Identity and access management services provider Okta reported a surge in credential stuffing attacks aimed at online services via anonymizers like residential proxies and The Onion Router (Tor) network.
In credential stuffing attacks, hackers use stolen credentials — often sourced from previous data breaches, to attempt unauthorized access across multiple platforms. Bad actors usually use automated tools to input these credentials across numerous websites, hoping to capitalize on the common habit of password reuse. The strategy behind these attacks is a numbers game: by attempting enough logins, some are likely to succeed.
The company said the recent increase in attacks over the past month has been driven by the widespread availability of residential proxy services, extensive lists of stolen credentials known as “combo lists,” and scripting tools.
“All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR. Millions of the requests were also routed through a variety of residential proxies including NSOCKS, Luminati and DataImpulse,” Okta writes in its alert.
Residential proxies route internet traffic through the connections of actual residential users, making it appear activity is coming from a regular home IP address. This gives users anonymity and the ability to appear as if they are accessing the internet from a different location.
“Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download ‘proxyware’ into their device in exchange for payment or something else of value,” Okta explains. “At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet.”
The recent findings from Okta echo a prior advisory from Cisco, which warned about a global increase in brute-force attacks. According to Cisco Talos, these attacks have targeted a range of devices including VPN services, SSH services, and web application authentication interfaces.
To reduce the risk of credential stuffing attacks, Okta advises blocking requests from anonymizing services and IP addresses known for such activities. They also recommend following strong password practices, implementing multi-factor authentication (MFA), and opting for passwordless authentication.