Identity and access management (IAM) services provider Okta has warned of an increase in the "frequency and scale" of credential stuffing assaults directed at online businesses.
These extraordinary attacks, noticed over the last month, are believed to be enabled by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the business said in an alert published Saturday.
The findings expand on a recent statement from Cisco, which cautioned of a global spike in brute-force attacks targeting multiple devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos stated at the time, adding targets of the attacks comprise VPN appliances from Cisco, Check Point, Fortinet, SonicWall, as well as routers from Draytek, MikroTik, and Ubiquiti.
Okta stated its Identity Threat Research noticed an upsurge in credential stuffing activities against user accounts from April 19 to April 26, 2024, from presumably comparable infrastructure.
Credential stuffing is a sort of cyber attack in which credentials obtained from a data breach on one service are used to attempt to sign in to another unrelated service.
Alternatively, such credentials could be extracted via phishing attacks that link victims to credential harvesting pages or by malware operations that install information stealers on infected systems.
"All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR," Okta stated.
"Millions of the requests were also routed through a variety of residential proxies including NSOCKS, Luminati, and DataImpulse."
Residential proxies (RESIPs) refer to networks of legitimate user devices that are misused to route traffic on behalf of paying customers without their knowledge or agreement, hence allowing threat actors to mask their malicious traffic.
This is often performed by installing proxyware programs on computers, mobile phones, or routers, thereby enrolling them into a botnet that's then rented to consumers of the service who seek to anonymize the source of their traffic.
"Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download 'proxyware' into their device in exchange for payment or something else of value," Okta added.
"At other times, a user device is infected with malware without the user's knowledge and becomes enrolled in what we would typically describe as a botnet."
Last month, HUMAN's Satori Threat Intelligence team identified over two dozen malicious Android VPN apps that turn mobile devices into RESIPs by use of an embedded software development kit (SDK) that incorporated the proxyware capabilities.
"The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers," Okta added.
To mitigate the risk of account takeovers, the company is recommending that organizations enforce users to switch to strong passwords, enable two-factor authentication (2FA), deny requests originating from locations where they don't operate and IP addresses with poor reputation, and add support for passkeys.
