Last week, the FBI released a PIN (Private Industry Notification) through its Internet Crime Complaint Center (IC3). It reported a rise in credential stuffing attacks and warned internet domain administrators to implement defenses.
Credential stuffing is a type of cyberattack in which threat actors take usernames and passwords they have already obtained (from a previous breach, or bought on the dark web) and use them to try to gain entry to other sites and accounts.
In the current cases, the FBI has seen an increase in cybercriminals using residential proxies to avoid being tracked, flagged or blocked. A residential proxy makes the attacker's traffic appear to come from an ordinary home IP address, so it blends in with regular consumer traffic.
To obtain residential proxies, attackers often plant malware on home computers and later use the infected machine's IP connection. They then deploy bots to continuously run their credential stuffing attempts. Some residential proxy tools are full-featured, including options to brute-force account passwords or tune the configuration to the particular account being targeted.
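The reason residential proxies matter to defenders is that the usual per-IP rate limit stops working: each home IP sends only a few login attempts, so no single address ever looks abusive. The script below is an added example (not from the post or from the FBI advisory) showing a detection that looks at the aggregate instead: many distinct usernames failing from many distinct source IPs in one window while every IP stays under the per-IP limit. The log format, the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""Detect credential stuffing spread across residential proxies.

Compares a classic per-IP failure threshold (which the distributed pattern evades)
with an aggregate check over a fixed time window. Log format and thresholds are
assumptions made for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Lines 1-3 are normal users; the rest is a stuffing run
# against ten different accounts, spread over five "home" IPs at two attempts each.
SAMPLE_LOG = """\
2022-09-01T10:00:01 auth FAIL user=alice src=198.51.100.7
2022-09-01T10:00:09 auth OK user=alice src=198.51.100.7
2022-09-01T10:00:30 auth OK user=bob src=198.51.100.8
2022-09-01T10:02:00 auth FAIL user=u01 src=203.0.113.11
2022-09-01T10:02:05 auth FAIL user=u02 src=203.0.113.11
2022-09-01T10:02:11 auth FAIL user=u03 src=203.0.113.12
2022-09-01T10:02:17 auth FAIL user=u04 src=203.0.113.12
2022-09-01T10:02:40 auth FAIL user=u05 src=203.0.113.13
2022-09-01T10:02:44 auth FAIL user=u06 src=203.0.113.13
2022-09-01T10:03:02 auth FAIL user=u07 src=203.0.113.14
2022-09-01T10:03:08 auth FAIL user=u08 src=203.0.113.14
2022-09-01T10:03:25 auth FAIL user=u09 src=203.0.113.15
2022-09-01T10:03:30 auth FAIL user=u10 src=203.0.113.15
"""

# Hypothetical line format: "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "result": m.group("result"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def per_ip_alerts(events, per_ip_limit=5):
    """Classic defence: flag any source IP with more than per_ip_limit failed logins."""
    fails = Counter(e["ip"] for e in events if e["result"] == "FAIL")
    return sorted(ip for ip, n in fails.items() if n > per_ip_limit)


def _window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window (deterministic, no tz)."""
    origin = datetime(1970, 1, 1)
    secs = int((ts - origin).total_seconds())
    size = int(window.total_seconds())
    return origin + timedelta(seconds=secs - secs % size)


def distributed_stuffing_alerts(events, window=timedelta(minutes=5),
                                min_users=8, min_ips=4, per_ip_limit=5):
    """Aggregate check: in each window, count distinct failing usernames and distinct
    source IPs. Many of both while no single IP exceeds per_ip_limit is the
    signature of stuffing routed through residential proxies."""
    by_window = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_window[_window_start(e["ts"], window)].append(e)
    alerts = []
    for start in sorted(by_window):
        fails = by_window[start]
        users = {e["user"] for e in fails}
        ips = Counter(e["ip"] for e in fails)
        if len(users) >= min_users and len(ips) >= min_ips:
            alerts.append({
                "window_start": start.isoformat(),
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "max_per_ip": max(ips.values()),
                "below_per_ip_limit": max(ips.values()) <= per_ip_limit,
            })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP alerts:", per_ip_alerts(evs))            # nothing trips the per-IP limit
    for a in distributed_stuffing_alerts(evs):
        print("distributed stuffing alert:", a)
```

On the sample, the per-IP check returns nothing because every address made at most two attempts, while the aggregate check raises one alert for the 10:00 window (11 distinct failing users across 6 IPs). In production the same idea is usually extended with a per-account failure count and a comparison against the window's normal baseline, since a large site will legitimately see many failures from many IPs.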
Internet admins should read the FBI advisory and implement defenses, but how can the ‘average person’ protect themselves from credential stuffing attacks?
Let’s break it down and apply mitigations:
- Password Hygiene: Using the same password for numerous accounts is a bad idea, and this is exactly why. If one account is breached, it hands over access to all the others. Use a unique, complex password for every account, and use a trustworthy, reliable password manager to keep them organized.
- MFA: Implementing multi-factor authentication ensures that even if a cybercriminal gets their hands on your username and password, they’ll be stopped by the need for further authentication.
- Stay vigilant against phishing attempts! Be choosy about the emails you open and the links you click.
- Ensure you have all the appropriate security controls in place for your system.
At Centraleyes, we can help you assess and mitigate your cybersecurity risks. Contact us for a demo with no commitment!