Okta reported an “unprecedented scale” of credential stuffing attacks targeting its identity and access management solutions, resulting in the breach of some customer accounts.
Threat actors employ credential stuffing techniques like password-spraying and brute-forcing to compromise user accounts by systematically trying lists of usernames and passwords in an automated fashion. These lists are often obtained from other data leaks, phishing and infostealer campaigns, or from underground cybercriminal forums where it is sold from a few tens to thousands of dollars.
“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools,” Okta said in a Saturday advisory.
The identity and access management provider said the attacks appear to stem from the same infrastructure used in previously reported brute-force and password-spraying attacks targeting VPNs and SSH services identified by Cisco Talos.
Use of TOR in Credential Stuffing Attacks
Okta noted that in all observed attacks the requests originated from a TOR anonymization network and various residential proxies, such as NSOCKS, Luminati and DataImpulse.
Residential proxies are a network of proxy servers that use IP addresses from residential users. They are useful for anonymous browsing, bypassing geo-restrictions and accessing secure websites. Providers rent access to real users’ devices to anonymize traffic sources.
They don’t usually disclose how they build these networks, sometimes enrolling users knowingly or via malware, “what we would typically describe as a botnet,” Okta said. This results in traffic appearing to originate from everyday users’ devices, not VPS providers.
FBI had earlier warned of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks.
Okta observed that the attacks were notably effective against organizations using the Okta Classic Engine with ThreatInsight configured in Audit-only mode, rather than Log and Enforce mode.
Additionally, organizations failing to block access from anonymizing proxies experienced a higher success rate in these attacks. The attacks, however, succeeded for only a small percentage of Okta’s customers, the IAM provider said.
To counter these threats, Okta recommended:
- Enabling of ThreatInsight in Log and Enforce Mode to proactively block IP addresses associated with credential stuffing attempts before authentication is attempted.
- Denying access from anonymizing proxies to preemptively block requests originating from suspicious anonymizing services.
- Transition to enhanced security features such as CAPTCHA challenges for risky sign-ins and password-less authentication.
- Implementing Dynamic Zones to manage access based on criteria like geolocation and selectively block or allow certain IPs.
Why Credential Stuffing Attacks are Still Effective
Credential stuffing attacks traditionally have a very low success rate, which is estimated at around 0.1%, according to Cloudflare. Despite this, it remains profitable due to the vast number of credentials attackers possess. Collections contain millions or billions of credentials, with even a small fraction leading to profitable data.
The prevalence of password or credential reuse, observed in up to 85% of digital users, also facilitates the recurrence and the effectiveness of these attacks. Adding to this the advancements in bot technology enables attackers to circumvent security measures like time delays and IP bans.
Credential stuffing accounts for 24.3% of all login attempts in 2023, as per Okta. Retail and e-commerce companies account for more than half (51.3%) of all credential-stuffing incidents, the findings stated. It is likely due to the value associated with accounts in that industry, Okta said.
Geographically, the Americas region has the highest rate of credential-stuffing attacks at 28%, which aligns with previous findings as some of the largest retail and media companies are based in the United States.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.