Cybercriminals use proxies and configurations to launch credential stuffing attacks

The Federal Bureau of Investigation (FBI) have spotted cybercriminals using proxies and configurations to launch credential stuffing attacks against US companies.

Credential stuffing cyberattacks, also known as account cracking, is when a cybercriminal uses stolen usernames and passwords from one organization (such as from a previous data breach) to access user accounts in another organization.

“Malicious actors utilizing valid user credentials have the potential to access numerous accounts and services across multiple industries – to include media companies, retail, healthcare, restaurant groups and food delivery – to fraudulently obtain goods, services and across multiple industries,” the FBI warned in the online notification August 12.

As a result of the attacks, organizations have suffered financial losses, reputational damage, and system downtime, among other challenges.

“In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts,” The FBI added.

In one example, the FBI and the Australian Federal Police discovered over 300,000 unique sets of account/password combos stolen via credential stuffing. The websites had over 175,000 registered customers and over $400,000 in sales.

Recommended mitigations

The report highlights multiple good mitigations to defend against account cracking attacks, such as:

  • Don’t share passwords across websites.
  • Enable multi-factor authentication (MFA).
  • Organizations can download publicly available credential lists and test them against their customer accounts. Force password resets for customer accounts that have been found compromised in previous breaches.
  • Use fingerprinting to analyze information about clients in order to detect unusual activity.
  • Identify and monitor for default user agent strings used in cyberattacks.
  • Keep software up-to-date.
  • Use Secure Socket Layer (SSL) pinning in mobile applications.
  • Employ cloud protection services, such as content delivery networks (CDNs), to help detect and block suspicious traffic.

Related Articles