack that exploits leaked user credentials or ones purchased on the Dark Web—takes advantage of the fact that many individuals reuse usernames and passwords across multiple online accounts.

Proxies and configurations allow cybercriminals to hide and automate credential stuffing attacks across several accounts. The FBI points out that media companies and restaurant groups are of particular interest to threat actors because of the number of customer accounts, the general
demand for their services, and the relative lack of importance users place on these types of accounts.

Proxies and configurations used for cyberattacks

The FBI, along with the Australian Federal Police, investigated two publicly available websites that sell compromised credentials from popular online services. They found them to contain over 300,000 unique sets of credentials obtained through credential stuffing attacks. The two sites had over 175,000 registered customers and over $400,000 in sales. 

In addition to these lists being available for purchase, cybercriminals can purchase proxies and configurations. The FBI discusses why proxies can be a popular choice:

"Actors may opt to use proxies purchased from proxy services, including legitimate proxy service providers, to facilitate bypassing a website's defenses by obfuscating the actual IP addresses, which may be individually blocked or originate from certain geographic regions.

In executing successful credential stuffing attacks, cyber criminals have relied extensively on the use of residential proxies, which are connected to residential internet connections and therefore are less likely to be identified as abnormal."

It also explains the appeal of configurations:

"Cyber criminals can acquire configurations or 'configs', which facilitate attacks by customizing credential stuffing tools to gain access to a particular target website. The config may include the website address to target, how to form the HTTP request, how to
differentiate between a successful vs unsuccessful login attempt, whether proxies are needed, etc."

FBI recommendations to defend against credential stuffing

The FBI has six specific recommendations for end-users to defend against these types of attacks:

• Enable multi-factor authentication (MFA). MFA adds additional layers of protection against credential stuffing attacks and is particularly helpful when a login request derives from an unusual location, such as an unexpected country.
• Educate users to avoid choosing passwords that have appeared in data breaches. Multiple websites maintain databases of breached usernames and passwords. Require all accounts to have strong, unique pass phrases. Pass phrases should not be reused across multiple accounts.
• Download publicly available credential lists, test them against your customer accounts, and force password resets for customer accounts that use compromised credentials.
• Use fingerprinting. Fingerprinting allows websites to analyze information about clients in order to detect unusual activity, like attempts by a single IP address to log into several different accounts.
• Research and consider implementing shadow banning. When a user is shadow banned, their activities, which are not propagated to other users or to system data, do not impact the system. Because shadow banning limits users' activities in a way that is not apparent, the user is unaware their access is limited. When utilized in conjunction with
  fingerprinting, shadow banning can prevent account crackers from determining the legitimacy of credentials used during a login attempt. Ideally, shadow banning should be configured so that response times to requests from banned and non-banned IPs are
  indistinguishable.
• Identify and monitor for default user agent strings used by credential stuffing attack tools.

See the Private Industry Notification from the FBI for more information.