
FBI: Beware Residential IPs Hiding Credential Stuffing


Cyber-criminals are increasingly hijacking home IP addresses to hide credential stuffing activity and increase their chances of success, the FBI has warned.

Credential stuffing is a popular method of account takeover whereby attackers use large lists of breached username/password ‘combos’ and try them across numerous sites and apps simultaneously to see if they work. As many individuals reuse their credentials, they often do.

Working credentials can then be sold to others for initial access. The FBI and Australian Federal Police claim to have found two websites containing over 300,000 unique sets of credentials obtained via credential stuffing. The sites had over 175,000 registered customers and made over $400,000 in sales, the FBI said.

Website owners can spot this activity if they know what to look for, which is where residential proxies come in. By compromising home routers or other connected devices, attackers route their login attempts through benign-looking residential IP addresses so that network defenders are less likely to flag them.

“In executing successful credential stuffing attacks, cyber-criminals have relied extensively on the use of residential proxies, which are connected to residential internet connections and therefore are less likely to be identified as abnormal,” the FBI said in its Private Industry Notification.

“Existing security protocols do not block or flag residential proxies as often as proxies associated with datacenters.”
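To make the FBI's point concrete, the following is an added example (not code from the FBI notification or from any product) that runs two detection rules over a constructed login log. A per-IP rule catches a burst from one datacenter address, but misses the same attempts once they are spread one-per-IP across residential proxies; a rule that aggregates by client fingerprint and success rate still catches the proxied campaign because the IP's reputation never enters the decision. The log format, the `ua*` fingerprint values, the thresholds and the "datacenter" range are all assumptions made for this example.

```python
"""Credential-stuffing detection over constructed login-log lines.

Added example, not from the FBI notification: it shows why a per-IP limit
misses attempts spread over residential proxies, and which aggregate signals
still expose the campaign. Log format, thresholds and IP ranges are assumed.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log: "<unix_ts> <client_ip> <username> <OK|FAIL> <client_fp>".
# Lines 1-4: ordinary users.  Lines 5-10: a burst from one datacenter IP.
# Lines 11-18: the same attempt pattern spread over eight "residential" IPs,
# one attempt each, sharing one client fingerprint (ua4).
SAMPLE_LOG = """\
1700000000 198.51.100.7 alice OK ua1
1700000005 198.51.100.7 alice OK ua1
1700000010 203.0.113.20 bob FAIL ua2
1700000012 203.0.113.20 bob OK ua2
1700000020 192.0.2.99 carol FAIL ua3
1700000021 192.0.2.99 dave FAIL ua3
1700000022 192.0.2.99 erin FAIL ua3
1700000023 192.0.2.99 frank FAIL ua3
1700000024 192.0.2.99 grace FAIL ua3
1700000025 192.0.2.99 heidi OK ua3
1700000030 198.51.100.11 ivan FAIL ua4
1700000031 198.51.100.12 judy FAIL ua4
1700000032 198.51.100.13 ken FAIL ua4
1700000033 198.51.100.14 liam FAIL ua4
1700000034 198.51.100.15 mia FAIL ua4
1700000035 198.51.100.16 nora FAIL ua4
1700000036 198.51.100.17 oscar OK ua4
1700000037 198.51.100.18 pam FAIL ua4
"""

# Assumed "known datacenter" range for the example; a real deployment would
# take this from an ASN / IP-intelligence feed.
DATACENTER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse(log_text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, fp = line.split()
        events.append({"ts": int(ts), "ip": ip, "user": user,
                       "ok": result == "OK", "fp": fp})
    return events


def is_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def per_ip_alerts(events, max_distinct_users=4):
    """Classic rule: one IP trying many different usernames.
    Catches the datacenter burst; every proxied IP tries one user, so they pass."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in users_by_ip.items()
                  if len(users) > max_distinct_users)


def fingerprint_alerts(events, window=60, min_ips=5, max_success_rate=0.25):
    """Aggregate rule: one client fingerprint seen from many distinct IPs within
    `window` seconds, with a success rate no real user population produces.
    IP reputation never enters the decision, so residential sources do not
    help the attacker here."""
    by_fp = defaultdict(list)
    for e in events:
        by_fp[e["fp"]].append(e)
    alerts = []
    for fp, evs in by_fp.items():
        evs.sort(key=lambda e: e["ts"])
        best_ips, best_win, start = 0, [], 0
        for end, e in enumerate(evs):            # sliding window over time
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            n_ips = len({w["ip"] for w in win})
            if n_ips > best_ips:
                best_ips, best_win = n_ips, win
        rate = sum(w["ok"] for w in best_win) / len(best_win)
        if best_ips >= min_ips and rate <= max_success_rate:
            alerts.append({"fp": fp, "ips": best_ips, "attempts": len(best_win),
                           "success_rate": round(rate, 3),
                           "datacenter_ips": sum(is_datacenter(w["ip"]) for w in best_win)})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_alerts(evs))
    print("fingerprint rule flags:", fingerprint_alerts(evs))
```

On the sample log, the per-IP rule flags only `192.0.2.99`, while the fingerprint rule flags `ua4` with eight distinct IPs, one success in eight attempts, and none of those IPs in the datacenter range. "Fingerprint" here stands for any stable per-client attribute (TLS fingerprint, header order, user agent); a tool that also rotates that attribute pushes detection towards per-account signals (one account attempted from many IPs) and towards comparing the global login failure rate with its baseline, neither of which the proxy hides.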

As well as combo lists, malicious actors buy configurations, or ‘configs,’ and other tools on underground sites to help improve success rates.

“The config may include the website address to target, how to form the HTTP request, how to differentiate between a successful vs unsuccessful login attempt, whether proxies are needed, etc,” the notice explained.

“In addition, cracking tutorial videos available via social media platforms and hacker forums make it relatively easy to learn how to crack accounts using credential stuffing and other techniques.”

The FBI recommended a multi-layered approach to mitigate the threat of credential stuffing.

A report from May last year claimed there were 193 billion credential stuffing attempts during…

Source…

GM credential stuffing attack exposed car owners’ personal info



US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers’ information and allowed hackers to redeem rewards points for gift cards.

General Motors operates an online platform through which owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills and services and redeem rewards points.

Car owners can redeem GM rewards points towards GM vehicles, car service, accessories, and purchasing OnStar service plans.

Targeted in credential stuffing attack

GM disclosed that they detected the malicious login activity between April 11th and April 29th, 2022, and confirmed that the hackers redeemed customer reward points for gift cards in some cases.

“We are writing to follow up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization,” explains a data breach notification sent to affected customers.

GM states they will be restoring rewards points for all customers affected by this breach.

However, these breaches are not the result of General Motors itself being hacked; they were caused by a wave of credential stuffing attacks targeting customers of its platform.

Credential stuffing attacks are when threat actors use collections of username/password combinations leaked in other sites’ data breaches to gain access to user accounts on a website.

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself,” explains a different data breach notification from GM.

“We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

GM requires affected users to reset their passwords before logging in to their accounts again.

Personal information exposed

When the hackers successfully breached a GM account, they could access certain information stored on the site. This information includes the following personal details:

  • First and last name,
  • personal email address,
  • personal address,
  • username and phone number for…

Source…

Over 300K Spotify accounts hacked in credential stuffing attack



Hackers have been attempting to gain access to Spotify accounts using a database of 380 million records with login credentials and personal information collected from various sources.

For years, users have complained that their Spotify accounts were hacked after passwords were changed, new playlists would appear in their profiles, or their family accounts had strangers added from other countries.

Spotify users stating their accounts were hacked

A new report detailing how a database containing over 380 million records, including login credentials, is actively used to hack into Spotify accounts may shed some light on these account breaches.

300 million records with user info for hacking Spotify accounts

A common attack used to hack into accounts is called a credential stuffing attack, which is when threat actors make use of large collections of username/password combinations that were leaked in previous security breaches to gain access to user accounts on other online platforms.

Today, VPNMentor released a report about a database exposed on the Internet that contained 300 million username and password combinations used in credential stuffing attacks against Spotify.

Each record in this database contains a login name (email address), a password, and whether the credentials could successfully login to a Spotify account, as shown below.

Record in exposed database

It is not known how the 300 million records were collected, but it is likely through data breaches or large “collections” of credentials that are commonly released by threat actors for free.

The researchers believe that the 300 million records listed in the database allowed the attackers to breach 300,000 to 350,000 Spotify accounts.

VPNMentor contacted Spotify on July 9th, 2020, about the exposed database and its threat to accounts and received a response on the same day.

“In response to our inquiry, Spotify initiated a ‘rolling reset’ of passwords for all users affected. As a result, the information on the database would be voided and become useless,” the researchers stated.
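The record format described above (login email, password, and whether the pair worked) is exactly what a service needs to find the accounts whose current password is in the attackers' hands. The following is an added example, not Spotify's or VPNMentor's code, of that matching step: each leaked pair is checked against a salted password hash store, and every account that matches is queued for a forced reset, which is what makes the leaked records "useless". The hash parameters, the account store and the sample combo list are constructed for the example.

```python
"""Matching a leaked combo list against an account store to queue resets.

Added example, not Spotify's or VPNMentor's code: the record shape follows the
report's description (login email, password, did-it-work flag); the store,
hashing parameters and sample data are assumed.
"""
import hashlib
import hmac
import os

# Constructed records in the shape described above: email:password:worked.
LEAKED_COMBOS = """\
alice@example.com:Winter2019!:true
bob@example.com:hunter2:false
carol@example.com:letmein:true
dave@example.com:correct-horse:true
"""

ITERATIONS = 50_000  # assumed PBKDF2 work factor for the example


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(credentials):
    """Constructed account store: per-user random salt + PBKDF2 digest,
    never the plaintext."""
    store = {}
    for email, password in credentials:
        salt = os.urandom(16)
        store[email] = (salt, hash_password(password, salt))
    return store


ACCOUNTS = make_store([
    ("alice@example.com", "Winter2019!"),     # reused password: in the list
    ("bob@example.com", "hunter2"),           # matches even though flagged false
    ("carol@example.com", "S0mething-else"),  # already changed: no match
    ("erin@example.com", "unique-pw"),        # not in the list at all
])


def parse_combos(text):
    """Yield (email, password, worked). Split once from the left and once from
    the right so a password containing ':' survives."""
    for line in text.splitlines():
        if not line.strip():
            continue
        email, rest = line.split(":", 1)
        password, flag = rest.rsplit(":", 1)
        yield email.strip().lower(), password, flag.strip().lower() == "true"


def accounts_to_reset(store, combos):
    """Return the accounts whose current password equals the leaked one.
    The attacker's 'worked' flag is ignored: it is their claim, not ours,
    and a matching password is reason enough to force a reset."""
    hits = set()
    for email, password, _worked in combos:
        record = store.get(email)
        if record is None:
            continue  # not our user; the leaked password is irrelevant to us
        salt, digest = record
        if hmac.compare_digest(hash_password(password, salt), digest):
            hits.add(email)
    return sorted(hits)


if __name__ == "__main__":
    for email in accounts_to_reset(ACCOUNTS, parse_combos(LEAKED_COMBOS)):
        print("force reset:", email)
```

Only emails the service actually holds are hashed, so the job costs one password hash per matching record and scales linearly with the list; in the sample it queues `alice` and `bob` but not `carol` (already changed) or `dave` (not a user). Resetting the password is not the whole job: sessions and API tokens issued while the credential was valid should be revoked too, and the plaintext passwords from the list should never be logged or retained beyond the comparison.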

It is not clear what is meant by a “rolling reset,” as Spotify account holders that BleepingComputer has spoken to did not recently…

Source…