Account compromise of “unprecedented scale” uses everyday home devices
Authentication service Okta is warning about the “unprecedented scale” of an ongoing campaign that routes fraudulent login requests through the mobile devices and browsers of everyday users in an attempt to conceal the malicious behavior.
The attack, Okta said, uses other means to camouflage the login attempts as well, including the TOR network and so-called proxy services from providers such as NSOCKS, Luminati, and DataImpulse, which can also harness users’ devices without their knowledge. In some cases, the affected mobile devices are running malicious apps. In other cases, users have enrolled their devices in proxy services in exchange for various incentives.
Unidentified adversaries then use these devices in credential-stuffing attacks, which use large lists of login credentials obtained from previous data breaches in an attempt to access online accounts. Because the requests come from IP addresses and devices with good reputations, network security devices don’t give them the same level of scrutiny as logins from virtual private servers (VPS) that come from hosting services threat actors have used for years.
“The net sum of this activity is that most of the traffic in these credential-stuffing attacks appears to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers,” according to an advisory that Okta published over the weekend.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25449917/PXL_20240510_013415094.MP.jpg)
