Credential Stuffing Attacks

Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services.

These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the company said in an alert published Saturday.

The findings build on a recent advisory from Cisco, which cautioned of a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.

"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos noted at the time, adding targets of the attacks comprise VPN appliances from Cisco, Check Point, Fortinet, SonicWall, as well as routers from Draytek, MikroTik, and Ubiquiti.


Okta said its Identity Threat Research detected an uptick in credential stuffing activity against user accounts from April 19 to April 26, 2024, from likely similar infrastructure.

Credential stuffing is a type of cyber attack in which credentials obtained from a data breach on one service are used to attempt to sign in to another unrelated service.

Alternatively, such credentials could be extracted via phishing attacks that redirect victims to credential harvesting pages or through malware campaigns that install information stealers on compromised systems.

"All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR," Okta said.

"Millions of the requests were also routed through a variety of residential proxies including NSOCKS, and DataImpulse."

Residential proxies (RESIPs) refer to networks of legitimate user devices that are misused to route traffic on behalf of paying subscribers without their knowledge or consent, thereby allowing threat actors to conceal their malicious traffic.

This is typically achieved by installing proxyware tools on computers, mobile phones, or routers, effectively enrolling them into a botnet that's then rented to customers of the service who desire to anonymize the source of their traffic.

"Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download 'proxyware' into their device in exchange for payment or something else of value," Okta explained.

"At other times, a user device is infected with malware without the user's knowledge and becomes enrolled in what we would typically describe as a botnet."

Last month, HUMAN's Satori Threat Intelligence team revealed over two dozen malicious Android VPN apps that turn mobile devices into RESIPs by means of an embedded software development kit (SDK) that included the proxyware functionality.

"The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers," Okta said.

To mitigate the risk of account takeovers, the company is recommending that organizations enforce users to switch to strong passwords, enable two-factor authentication (2FA), deny requests originating from locations where they don't operate and IP addresses with poor reputation, and add support for passkeys.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.