Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts
The FBI sheds light on important details about the proxies and configurations used by cybercriminals to hide and automate credential stuffing attacks on US companies, resulting in financial losses associated with fraudulent purchases, notifications to customers, system downtime and fixes, and reputational damage. Credential stuffing attacks, commonly known as account takeovers, apply valid username and password combinations, also known as user credentials or “combo lists”, from previously compromised online resources or data leaks. Malicious actors using valid user credentials have the potential to gain access to many accounts and services across multiple industries – including media companies, retail, healthcare, restaurant groups and food delivery – to fraudulently obtain goods and services and to access other online resources, such as financial accounts, at the expense of legitimate account holders.
The FBI thanks the Australian Federal Police for their assistance in collecting the information included in this Private Industry Notice.
Cybercriminals use proxies and configurations to hide and automate credential stuffing attacks on US companies’ online customer accounts. Credential stuffing, a type of brute force attack that exploits user credentials leaked from a website breach or purchased from dark web credential-selling websites, takes advantage of the fact that many users reuse usernames and passwords across multiple accounts and services. The use of proxies and configurations automates the process of trying to log in to different sites and makes it easier to exploit online accounts. In particular, media companies and restaurant groups are seen as lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts.
Many publicly accessible websites offer compromised account credentials from popular online services for sale. Two of these websites investigated by the FBI and the Australian Federal Police contained more than 300,000 unique sets of credentials obtained through credential stuffing. The websites had over 175,000 registered customers and over $400,000 in sales. In addition to “combo lists” purchased from cybercriminal forums and websites dedicated to account takeover, cybercriminals can acquire setups or “configs,” which facilitate attacks by customizing credential stuffing tools to gain access to a particular target website. The configuration can include the address of the website to target, how to form the HTTP request, how to differentiate a successful login attempt from an unsuccessful one, whether proxies are needed, etc. As a result, it is relatively easy to learn how to hack accounts using credential stuffing and other techniques.
Actors may choose to use proxies purchased from proxy services, including legitimate proxy service providers, to help circumvent a website’s defenses by masking actual IP addresses, which may be individually blocked or originate from certain geographic regions. To successfully execute credential stuffing attacks, cybercriminals have largely relied on the use of residential proxies, which are connected to residential Internet connections and are therefore less likely to be identified as anomalous. Existing security protocols do not block or flag residential proxies as often as proxies associated with data centers. In some cases, actors conduct credential stuffing attacks without using a proxy, which requires less time and financial resources to execute. Some hacking tools, including one of the most popular automated attack tools, allow actors to run the software without a proxy.
Cybercriminals can also target a company’s mobile apps as well as its website. Mobile apps, which often have weaker security protocols than traditional web apps, often allow a higher rate of login attempts, known as checks per minute (CPM), facilitating faster account validation. Cybercriminals leverage packet capture software, such as Wireshark, Burp Suite, or Fiddler, to record and understand the authentication mechanism used by the targeted website and/or mobile app. This allows the cybercriminal to create a custom configuration for credential stuffing activities. Other cybercriminals purchase configurations created by others or obtain them from hacking forums. Cybercriminals have also used dedicated hosted servers to execute credential stuffing attacks.
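Added example, not part of the FBI notice: a small Python detector that applies the indicators described above to a constructed login log, flagging a source IP whose checks per minute, count of distinct usernames, and failure ratio all exceed thresholds, and additionally grouping by client string alone so that a distributed attack routed through many residential-proxy IPs (one attempt per IP, each below the per-IP threshold) still surfaces. The log format, the client strings and the threshold values are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not real data), space-separated fields:
# timestamp src_ip username result client
# Lines 1-6: one IP, six distinct usernames in one minute, five failures.
# Lines 7-12: six different IPs, one attempt each, same client string
#             (the residential-proxy pattern: low per-IP rate, high aggregate).
# Lines 13-14: a legitimate user who mistypes once, then logs in.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.5 u1@example.com FAIL checker/1.0
2023-05-01T10:00:02Z 203.0.113.5 u2@example.com FAIL checker/1.0
2023-05-01T10:00:03Z 203.0.113.5 u3@example.com FAIL checker/1.0
2023-05-01T10:00:04Z 203.0.113.5 u4@example.com FAIL checker/1.0
2023-05-01T10:00:05Z 203.0.113.5 u5@example.com OK checker/1.0
2023-05-01T10:00:06Z 203.0.113.5 u6@example.com FAIL checker/1.0
2023-05-01T10:01:10Z 198.51.100.11 u7@example.com FAIL mobile-app/2.1
2023-05-01T10:01:11Z 198.51.100.12 u8@example.com FAIL mobile-app/2.1
2023-05-01T10:01:12Z 198.51.100.13 u9@example.com FAIL mobile-app/2.1
2023-05-01T10:01:13Z 198.51.100.14 u10@example.com FAIL mobile-app/2.1
2023-05-01T10:01:14Z 198.51.100.15 u11@example.com OK mobile-app/2.1
2023-05-01T10:01:15Z 198.51.100.16 u12@example.com FAIL mobile-app/2.1
2023-05-01T10:02:30Z 192.0.2.77 carol@example.com FAIL browser/111
2023-05-01T10:02:45Z 192.0.2.77 carol@example.com OK browser/111
"""

def parse(log):
    """Yield (minute_bucket, src_ip, username, failed, client) for each line."""
    for line in log.splitlines():
        ts, ip, user, result, client = line.split()
        yield ts[:16], ip, user, result != "OK", client  # bucket = YYYY-MM-DDTHH:MM

def find_stuffing(log, min_attempts=5, min_users=5, min_fail_ratio=0.8):
    """Return alerts for per-minute groups that look like credential stuffing.
    Thresholds are assumed values; tune them to the site's normal login traffic.
    Groups by source IP (single-host attack) and by client string alone
    (distributed attack where each proxy IP stays under the per-IP threshold)."""
    groups = defaultdict(list)
    for minute, ip, user, failed, client in parse(log):
        groups[(minute, "ip", ip)].append((user, failed))
        groups[(minute, "client", client)].append((user, failed))
    alerts = []
    for (minute, kind, key), attempts in groups.items():
        users = {u for u, _ in attempts}
        fail_ratio = sum(f for _, f in attempts) / len(attempts)
        if len(attempts) >= min_attempts and len(users) >= min_users and fail_ratio >= min_fail_ratio:
            alerts.append({"minute": minute, "by": kind, "key": key,
                           "attempts": len(attempts), "distinct_users": len(users),
                           "fail_ratio": round(fail_ratio, 2)})
    return sorted(alerts, key=lambda a: (a["minute"], a["by"]))
```

Running `find_stuffing(SAMPLE_LOG)` yields three alerts: the single-IP burst (by IP and by client) and the distributed burst by client string only, while the legitimate user in the third minute is not flagged.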