Cyber-criminals are increasingly hijacking home IP addresses to hide credential stuffing activity and increase their chances of success, the FBI has warned.
Credential stuffing is a popular method of account takeover whereby attackers use large lists of breached username/password 'combos' and try them across numerous sites and apps simultaneously to see if they work. As many individuals reuse their credentials, they often do.
Working credentials can then be sold to others for initial access. The FBI and Australian Federal Police claim to have found two websites containing over 300,000 unique sets of credentials obtained via credential stuffing. The sites had over 175,000 registered customers and made over $400,000 in sales, the FBI said.
However, website owners can detect this suspicious activity if they know what to look for. This is where residential proxies come in. By compromising home routers or other connected technology, attackers can route their efforts through benign-looking IPs to trick network defenders.
“In executing successful credential stuffing attacks, cyber-criminals have relied extensively on the use of residential proxies, which are connected to residential internet connections and therefore are less likely to be identified as abnormal,” the FBI said in its Private Industry Notification.
“Existing security protocols do not block or flag residential proxies as often as proxies associated with datacenters.”
As well as combo lists, malicious actors buy configurations, or 'configs,' and other tools on underground sites to help improve success rates.
“The config may include the website address to target, how to form the HTTP request, how to differentiate between a successful vs unsuccessful login attempt, whether proxies are needed, etc,” the notice explained.
“In addition, cracking tutorial videos available via social media platforms and hacker forums make it relatively easy to learn how to crack accounts using credential stuffing and other techniques.”
The FBI recommended a multi-layered approach to mitigate the threat of credential stuffing.
A report from May last year claimed there were 193 billion credential stuffing attempts during 2020, with financial services the top target. However, the FBI warned that media companies and restaurant groups are also a popular choice for would-be hackers.