Cybercriminals are relying on residential proxies to cover their tracks and avoid being blocked in exhaustive credential stuffing attacks, the FBI has disclosed.
The agency issued the warning as a Private Industry Notification to help Internet platforms counter credential stuffing attacks with appropriate defense mechanisms.
Credential stuffing is a type of brute-forcing attack where perpetrators use libraries of previously leaked username and password combinations to gain unauthorized access to various online platforms.
This attack only works against users who input the same credentials (username, email address and password) into several services. In this case, attackers can breach their accounts without social engineering, phishing, keylogging or other devious techniques.
Since it’s a form of brute forcing, online services could deter credential stuffing attacks via mitigation mechanisms such as limiting the number of consecutive failed login attempts. One of the most basic types of protection involves enforcing IP-based limitations and blocking proxy users from logging in.
However, perpetrators have now resorted to residential proxies to cloak their actual IP address. This lets attackers continue covering their traces unhampered and avoid blocklists since residential IP addresses are less likely to be restricted.
“Cyber criminals leverage proxies and configurations to mask and automate credential stuffing attacks on online customer accounts of US companies,” reads the FBI’s announcement. “Leveraging proxies and configurations automates the process of attempting logins across various sites and facilitates exploitation of online accounts.”
The FBI’s security advisory also suggests mitigation practices for administrators to defend against credential stuffing and similar account cracking attacks:
Specialized software such as Bitdefender Digital Identity Protection can keep you safe against data breaches and attacks that leverage them with features like:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024