The FBI is highlighting significant details about proxies and configurations used by cyber criminals to mask and automate credential stuffing attacks on US companies, resulting in financial losses associated with fraudulent purchases, customer notifications, system downtime and remediation, as well as reputational damage. Credential stuffing attacks, commonly referred to as account cracking, apply valid username and password combinations, also known as user credentials or “combo lists”, taken from previously compromised online resources or data leaks. Malicious actors using valid user credentials can access numerous accounts and services across multiple industries, including media companies, retail, healthcare, restaurant groups and food delivery, to fraudulently obtain goods and services and to access other online resources, such as financial accounts, at the expense of legitimate account holders.
The FBI acknowledges the Australian Federal Police for their assistance collecting the information included in this Private Industry Notification.
Cyber criminals leverage proxies and configurations to mask and automate credential stuffing attacks on online customer accounts of US companies. Credential stuffing, a type of brute force attack that exploits leaked user credentials from a website breach or purchased on dark web credential selling websites, takes advantage of the fact that many users reuse usernames and passwords across multiple accounts and services. Leveraging proxies and configurations automates the process of attempting logins across various sites and facilitates exploitation of online accounts. In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts.
Numerous publicly accessible websites offer for sale compromised account credentials from popular online services. Two such websites investigated by the FBI and the Australian Federal Police were found to contain over 300,000 unique sets of credentials obtained via credential stuffing. The websites had over 175,000 registered customers and over 400,000 USD in sales. In addition to “combo lists” purchased from cyber criminal forums and websites dedicated to account cracking, cyber criminals can acquire configurations or “configs”, which customize a credential stuffing tool for a particular target website. A config may specify the website address to target, how to form the HTTP login request, how to distinguish a successful login attempt from a failed one (for example by response code, redirect or a string in the response body), whether proxies are needed, and similar details. In addition, cracking tutorial videos available via social media platforms and hacker forums make it relatively easy to learn how to crack accounts using credential stuffing and other techniques.
Actors may opt to use proxies purchased from proxy services, including legitimate proxy service providers, to bypass a website’s defenses by hiding their actual IP addresses, which might otherwise be blocked individually or by geographic region. In executing successful credential stuffing attacks, cyber criminals have relied extensively on residential proxies, which route traffic through residential internet connections and are therefore less likely to be identified as abnormal. Existing security controls do not block or flag residential proxies as often as proxies associated with data centers. In some instances, actors conduct credential stuffing attacks without the use of proxies, which requires less time and money to execute; in that case all attempts originate from a small number of source IP addresses. Some cracking tools, including one of the most popular automated attack tools, allow actors to run the software without proxies.
Cyber criminals may also target a company’s mobile applications as well as its website. The APIs behind mobile applications often have weaker security controls than the web login form and frequently permit a higher rate of login attempts, known as checks per minute (CPMs), which allows faster validation of credential lists. Cyber criminals use traffic capture and interception tools, such as Wireshark, Burp Suite, or Fiddler, to record and understand the authentication mechanism employed by the targeted website and/or mobile application. This allows the cyber criminal to craft a custom configuration for credential stuffing activities. Other cyber criminals buy configurations created by others or obtain them from hacking forums. Cyber criminals have also employed dedicated, hosted servers to execute credential stuffing attacks.
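The two attack shapes described above (a no-proxy run in which one source IP tries many accounts, and a proxy-rotated run against a mobile login API in which each IP makes only a few attempts) call for different detection logic: per-IP rate limits catch the first and miss the second, which only shows up in the aggregate view of an endpoint. The following is an added example, not part of the FBI notification, that scores both signatures over a login log. The log format, the thresholds, the user-agent concentration heuristic and all sample data are assumptions constructed for the example; the sample log generator produces a handful of normal logins, one no-proxy attacker, and one distributed run, and the detector reports the accounts that were successfully logged into from the flagged sources so they can be force-reset.

```python
"""Credential-stuffing detection over a constructed login log.

Added example (not part of the FBI notification). Log format is assumed:
  <ISO timestamp> <client_ip> <endpoint> <username> <OK|FAIL> "<user agent>"
Two signatures are scored per time window:
  * single_source: one IP trying many distinct usernames, almost all failing
    (the no-proxy attack described in the notification)
  * distributed: many low-volume IPs hitting one login endpoint, almost all
    failing, sharing one user agent (proxy rotation; per-IP limits miss it)
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    # User agent is last and may contain spaces, so split at most 5 times.
    ts, ip, endpoint, user, result, ua = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "endpoint": endpoint,
            "user": user, "ok": result == "OK", "ua": ua.strip('"')}


def single_source_alerts(events, min_users=20, max_success_ratio=0.1):
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        hits = sorted(e["user"] for e in evs if e["ok"])
        if len(users) >= min_users and len(hits) / len(evs) <= max_success_ratio:
            alerts.append({"rule": "single_source", "ip": ip, "attempts": len(evs),
                           "distinct_users": len(users), "compromised": hits})
    return alerts


def distributed_alerts(events, min_ips=20, max_per_ip=3,
                       max_success_ratio=0.1, min_ua_share=0.8):
    by_endpoint = defaultdict(list)
    for e in events:
        by_endpoint[e["endpoint"]].append(e)
    alerts = []
    for endpoint, evs in by_endpoint.items():
        by_ip = defaultdict(list)
        for e in evs:
            by_ip[e["ip"]].append(e)
        # Low-volume sources that produced at least one failure. A per-IP
        # rate limit never triggers on these; only the aggregate view does.
        suspects = {ip for ip, es in by_ip.items()
                    if len(es) <= max_per_ip and not all(e["ok"] for e in es)}
        if len(suspects) < min_ips:
            continue
        sus = [e for e in evs if e["ip"] in suspects]
        fails = [e for e in sus if not e["ok"]]
        if 1 - len(fails) / len(sus) > max_success_ratio:
            continue
        # One tool behind many proxies usually presents one user agent.
        top_ua, top_n = Counter(e["ua"] for e in fails).most_common(1)[0]
        if top_n / len(fails) < min_ua_share:
            continue
        alerts.append({"rule": "distributed", "endpoint": endpoint,
                       "source_ips": len(suspects), "attempts": len(sus),
                       "user_agent": top_ua,
                       "compromised": sorted(e["user"] for e in sus if e["ok"])})
    return alerts


def analyze(lines, window=timedelta(minutes=5)):
    """Run both rules over each fixed-width time window; return all alerts."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    if not events:
        return []
    start, width = events[0]["ts"], window.total_seconds()
    buckets = defaultdict(list)
    for e in events:
        buckets[int((e["ts"] - start).total_seconds() // width)].append(e)
    alerts = []
    for _, evs in sorted(buckets.items()):
        alerts += single_source_alerts(evs) + distributed_alerts(evs)
    return alerts


def build_sample_log():
    """Constructed sample data, not real traffic: a few normal logins, one
    no-proxy attacker on the web form, and a proxy-rotated run against the
    mobile API where each IP tries only two accounts."""
    t0 = datetime(2023, 4, 1, 10, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [
        f'{stamp(0)} 198.51.100.7 /login carol OK "Mozilla/5.0"',
        f'{stamp(3)} 198.51.100.8 /login dave FAIL "Mozilla/5.0"',
        f'{stamp(9)} 198.51.100.8 /login dave OK "Mozilla/5.0"',
        f'{stamp(4)} 198.51.100.9 /api/mobile/login erin OK "AppClient/2.1 (Android)"',
    ]
    for i in range(40):  # 40 usernames from one IP, one of them succeeds
        lines.append(f'{stamp(i)} 203.0.113.10 /login user{i:03d} '
                     f'{"OK" if i == 17 else "FAIL"} "python-requests/2.28"')
    for n in range(60):  # 30 IPs, 2 usernames each, one success overall
        lines.append(f'{stamp(n)} 192.0.2.{n // 2 + 1} /api/mobile/login acct{n:03d} '
                     f'{"OK" if n == 5 else "FAIL"} "AppClient/2.1 (Android)"')
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

Running it prints one `single_source` alert for 203.0.113.10 (40 distinct usernames, one success, `user017` to be reset) and one `distributed` alert for `/api/mobile/login` (30 source IPs with two attempts each, one success, `acct005`). The normal traffic alone raises nothing. The thresholds are illustrative; in production they should be tuned against the endpoint's real baseline, and the user-agent check should be treated as a weak signal, since a tool can randomize that header as easily as it rotates proxies.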