29 April 2024

Okta warns of surge in proxy-driven credential stuffing attacks



Identity and access management (IAM) services provider Okta has warned of an increase in the frequency and scale of credential stuffing attacks targeting online services. The attacks observed over the past month are facilitated by the widespread availability of residential proxy services, lists of previously stolen credentials (known as 'combo lists'), and various scripting tools.

The findings come following a similar warning from Cisco, which highlighted a global surge in brute-force attacks targeting a range of devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, dating back to at least March 18, 2024.

Cisco’s Talos threat intelligence division reported that these attacks were originating from TOR exit nodes and other anonymizing tunnels and proxies, targeting VPN appliances and routers from several prominent manufacturers.

Okta's Identity Threat Research revealed a notable uptick in credential stuffing activity against user accounts between April 19 and April 26, 2024, indicating a potential connection to the infrastructure mentioned in Cisco's advisory.

A method known as ‘credential stuffing’ involves using credentials obtained from one data breach to gain unauthorized access to other unrelated services.

“All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR,” stated Okta. Furthermore, the company noted that millions of requests were routed through various residential proxies, including NSOCKS, Luminati, and DataImpulse.

Residential proxies (RESIPs) are networks of legitimate user devices exploited by threat actors to route traffic on behalf of paying subscribers without their knowledge. This enables malicious actors to conceal their activities, making it challenging for security measures to detect and mitigate the attacks effectively.
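To make the distributed pattern concrete, here is an added example (not from Okta's advisory or its products) that scores a window of constructed authentication events: it flags failures spread across many usernames and many source addresses, the shape proxy-driven stuffing produces, while a single-source brute force is left to ordinary per-IP lockouts. The log format, the thresholds and the `assess` function are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed sample auth events (not real data): timestamp, outcome, username, source IP.
# Proxy-driven stuffing: each attempt arrives from a different address and tries a different user.
STUFFING_LOG = """\
2024-04-20T10:00:01Z FAIL alice 203.0.113.10
2024-04-20T10:00:02Z FAIL bob 203.0.113.11
2024-04-20T10:00:02Z FAIL carol 198.51.100.7
2024-04-20T10:00:03Z FAIL dave 203.0.113.12
2024-04-20T10:00:04Z FAIL erin 198.51.100.8
2024-04-20T10:00:05Z OK alice 192.0.2.5
2024-04-20T10:00:06Z FAIL frank 198.51.100.9
"""
# Single-source brute force against one account, for contrast (also constructed).
BRUTE_LOG = """\
2024-04-20T11:00:01Z FAIL alice 203.0.113.50
2024-04-20T11:00:02Z FAIL alice 203.0.113.50
2024-04-20T11:00:03Z FAIL alice 203.0.113.50
2024-04-20T11:00:04Z FAIL alice 203.0.113.50
2024-04-20T11:00:05Z FAIL alice 203.0.113.50
"""

class Verdict(NamedTuple):
    failures: int
    distinct_users: int
    distinct_ips: int
    failures_per_ip: float
    stuffing_suspected: bool

def assess(log: str, min_failures: int = 5, min_users: int = 5, max_per_ip: float = 2.0) -> Verdict:
    """Flag a window whose failed logins are spread across many usernames AND many source IPs.
    Per-IP lockouts catch few IPs with many failures each; proxy-driven stuffing shows many
    IPs with one or two failures each. Thresholds are assumed; in production the IPs would
    also be checked against TOR exit and residential-proxy reputation data (not shown)."""
    fails_by_ip: dict[str, int] = defaultdict(int)
    users: set[str] = set()
    for line in log.splitlines():
        _ts, outcome, user, ip = line.split()
        if outcome != "FAIL":
            continue  # successful logins do not count toward the failure spread
        fails_by_ip[ip] += 1
        users.add(user)
    failures = sum(fails_by_ip.values())
    ips = len(fails_by_ip)
    per_ip = failures / ips if ips else 0.0
    suspected = failures >= min_failures and len(users) >= min_users and per_ip <= max_per_ip
    return Verdict(failures, len(users), ips, per_ip, suspected)
```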

Okta said it observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits).

“Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network,” according to Okta.

In March, HUMAN's Satori threat intelligence team spotted 28 applications on Google Play that turned Android devices into proxy servers, with 17 of them masquerading as free VPN software.
