Account compromise of “unprecedented scale” uses everyday home devices

Authentication service Okta is warning about the “unprecedented scale” of an ongoing campaign that routes fraudulent login requests through the mobile devices and browsers of everyday users in an attempt to conceal the malicious behavior.

The attack, Okta said, uses other means to camouflage the login attempts as well, including the TOR network and so-called proxy services. In some cases, the affected mobile devices are running malicious apps. In other cases, users have enrolled their devices in proxy services in exchange for various incentives.

Unidentified adversaries then use these devices in credential-stuffing attacks, which use large lists of login credentials obtained from previous data breaches in an attempt to access online accounts. Because the requests come from IP addresses and devices with good reputations, network security devices don’t give them the same level of scrutiny as logins from virtual private servers (VPS) that come from hosting services threat actors have used for years.

“The net sum of this activity is that most of the traffic in these credential-stuffing attacks appears to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers,” according to an advisory that Okta published over the weekend.

Okta’s advisory comes two weeks after Cisco’s Talos security team reported seeing a large-scale credential compromise campaign that was indiscriminately assailing networks with login attempts aimed at gaining unauthorized access to VPN, SSH, and web application accounts. These login attempts used both generic and valid usernames targeted at specific organizations. Cisco included a list of more than 2,000 usernames and almost 100 passwords used in the attacks, along with nearly 4,000 IP addresses that are sending the login traffic. The attacks led to hundreds of thousands or even millions of rejected authentication attempts.

Within days of Cisco’s report, Okta’s Identity Threat Research team observed a spike in credential-stuffing attacks that appeared to use a similar infrastructure. Okta said the spike lasted from April 19 through April 26, the day the company published its advisory.

Okta officials wrote:

Residential Proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber. Providers of residential proxies effectively rent access to route authentication requests through the computer, smartphone, or router of a real user, and proxy traffic through the IP of these devices to anonymize the source of the traffic.

Residential Proxy providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download “proxyware” into their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet. More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network.

People who want to ensure that malicious behavior isn’t routed through their devices or networks should pay close attention to the apps they install and the services they enroll in. Free or discounted services may be contingent on a user agreeing to terms of service that allow their networks or devices to proxy traffic from others. Malicious apps may also surreptitiously provide such proxy services.

Okta provides guidance for network administrators to repel credential-stuffing attacks. Chief among them is protecting accounts with a strong password—meaning one randomly generated and consisting of at least 11 characters. Accounts should also use multifactor authentication, ideally in a form that is compliant with the FIDO industry standard. The Okta advisory also includes advice for blocking malicious behavior from anonymizing proxy services.