FBI PIN TLP White: Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors. This PIN was coordinated with DHS/CISA.

This PIN has been released TLP: WHITE

Summary

The FBI is highlighting significant details about proxies1 and configurations2 used by cyber criminals to mask and automate credential stuffing attacks on US companies, resulting in financial losses associated with fraudulent purchases, customer notifications, system downtime and remediation, as well as reputational damage. Credential stuffing attacks, commonly referred to as account cracking, apply valid username and password combinations, also known as user credentials or “combo lists”, from previously compromised online resources or data leaks. Malicious actors utilizing valid user credentials have the potential to access numerous accounts and services across multiple industries – to include media companies, retail, healthcare, restaurant groups and food delivery – to fraudulently obtain goods, services and access other online resources such as financial accounts at the expense of legitimate account holders. The FBI acknowledges the Australian Federal Police for their assistance collecting the information included in this Private Industry Notification.