Cybersecurity firm Okta reports a spike in ‘brute-force’ credential-stuffing attacks over the last month. This follows earlier reports, published last week, of a spike in the same kind of attack.
Increasingly sophisticated ‘brute-force’ attacks use trial-and-error techniques to guess passwords, login credentials, and encryption keys. New life is now being breathed into what is essentially an old hacking technique by widely available software that uses artificial intelligence (AI) to carry out large numbers of attempts automatically.
From April 19 to April 26, 2024, Okta’s Identity Threat Research team observed a spike in credential-stuffing activity against user accounts. According to Okta, several factors are facilitating the recent increase in the frequency and scale of credential-stuffing attacks targeting online services.
One is the ready availability of previously stolen credentials for sale on criminal forums. The other major driver is the current broad availability of residential proxy services. All of the recent attacks Okta observed rely on requests being routed through anonymizing services such as Tor.
Devices affected without users’ knowledge
Providers of residential proxies effectively rent out the ability to route authentication requests through the computer, smartphone, or router of a real user, proxying the traffic through that device’s IP address to anonymize the source. A user device is often enrolled in a proxy network because the user consciously chooses to download “proxyware” onto their device in exchange for payment or something else of value. At other times, a device is infected with malware without the user’s knowledge and becomes enrolled in a botnet.
“More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network,” says Okta.
Okta therefore concludes that most of the traffic in the current rise in credential-stuffing attacks appears to originate from the mobile devices and browsers of everyday users.
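The practical consequence of the pattern described above is that per-IP rate limits and IP reputation lists stop working: each residential-proxy or Tor address submits only a handful of stolen username/password pairs, so no single source looks noisy. The aggregate signal survives, though. The following detection logic, an added example that is not from Okta or from the article, runs over constructed authentication log lines and flags a window as distributed credential stuffing when it shows many distinct accounts, many distinct source IPs, few accounts per IP, and a high failure ratio; it flags classic single-source brute force separately for contrast. The log format, sample lines, thresholds and function names are all assumptions made for this example.

```python
"""Added example: flag distributed credential stuffing in authentication logs.

Signal: many distinct accounts, many distinct source IPs, few accounts per IP
(traffic spread over residential proxies / Tor), and a high failure ratio.
Log format, sample lines and thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from statistics import mean

# Constructed log format: "<iso timestamp> <username> <source ip> <SUCCESS|FAIL>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: 6 source IPs, each trying 2 different accounts once (stuffing).
STUFFING_LOG = """\
2024-04-20T10:00:01Z u01 198.51.100.1 FAIL
2024-04-20T10:00:02Z u02 198.51.100.1 FAIL
2024-04-20T10:00:03Z u03 198.51.100.2 FAIL
2024-04-20T10:00:04Z u04 198.51.100.2 FAIL
2024-04-20T10:00:05Z u05 198.51.100.3 FAIL
2024-04-20T10:00:06Z u06 198.51.100.3 SUCCESS
2024-04-20T10:00:07Z u07 198.51.100.4 FAIL
2024-04-20T10:00:08Z u08 198.51.100.4 FAIL
2024-04-20T10:00:09Z u09 198.51.100.5 FAIL
2024-04-20T10:00:10Z u10 198.51.100.5 FAIL
2024-04-20T10:00:11Z u11 198.51.100.6 FAIL
2024-04-20T10:00:12Z u12 198.51.100.6 FAIL
"""

# Constructed sample: ordinary logins, one user mistyping a password once.
NORMAL_LOG = """\
2024-04-20T09:00:01Z alice 203.0.113.10 SUCCESS
2024-04-20T09:05:02Z bob 203.0.113.11 SUCCESS
2024-04-20T09:07:03Z carol 203.0.113.12 FAIL
2024-04-20T09:07:10Z carol 203.0.113.12 SUCCESS
"""

# Constructed sample: one source hammering one account (classic brute force).
BRUTE_LOG = "\n".join(
    f"2024-04-20T11:00:{i:02d}Z dave 192.0.2.5 FAIL" for i in range(8)
)


def parse_line(line):
    """Return an event dict, or None for a malformed line (skipped, not fatal)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "user": m["user"], "ip": m["ip"],
            "ok": m["result"] == "SUCCESS"}


def analyze(lines, min_users=10, min_ips=5, max_users_per_ip=3.0,
            min_fail_ratio=0.8, brute_threshold=5):
    """Summarise one window of auth events; return metrics plus a list of verdicts."""
    events = [e for e in map(parse_line, lines) if e is not None]
    users_by_ip = defaultdict(set)   # which accounts each source IP touched
    fails_by_ip = defaultdict(int)   # failed attempts per source IP
    fails = 0
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        if not e["ok"]:
            fails += 1
            fails_by_ip[e["ip"]] += 1
    attempts = len(events)
    metrics = {
        "attempts": attempts,
        "distinct_users": len({e["user"] for e in events}),
        "distinct_ips": len(users_by_ip),
        "fail_ratio": fails / attempts if attempts else 0.0,
        "users_per_ip": mean(len(s) for s in users_by_ip.values()) if users_by_ip else 0.0,
        "noisy_ips": sorted(ip for ip, n in fails_by_ip.items() if n >= brute_threshold),
    }
    verdicts = []
    # Distributed stuffing: broad, shallow, mostly failing, spread across many sources.
    if (metrics["distinct_users"] >= min_users
            and metrics["distinct_ips"] >= min_ips
            and metrics["users_per_ip"] <= max_users_per_ip
            and metrics["fail_ratio"] >= min_fail_ratio):
        verdicts.append("distributed_credential_stuffing")
    # Single-source brute force: one IP accumulating many failures on its own.
    if metrics["noisy_ips"]:
        verdicts.append("single_source_brute_force")
    metrics["verdicts"] = verdicts
    return metrics


if __name__ == "__main__":
    for name, log in (("stuffing", STUFFING_LOG), ("normal", NORMAL_LOG), ("brute", BRUTE_LOG)):
        r = analyze(log.splitlines())
        print(f"{name:9s} users={r['distinct_users']:2d} ips={r['distinct_ips']:2d} "
              f"fail_ratio={r['fail_ratio']:.2f} users/ip={r['users_per_ip']:.1f} -> {r['verdicts']}")
```

The thresholds are deliberately coarse: in production they would be tuned per tenant and evaluated over sliding time windows, and the distributed-stuffing verdict is strongest when combined with the success events it contains, since those are the accounts whose reused passwords were just confirmed valid and should be stepped up to MFA or forced to reset.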