The FBI disclosed last week that cybercriminals were using residential proxies to cover their tracks and avoid being blocked during credential stuffing attacks.
The agency issued the warning as a Private Industry Notification in order to help Internet platforms counter credential stuffing attacks with proper defense mechanisms.
Credential stuffing is a type of brute-forcing attack where hackers use libraries of previously leaked username and password combinations to gain unauthorized access to a variety of online platforms.
This kind of attack only works against users who use the same login credentials (username, email address, and password) on multiple platforms. Through this method, cybercriminals can potentially access users’ accounts without deploying techniques like social engineering, phishing, or keylogging.
Since credential stuffing is a form of brute forcing, online services can still limit these attacks through defense mechanisms like capping the number of consecutive failed login attempts per account. One of the most basic types of protection also involves enforcing IP-based limitations and blocking proxy users from logging in.
However, threat actors have now started using residential proxies in order to hide their actual IP address. This allows them to continue covering their tracks and avoid IP blocklists since residential IP addresses aren’t as likely to have restrictions.
“Cyber criminals leverage proxies and configurations to mask and automate credential stuffing attacks on online customer accounts of US companies,” read the FBI’s announcement from last week. “Leveraging proxies and configurations automates the process of attempting logins across various sites and facilitates exploitation of online accounts.”
The FBI’s security advisory also listed recommended mitigation practices for administrators to defend themselves against credential stuffing and similar account cracking attacks, including:
- Enabling Multi-Factor Authentication (MFA).
- Avoiding passwords that were leaked in previous data breaches.
- Prompting users to reset their passwords if their current ones have been compromised.
- Using fingerprinting to detect suspicious activity.
- Limiting suspicious users through shadow banning.
- Monitoring for default user agent strings used by credential stuffing tools.
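The following script is an added example, not code from the FBI notification or from the article, that shows what several of the defenses described above look like when run over login logs: per-account lockout after consecutive failures and per-IP fan-out checks (the basic protections mentioned earlier), a watchlist of library-default User-Agent strings (the last mitigation in the list), and a check of a candidate password against a set of leaked-password hashes. Because residential proxies defeat per-IP thresholds, it also counts how many distinct source IPs fail within one sliding window, which is the signal that survives proxy rotation. The log format, the sample log lines, the IP addresses, the usernames, the User-Agent watchlist and the breached-hash set are all constructed for this example; the thresholds are illustrative defaults, not values the FBI recommends.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example:
# "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail> ua=\"<user agent>\""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>ok|fail) ua="(?P<ua>[^"]*)"$'
)

# Illustrative watchlist: default User-Agent prefixes of common HTTP client
# libraries. The FBI notification names no specific strings; these are assumed.
AUTOMATION_UA_PREFIXES = ("python-requests/", "Go-http-client/", "curl/", "okhttp/")

# Constructed sample log: one scripted client trying three usernames, five
# rotating "residential" IPs trying one username each, and one account (ivan)
# failing five times before a successful login.
SAMPLE_LOG = """\
2022-08-22T10:00:01 ip=203.0.113.7 user=alice result=fail ua="python-requests/2.28.1"
2022-08-22T10:00:02 ip=203.0.113.7 user=bob result=fail ua="python-requests/2.28.1"
2022-08-22T10:00:03 ip=203.0.113.7 user=carol result=fail ua="python-requests/2.28.1"
2022-08-22T10:00:10 ip=198.51.100.10 user=dave result=fail ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-22T10:00:11 ip=198.51.100.11 user=erin result=fail ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-22T10:00:12 ip=198.51.100.12 user=frank result=fail ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-22T10:00:13 ip=198.51.100.13 user=grace result=fail ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-22T10:00:14 ip=198.51.100.14 user=heidi result=fail ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-22T10:00:20 ip=192.0.2.44 user=ivan result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
2022-08-22T10:00:21 ip=192.0.2.44 user=ivan result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
2022-08-22T10:00:22 ip=192.0.2.44 user=ivan result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
2022-08-22T10:00:23 ip=192.0.2.44 user=ivan result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
2022-08-22T10:00:24 ip=192.0.2.44 user=ivan result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
2022-08-22T10:00:25 ip=192.0.2.44 user=ivan result=ok ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
2022-08-22T10:30:00 ip=192.0.2.80 user=judy result=ok ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze_logins(lines, window=timedelta(seconds=60), max_user_failures=5,
                   max_users_per_ip=3, max_failing_ips=6):
    """Run four defensive checks over login log lines and return the findings.

    locked_users    : accounts reaching max_user_failures consecutive failures
    suspicious_ips  : IPs that attempted >= max_users_per_ip distinct usernames
    automation_hits : (ip, user) pairs whose User-Agent is a library default
    proxy_burst     : True when >= max_failing_ips distinct IPs fail inside one
                      sliding window; per-IP limits miss this when attackers
                      rotate residential proxies, the global count does not
    """
    consecutive_fail = defaultdict(int)
    users_per_ip = defaultdict(set)
    fail_events = []  # (timestamp, ip) for every failed attempt
    out = {"locked_users": set(), "suspicious_ips": set(),
           "automation_hits": [], "proxy_burst": False}

    for rec in filter(None, map(parse_line, lines)):
        ip, user = rec["ip"], rec["user"]
        if rec["ua"].startswith(AUTOMATION_UA_PREFIXES):
            out["automation_hits"].append((ip, user))
        users_per_ip[ip].add(user)
        if len(users_per_ip[ip]) >= max_users_per_ip:
            out["suspicious_ips"].add(ip)
        if rec["result"] == "fail":
            consecutive_fail[user] += 1
            fail_events.append((rec["ts"], ip))
            if consecutive_fail[user] >= max_user_failures:
                out["locked_users"].add(user)
        else:
            consecutive_fail[user] = 0  # a success resets the per-account counter

    # Sliding window over failures, counting distinct source IPs rather than raw
    # hits so one noisy client alone cannot trip the proxy-rotation alarm.
    fail_events.sort()
    start = 0
    for end in range(len(fail_events)):
        while fail_events[end][0] - fail_events[start][0] > window:
            start += 1
        if len({ip for _, ip in fail_events[start:end + 1]}) >= max_failing_ips:
            out["proxy_burst"] = True
            break
    return out


def password_is_compromised(password, breached_sha1_hashes):
    """True if the SHA-1 of the password appears in a set of leaked-password hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper() in breached_sha1_hashes


# Constructed breach set for the example; a real deployment queries a breach
# corpus at password-set time instead of embedding hashes in code.
BREACHED = {hashlib.sha1(b"password123").hexdigest().upper()}

if __name__ == "__main__":
    for key, value in analyze_logins(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Running the script on the constructed log locks only `ivan`, flags `203.0.113.7` for trying three usernames and for its library User-Agent, and raises `proxy_burst` because seven distinct IPs fail inside the same minute even though none of them individually exceeds a per-IP limit; dropping the rotating-IP lines clears the burst flag while the other findings stand.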