Massive Credential Stuffing attack exploits home devices


Okta, a leading authentication service, is raising alarms over a massive credential-stuffing attack that cleverly disguises fraudulent login requests using the mobile devices and browsers of ordinary users. This sophisticated campaign aims to evade detection by routing these requests through devices with strong reputational standings, a tactic unseen at such a scale before.

This attack employs various methods to mask the malicious activity, including the Tor network and proxy services from NSOCKS, Luminati, and DataImpulse. These services can route traffic through users' devices without their knowledge. In some instances, the mobile devices involved are loaded with malicious apps; in others, users have unknowingly enrolled their devices into proxy services in return for incentives.

The adversaries utilize these devices for credential-stuffing attacks, where vast lists of previously breached login details are tested against various online accounts. Since these login requests originate from IP addresses associated with benign devices rather than the more commonly monitored virtual private servers (VPS), they often bypass typical security measures.

Okta’s advisory follows a report from Cisco’s Talos security team, which documented a similar large-scale attack inundating networks with countless login attempts. These attempts aimed to gain unauthorized access to VPN, SSH, and web application accounts, using both generic and targeted valid usernames. Cisco’s report also included a substantial list of usernames, passwords, and IP addresses linked to the attackers, which have resulted in massive numbers of authentication rejections.

Within days of Cisco’s findings, Okta’s Identity Threat Research team noted a significant rise in these attacks, leveraging similar infrastructure. This rise in credential stuffing activity was particularly noted from April 19 through April 26, leading to the publication of Okta’s detailed advisory.

The company’s advisory highlights the risks associated with residential proxies—networks comprising legitimate user devices that route traffic for a subscriber. The origins of these proxy networks are often obscured, with devices being enrolled either willingly by users in exchange for payment or unknowingly via malware or compromised software development kits (SDKs).

To defend against such attacks, Okta advises network administrators to enforce strong, randomly generated passwords of at least 11 characters and to implement multifactor authentication, ideally compliant with the FIDO industry standard. Additionally, Okta suggests blocking traffic from anonymizing proxy services to further protect against these sophisticated attacks.
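The earlier paragraph notes that these login attempts bypass typical controls because each residential IP sends only a trickle. The following added example (not code from Okta or Cisco) shows a defender-side check that aggregates failed logins per username across distinct source IPs instead of per IP; the log format and sample lines are constructed for illustration.

```python
# Added example: detect distributed credential stuffing in constructed auth logs.
# Per-IP thresholds miss traffic spread over residential proxies, so this
# aggregates failures by username across distinct IPs in a sliding time window.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <result> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-04-20T10:00:01 FAIL user=alice ip=203.0.113.10
2024-04-20T10:00:03 FAIL user=alice ip=198.51.100.7
2024-04-20T10:00:05 FAIL user=alice ip=192.0.2.44
2024-04-20T10:00:06 FAIL user=alice ip=203.0.113.99
2024-04-20T10:00:09 FAIL user=bob ip=198.51.100.8
2024-04-20T10:00:11 FAIL user=bob ip=192.0.2.45
2024-04-20T10:00:12 FAIL user=bob ip=203.0.113.12
2024-04-20T10:00:13 FAIL user=bob ip=198.51.100.9
2024-04-20T10:00:20 OK   user=carol ip=192.0.2.50
2024-04-20T10:00:25 FAIL user=carol ip=192.0.2.50
2024-04-20T10:00:30 OK   user=carol ip=192.0.2.50
"""

def parse_line(line):
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], ip.split("=", 1)[1]

def failures(log_text):
    """Yield (timestamp, user, ip) for every failed login in the log."""
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, ip = parse_line(line)
            if result == "FAIL":
                yield ts, user, ip

def max_failures_per_ip(log_text):
    """Highest failure count seen from any single IP (what per-IP limits watch)."""
    return max(Counter(ip for _, _, ip in failures(log_text)).values(), default=0)

def find_stuffing(log_text, window=timedelta(minutes=5), min_ips=3):
    """Map user -> distinct failing IPs when >= min_ips hit that user inside one window."""
    per_user = defaultdict(list)
    for ts, user, ip in failures(log_text):
        per_user[user].append((ts, ip))
    flagged = {}
    for user, attempts in per_user.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):        # sliding window over this user's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            ips = {ip for _, ip in attempts[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[user] = max(flagged.get(user, 0), len(ips))
    return flagged
```

In the sample, no IP fails more than once, so a per-IP lockout never fires, while the per-user view flags alice and bob as targets of a distributed attempt.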

For individuals, vigilance about the apps they download and the services they subscribe to is crucial. Often, free or discounted services come with terms that might compromise personal device security by permitting traffic proxying from external sources. Awareness and cautious participation in digital services are key to preventing such exploitation.
