Residential proxy networks are being used in an ongoing credential-stuffing attack on a Fortune 500 company, and this attack is being completely mitigated by Cequence's Unified API Protection (UAP) platform, which is handling bot traffic from over 9 million unique IP addresses. A pool of IP addresses this large defeats traditional IP-blocking methods. To help mimic legitimate traffic, the attackers use proxy pools based in the same country as the target's main user base -- of the 9 million unique IP addresses in the current attack, over 8 million originate from the USA and UK, which correlates with the locations of the target's primary user base.
Cequence's ML-based policies and fingerprint-based blocking handle attacks where IP blocking fails. Both legitimate traffic and malicious traffic can be fingerprinted. Cequence uses these fingerprints to differentiate legitimate traffic from malicious traffic and mitigate the effects of the malicious traffic on your systems.
Attack summary
This attack started February 7th and escalated notably starting on the 10th. The attack has focused on compromising individual user accounts for a business that handles notably increased seasonal traffic in mid-February, and used almost 7 million unique IP addresses.
Attack technique
This attack uses a subset of brute-force attacks known as credential stuffing, which exploits the tendency of users to reuse username/password pairs. Large numbers of credential pairs from previous data breaches are replayed against the target's login systems in order to find accounts where they still work. The actions taken from an account compromised in this way vary with the business of the target, but often include exfiltrating payment information.
The following chart of transactions blocked by Cequence displays a breakdown of attack events by country.
The next pair of charts displays unique IP addresses by country and organization, first without the specific target discussed in this article, and then including that target. While the scale of the attack is almost unprecedented over such a short time span, mitigating attacks of this nature is a daily occurrence for Cequence.
IP address sources excluding target
IP address sources including target
The originating devices are primarily those commonly seen in attacks of this kind: routers from major manufacturers such as Huawei and Cisco, and various IoT devices. Both categories of device are frequently found in large botnets. The attack has generated over 28 million events, or approximately 3 events for each unique IP address, and has had a very consistent fingerprint, which has made mitigation straightforward.
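As an added example (not Cequence's code and not a description of UAP's internals), the following script contrasts the two approaches discussed above on constructed login records: a per-IP failure threshold sees only about three attempts per address and never trips, while grouping by a client fingerprint exposes one cluster spread across many IPs and usernames with a near-zero login success rate. The record layout, the fingerprint token, the thresholds and the sample data are all assumptions made for illustration.

```python
# Added example, not Cequence's code. Contrasts per-IP rate limiting with
# fingerprint clustering on constructed login records of the form
# "ip fingerprint username OK|FAIL". Field names and thresholds are assumed.
from collections import defaultdict

def parse_log(lines):
    """Parse constructed whitespace-separated login records."""
    records = []
    for line in lines:
        ip, fp, user, result = line.split()
        records.append({"ip": ip, "fp": fp, "user": user, "ok": result == "OK"})
    return records

def ips_over_threshold(records, threshold=10):
    """Classic per-IP rate limiting: IPs with more than `threshold` failed logins."""
    failures = defaultdict(int)
    for r in records:
        if not r["ok"]:
            failures[r["ip"]] += 1
    return {ip for ip, n in failures.items() if n > threshold}

def fingerprint_clusters(records, min_ips=20, max_success_rate=0.05):
    """Group by fingerprint; flag clusters that span many IPs with a very low
    success rate, the profile of credential stuffing through a proxy pool."""
    ips, users, total, ok = defaultdict(set), defaultdict(set), defaultdict(int), defaultdict(int)
    for r in records:
        ips[r["fp"]].add(r["ip"])
        users[r["fp"]].add(r["user"])
        total[r["fp"]] += 1
        ok[r["fp"]] += r["ok"]
    flagged = {}
    for fp in total:
        rate = ok[fp] / total[fp]
        if len(ips[fp]) >= min_ips and rate <= max_success_rate:
            flagged[fp] = {"ips": len(ips[fp]), "users": len(users[fp]), "success_rate": rate}
    return flagged

def sample_lines():
    """Constructed sample: 100 proxy IPs, 3 attempts each, one shared fingerprint,
    one lucky hit; plus five ordinary users with distinct fingerprints."""
    lines = []
    for i in range(100):
        for j in range(3):
            result = "OK" if (i == 7 and j == 0) else "FAIL"
            lines.append(f"203.0.113.{i} fp_bot_a1 user{i * 3 + j} {result}")
    for k in range(5):
        lines.append(f"198.51.100.{k} fp_legit_{k} alice{k} FAIL")
        lines.append(f"198.51.100.{k} fp_legit_{k} alice{k} OK")
    return lines
```

Run `fingerprint_clusters(parse_log(sample_lines()))` to see the bot fingerprint flagged while `ips_over_threshold` on the same records returns nothing, since no single IP exceeds three failures.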
Cequence mitigates over 327 million credential-stuffing events, or around 10 million events each day, for its customers, saving approximately $6.3M of account value in an average month.