Dive Brief:

• Cybercriminals are using proxies and configurations to mask and automate credential stuffing attacks targeting U.S. businesses, the FBI warned last week.
• Multiple public sites are selling compromised account credentials. A pair of these sites investigated by the FBI and the Australian Federal Police contained more than 300,000 unique credentials, the agency said in Thursday warning to private industry.
• Media companies, retailers, restaurant groups and food delivery services are at heightened risk due to the scale of their customer bases and “relative lack of importance users place on these types of accounts,” the FBI said.

Dive Insight:

Credential stuffing, a form of attack that exploits valid credentials stolen during a breach or purchased on the dark web, remains a persistent threat. Damage from these attacks is often multiplied because many individuals reuse usernames and passwords across multiple accounts.

By acquiring or developing configurations that can initiate attacks with custom tools, cybercriminals can target specific sites for attack. These configurations can target specific sites, include details about how to form an HTTP request, and indicate if proxies are required, the FBI said.

Proxies, which can also be purchased from legitimate service providers, allow threat actors to mask IP addresses and circumvent another form of defense, according to the FBI. Successful credential stuffing attacks are often directed by cybercriminals through residential proxies, which are less likely to be blocked or flagged.

“Some cracking tools, including one of the most popular automated attack tools, allow actors to run the software without proxies,” the FBI said.

The agency shared multiple tips to help companies defend against credential stuffing. Multifactor authentication sits at the top of that list. Businesses are also encouraged to educate employees and customers about the pitfalls of using passwords that have appeared in data breaches.