Residential Proxies Increasingly Used to Hide Credential Stuffing Attacks

Cyber threat actors are increasingly using hacked residential routers to hide their credential stuffing attacks, according to a recent alert from the Federal Bureau of Investigation (FBI).

Credential stuffing is a type of brute force attack where a threat actor uses a large list of usernames and passwords that have been compromised in previous data breaches to access accounts on unrelated websites. The attack relies on the reuse of passwords on multiple platforms. If a user sets a password for an account and reuses that password for multiple accounts, a breach of one of those accounts would give the threat actor the right username and password combination to access all other accounts where the same credentials have been used.

If these attacks succeed, the valid username and password combos can be personally used by threat actors, or lists can be sold on underground forums to other threat actors, such as ransomware gangs. These attacks can provide threat actors with access to business networks, or they can be used to access accounts and make fraudulent purchases for goods and services. In some cases, they can provide a threat actor with access to financial accounts. While most people are aware of the need to use a unique password for their financial accounts, people are laxer about security with accounts for media companies and restaurant groups, yet these accounts can still be valuable to threat actors and are often targeted.

Website owners can detect credential stuffing attacks through the IP addresses used to access accounts and repeated failed login attempts. They can also implement security measures to block the attacks. To get around this and increase the success rate, threat actors are increasingly hijacking residential proxies, which are connected to residential Internet connections. When credential stuffing attacks are conducted using these residential proxies, the login attempts are much less likely to arouse suspicion, as external security protocols do not tend to block or flag residential proxies, at least not as often as they do with the proxies associated with data centers.

In addition to using large lists of username and password combinations, threat actors can also purchase configurations and other tools on hacking forums to further improve the success rate, and also view tutorials on how to conduct and automate their attacks. Despite the security risks associated with reusing passwords, it is a common practice. It should be noted that without password reuse, credentials stuffing attacks would not succeed.

The easiest way for businesses to prevent credentials stuffing attacks is to ensure they provide security awareness training to their employees and explain the risks associated with reusing passwords. Employees should be told to set strong, complex passwords – or passphrases on their accounts. Since it is difficult for people to set complex passwords – and remember them – the best approach is to provide employees with a password manager. A password manager will suggest complex passwords, and users will not need to remember them since they will be auto-filled when required. The passwords are also stored securely in an encrypted password vault. Some password managers – Bitwarden for example – also have a username generator, which allows users to set a unique username for their accounts in addition to a unique password, by using an email provider’s plus addressing or aliasing capabilities.

For additional protection, multifactor authentication should be enabled, which will require additional authentication in addition to a password if a login attempt is made from an unfamiliar IP address. Checks can also be performed on accounts to determine if username/password combos have been compromised in previous data breaches. These can be tested against accounts, and password resets can be forced if the credentials have been used.

The FBI offers several recommendations for website operators to improve security. These include the use of fingerprinting on websites to analyze information about clients and detect unusual activity, such as attempts to log in to multiple accounts from a single IP address. The FBI also suggests the use of shadow banning. “When a user is shadow banned, their activities, which are not propagated to other users or to system data, do not impact the system. Because shadow banning limits users’ activities in a way that is not apparent, the user is unaware their access is limited. When utilized in conjunction with fingerprinting, shadow banning can prevent account crackers from determining the legitimacy of credentials used during a login attempt.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of