
Anatomy of a 6-day credential stuffing attack from 2.2M residential IPs


In this article, we cover the details of a heavily distributed credential-stuffing attack that targeted a major US financial service company (spoiler: there were some pretty clear signs of device spoofing, as you'll see below). By the end of the bot attack, which lasted 6 days, Castle blocked more than 11.8M malicious login attempts.

Figure: Credential stuffing attack metrics

Credential stuffing attack overview

As a reminder, credential stuffing is the act of trying large numbers of stolen credentials with the purpose of gaining unauthorized access to accounts (account takeover). The attacker made 11,804,332 login attempts over more than 6 days, and the attack reached a spike of a whopping 208k login attempts per hour on December 10th. For reference, the regular login volume is about 10k per hour.

The attacker mostly used IP addresses located in the US. Since the targeted financial platform is a US-based company, this matches a common attacker technique: they often rely on proxies located in the same country as the website they target to stay under the radar and avoid triggering traditional detection techniques such as geo-blocking.

More specifically, the attacker mostly leveraged US residential proxy IPs that belong to well-known ISPs such as Comcast and AT&T. These IP addresses have a better reputation than cheaper data center proxies, which tend to be blocked more quickly.

The graph below shows the evolution of the number of unique IP addresses per hour used by the attacker. We see that during the bot attack, the attacker was often using more than 100K distinct US-based residential IPs per hour to spread their attack.

Proxies are a key component of credential-stuffing attacks. They enable bots to spread an attack across thousands of IP addresses, which avoids detection by simple IP-based rate-limiting techniques.
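To make the point above concrete (and the conclusion's claim that IP-based rate limiting alone is not enough), here is an added example, not Castle's code, that runs two detection layers over a constructed, scaled-down hour of login traffic shaped like this attack: 2,000 attempts spread across 1,000 proxy IPs, two attempts per IP, on top of 200 legitimate logins. The baseline of 200 logins per hour, the thresholds, the IP ranges and the usernames are all assumptions for illustration.

```python
"""Why per-IP rate limiting misses a widely distributed credential-stuffing
attack, and what an aggregate, multi-signal check over the same hour sees.

Added example, not Castle's code. The traffic is constructed: a scaled-down
hour of logins shaped like the article's attack (many proxy IPs, only a
couple of attempts per IP, mostly failures). Thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ip: str
    username: str
    success: bool


def make_hour_of_traffic(with_attack: bool = True) -> list[LoginEvent]:
    """Constructed sample hour: 200 legitimate logins from 150 IPs (some
    households share an IP, ~90% succeed) plus, optionally, a stuffing wave of
    2,000 attempts over 1,000 proxy IPs, two attempts per IP, 1% of the stolen
    pairs still valid. IP ranges are documentation/shared space, not real hosts."""
    events = [LoginEvent(f"203.0.113.{i % 150}", f"user{i}", i % 10 != 0)
              for i in range(200)]
    if with_attack:
        for j in range(2000):  # every attempt is a different stolen pair
            ip = f"100.64.{(j % 1000) // 250}.{j % 250}"
            events.append(LoginEvent(ip, f"victim{j}", j % 100 == 0))
    return events


def per_ip_rate_limit_blocks(events: list[LoginEvent],
                             max_attempts_per_ip: int = 20) -> set[str]:
    """Classic defence: block any IP that exceeds N attempts in the hour.
    With two attempts per proxy IP, no source ever crosses the line."""
    counts = Counter(e.ip for e in events)
    return {ip for ip, n in counts.items() if n > max_attempts_per_ip}


def aggregate_signals(events: list[LoginEvent], hourly_baseline: int) -> dict:
    """Signals computed over the whole hour rather than per source IP."""
    total = len(events)
    distinct_ips = len({e.ip for e in events})
    failures = sum(1 for e in events if not e.success)
    return {
        "total_attempts": total,
        "distinct_ips": distinct_ips,
        "attempts_per_ip": total / distinct_ips,   # low = widely distributed
        "volume_ratio": total / hourly_baseline,   # spike vs. normal traffic
        "failure_rate": failures / total,          # stolen pairs mostly fail
    }


def classify_hour(events: list[LoginEvent], hourly_baseline: int,
                  volume_ratio_threshold: float = 3.0,
                  failure_rate_threshold: float = 0.5) -> tuple[str, list[str]]:
    """Flag the hour only when two independent signals fire; the reasons are
    returned so an analyst can see which layer caught it."""
    s = aggregate_signals(events, hourly_baseline)
    reasons = []
    if s["volume_ratio"] > volume_ratio_threshold:
        reasons.append(f"volume {s['volume_ratio']:.1f}x baseline")
    if s["failure_rate"] > failure_rate_threshold:
        reasons.append(f"failure rate {s['failure_rate']:.0%}")
    verdict = "credential_stuffing" if len(reasons) >= 2 else "normal"
    return verdict, reasons


if __name__ == "__main__":
    hour = make_hour_of_traffic()
    print("per-IP rate limit blocked:", len(per_ip_rate_limit_blocks(hour)), "IPs")
    print("aggregate verdict:", classify_hour(hour, hourly_baseline=200))
    print("quiet hour:", classify_hour(make_hour_of_traffic(False), hourly_baseline=200))
```

Lowering `max_attempts_per_ip` to 1 would catch the proxy IPs, but it would also block the 50 legitimate households that logged in twice, which is exactly the trade-off that pushes detection toward aggregate and per-device signals instead of per-IP counters.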

Attack Indicators of Compromise (IoCs)

The attacker used different techniques to minimize their chances of being detected, such as forging their bots' device fingerprints and using US residential proxies to distribute the attack.

Device Indicators of Compromise

How did Castle block the attack?

Castle’s detection uses a multi-layered approach to ensure that even if attackers properly forge their device fingerprints or use clean residential proxies, it still detects malicious bot traffic.

In the case of this attack, the attacker was detected by a combination of signals and approaches:

Conclusion

Credential stuffing attacks can significantly strain server resources and pose a serious risk of account takeovers. These incidents can harm the brand reputation and degrade the customer experience. While such attacks can originate from a small number of IP addresses, attackers increasingly rely on residential proxies to distribute their attacks widely and to evade defenses.

Traditional bot detection techniques such as geo-blocking and IP-based rate limiting are not enough against today’s attackers. This is why Castle uses a multi-layered approach that leverages advanced machine learning (ML) with all signals available: from device fingerprinting to advanced residential proxy detection and user behavioral analysis.
