Okta warns of an unprecedented increase in proxy-driven credential stuffing attacks

April 28, 2024 | Pressroom | Credential stuffing / data breach

Credential stuffing attacks

Identity and access management (IAM) provider Okta has warned of a spike in the “frequency and scope” of credential stuffing attacks targeting online services.

These unprecedented attacks, observed over the past month, are said to be facilitated “by the widespread availability of residential proxy services, lists of previously stolen credentials (“combined lists”), and scripting tools,” the company said in an advisory published on Saturday.

The findings build on a recent advisory from Cisco Talos, which warned of a global increase in brute-force attacks targeting various devices, including virtual private network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.

“These attacks appear to all originate from TOR exit nodes and a number of other anonymized tunnels and proxies,” Talos noted at the time, adding that the targets of the attacks include VPN devices from Cisco, Check Point, Fortinet, SonicWall and other routers from Draytek, MikroTik and Ubiquiti.


Okta said its identity threat research found an increase in credential stuffing activity against user accounts from April 19 to April 26, 2024, from likely similar infrastructure.

Credential stuffing is a type of cyber attack in which credentials obtained from a data breach on one service are used to attempt to access another, unrelated service.

Alternatively, such credentials could be extracted via phishing attacks that redirect victims to credential harvesting pages, or via malware campaigns that install information stealers on compromised systems.

“All of the recent attacks we have observed share one characteristic in common: they rely on requests that are routed through anonymization services like TOR,” Okta said.

“Millions of requests were also routed through a variety of residential proxies including NSOCKS, Luminati and DataImpulse.”

Residential proxies (RESIPs) refer to networks of legitimate user devices that are misused to route traffic on behalf of paying subscribers without the owners' knowledge or consent, thus allowing threat actors to hide their malicious traffic.

This is typically achieved by installing proxyware tools on computers, cell phones, or routers, effectively enrolling them in a botnet that is then rented to customers of the service who wish to anonymize the source of their traffic.

“Sometimes a user’s device becomes enrolled in a proxy network because the user knowingly chooses to download ‘proxyware’ onto their device in exchange for a payment or something else of value,” Okta explained.

“Other times, a user’s device becomes infected with malware without their knowledge and is enrolled in what we would normally describe as a botnet.”


Last month, HUMAN’s Satori Threat Intelligence team revealed over two dozen malicious Android VPN apps that turn mobile devices into RESIP via an embedded software development kit (SDK) that included proxyware functionality.

“The net result of this activity is that the majority of traffic in these credential stuffing attacks appears to come from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers,” Okta said.

To mitigate the risk of account takeover, the company recommends that organizations force users to switch to strong passwords, enable two-factor authentication (2FA), deny requests from locations where they do not operate and from IP addresses with poor reputation, and add support for passkeys.
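As an added illustration (not code from Okta or from the article), the following Python shows the two defender-side pieces the article describes: spotting the credential stuffing signature in authentication logs (one source failing across many distinct usernames, unlike a single user mistyping their own password) and the recommended pre-authentication rule that denies requests from countries the organization does not operate in and from poor-reputation IPs. The sample events, the operating-country set and the bad-reputation list are constructed placeholders.

```python
"""Credential stuffing detection and geo/IP-reputation deny rule (illustrative)."""
from collections import defaultdict

# Constructed sample authentication events: (source_ip, country, username, outcome).
# These are documentation-range IPs, not real indicators.
SAMPLE_EVENTS = [
    ("203.0.113.10", "US", "alice", "FAILURE"),
    ("203.0.113.10", "US", "bob", "FAILURE"),
    ("203.0.113.10", "US", "carol", "FAILURE"),
    ("203.0.113.10", "US", "dave", "FAILURE"),
    ("203.0.113.10", "US", "erin", "SUCCESS"),   # one stolen pair happened to work
    ("198.51.100.7", "DE", "alice", "FAILURE"),  # a user mistyping, then succeeding
    ("198.51.100.7", "DE", "alice", "SUCCESS"),
    ("192.0.2.44", "BR", "frank", "SUCCESS"),
]

OPERATING_COUNTRIES = {"US", "DE"}      # assumed: where the organization operates
POOR_REPUTATION_IPS = {"192.0.2.44"}    # assumed: feed of proxy/TOR/bad-reputation IPs


def stuffing_sources(events, min_distinct_users=3, min_failure_ratio=0.6):
    """Return source IPs whose failures span many distinct usernames.

    Stuffing replays username/password pairs from a breach list, so one source
    produces failures for many different accounts with a high failure ratio.
    """
    failed_users = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for ip, _country, user, outcome in events:
        attempts[ip] += 1
        if outcome == "FAILURE":
            failures[ip] += 1
            failed_users[ip].add(user)
    return sorted(
        ip for ip in attempts
        if len(failed_users[ip]) >= min_distinct_users
        and failures[ip] / attempts[ip] >= min_failure_ratio
    )


def policy_decision(ip, country):
    """Network-level rule evaluated before the password is even checked."""
    if country not in OPERATING_COUNTRIES:
        return "DENY_GEO"
    if ip in POOR_REPUTATION_IPS:
        return "DENY_REPUTATION"
    return "ALLOW"   # 2FA or a passkey still gates the login itself
```

Because residential proxies spread an attacker's requests across many everyday-looking IPs, a per-IP threshold like the one above catches less than it would against a single VPS; that is why the reputation and geography rules, plus 2FA or passkeys, are needed alongside it.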
