
The mobile devices and browsers of everyday users are behind the recent spike in credential-stuffing attacks, major security technology provider Okta warns.
Okta’s Identity Threat Research team has observed a spike in credential-stuffing activity against user accounts since March 2024. The attackers are using infrastructure that includes multiple models of VPN devices.
Malicious actors route millions of sign-in requests at online services using compiled lists of usernames and passwords. Those lists are obtained from earlier data breaches of unrelated organizations, or from phishing or malware campaigns; credential stuffing works because people reuse the same password across services.
“All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR. Millions of the requests were also routed through a variety of residential proxies, including NSOCKS, Luminati, and DataImpulse,” Okta said.
The so-called residential proxies can be computers, smartphones, routers, or other devices belonging to real users. Attackers route their traffic through these devices so that each request appears to come from an ordinary residential IP address rather than from a data center or a known anonymizing network, which defeats simple IP-reputation and geolocation filters.
“Providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download ‘proxyware’ onto their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet,” Okta explains.
Recently, many mobile devices were enrolled in such networks after users installed apps that bundled compromised software development kits (SDKs). The developers of those apps may have been tricked into unknowingly shipping the malicious code, or they may have knowingly consented to the proxying activity.
Okta now lets its Workforce Identity Cloud and Customer Identity Solution customers block access requests originating from residential proxies before authentication takes place. Broader recommendations include adopting passkeys as a passwordless option, preventing users from choosing weak or previously breached passwords, enforcing multi-factor authentication, and monitoring for anomalous sign-in behavior.
Service providers can also filter requests based on location and IP reputation.
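The two controls above, a pre-authentication block on known proxy ranges and behavioural monitoring for sign-in anomalies, are easy to confuse with ordinary brute-force detection, so here is an added example (not Okta's code, and not from any product mentioned on this page) that distinguishes them. It assumes a hypothetical JSON-lines authentication log with `ts`, `user`, `src_ip` and `result` fields, and a hypothetical blocklist that stands in for a real IP-reputation feed; the sample log lines and the blocklist range are constructed for the example. The stuffing signature it looks for is a single source spreading roughly one attempt across many distinct usernames with a high failure rate, which differs from one user mistyping a password several times.

```python
"""Credential-stuffing triage over constructed sign-in log lines (added example)."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample log (JSON lines), not real data. One line per sign-in attempt.
SAMPLE_LOG = """\
{"ts": "2024-04-20T10:00:01Z", "user": "alice", "src_ip": "203.0.113.10", "result": "fail"}
{"ts": "2024-04-20T10:00:02Z", "user": "bob", "src_ip": "203.0.113.10", "result": "fail"}
{"ts": "2024-04-20T10:00:03Z", "user": "carol", "src_ip": "203.0.113.10", "result": "fail"}
{"ts": "2024-04-20T10:00:04Z", "user": "dave", "src_ip": "203.0.113.10", "result": "fail"}
{"ts": "2024-04-20T10:00:05Z", "user": "erin", "src_ip": "203.0.113.10", "result": "fail"}
{"ts": "2024-04-20T10:00:06Z", "user": "frank", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2024-04-20T10:01:00Z", "user": "alice", "src_ip": "192.0.2.5", "result": "fail"}
{"ts": "2024-04-20T10:01:07Z", "user": "alice", "src_ip": "192.0.2.5", "result": "fail"}
{"ts": "2024-04-20T10:01:15Z", "user": "alice", "src_ip": "192.0.2.5", "result": "success"}
{"ts": "2024-04-20T10:02:00Z", "user": "grace", "src_ip": "198.51.100.77", "result": "fail"}
"""

# Hypothetical blocklist of anonymizing / residential-proxy ranges. In practice this
# comes from an IP-reputation feed; the documentation range here is an assumption.
KNOWN_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Parse JSON-lines sign-in events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_anonymizing_source(src_ip, nets=KNOWN_PROXY_NETS):
    """Pre-authentication check: does the source fall inside a known proxy range?"""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparsable address: fail open here, log it in production
    return any(addr in net for net in nets)


def detect_stuffing(events, min_distinct_users=5, max_attempts_per_user=2.0):
    """Flag sources that spread few attempts across many distinct usernames.

    Credential stuffing replays one leaked username:password pair per account, so
    the signature is many users per source with about one attempt each and a high
    failure rate. A source hammering one account with many passwords is brute
    force, not stuffing, and is deliberately not flagged here.
    """
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": []})
    for ev in events:
        s = per_src[ev["src_ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "success":
            s["hits"].append(ev["user"])
        else:
            s["failures"] += 1

    flagged = {}
    for src, s in per_src.items():
        distinct = len(s["users"])
        if distinct < min_distinct_users:
            continue
        if s["attempts"] / distinct > max_attempts_per_user:
            continue  # concentrated on few accounts: brute force, handled elsewhere
        flagged[src] = {
            "distinct_users": distinct,
            "attempts": s["attempts"],
            "failures": s["failures"],
            # Successful logins from a stuffing source mean those users reused a
            # leaked password; they need a forced reset and session revocation.
            "likely_compromised": sorted(s["hits"]),
        }
    return flagged


def triage(log_text):
    """Apply the pre-auth proxy filter, then run stuffing detection on what remains."""
    events = parse_log(log_text)
    blocked = sorted({ev["src_ip"] for ev in events if is_anonymizing_source(ev["src_ip"])})
    # Requests from blocked sources never reach the password check, so they are
    # excluded from the behavioural analysis of authentication outcomes.
    remaining = [ev for ev in events if ev["src_ip"] not in blocked]
    return {"blocked_pre_auth": blocked, "stuffing_sources": detect_stuffing(remaining)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample data the blocklist catches 198.51.100.77 before any password is checked, 192.0.2.5 is left alone as a single user recovering from typos, and 203.0.113.10 is flagged as a stuffing source with one hit on `frank`, whose account is the one to lock and reset. Real deployments would key the behavioural counters on ASN or device fingerprint as well as IP, since residential-proxy traffic is spread across many addresses precisely to keep per-IP counts low.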
On April 16th, Cisco warned of an increase in brute-force activity targeting VPN services, web application authentication interfaces, and SSH services since at least March 18th, 2024. The attackers used a mix of generic usernames and valid usernames specific to the targeted organizations.