Kaspersky security researchers report that an invitation-based private marketplace for stolen digital information offers more than 60,000 stolen bot profiles at the moment.
Called Genesis Store, this is the biggest online store for such data, and the profiles sold there include browser fingerprints, website user logins and passwords, cookies, and credit card information. Based on the value of the stolen information, prices per profile range from $5 to $200.
Information includes:
- IP address (external and local)
- Screen information (screen resolution, window size)
- Firmware version
- Operating system version
- Browser plugins installed
- Timezone
- Device ID
- Battery information
- Audio system fingerprint
- GPU info
- WebRTC IPs
- TCP/IP fingerprint
- Passive SSL/TLS analysis
- Cookies
- and many more
"The plugin allows installing stolen digital profiles into the
“For example, if the bot has a login/password pair from an online bank account, the price is higher. As the marketplace owners have explained in their Darknet forum thread, the price is calculated automatically using a unique algorithm,” Kaspersky Lab’s security researchers explain.
The marketplace includes a configurable search panel so that users can easily find specific bots by searching for logins and passwords from a particular website, the victim’s country, operating system, the date the profile first appeared on the market, and other information.
Looking to make the use of the stolen profiles as easy as possible, the owners of Genesis Store have developed a special .crx plugin for Chromium-based browsers, which allows for the installation of stolen digital profiles with a single click.
Next, the cybercriminal needs to connect to a proxy server with an IP address from the victim’s location, which allows them to bypass anti-fraud systems’ verification mechanisms. Thus, they can pretend to be the legitimate user, effectively becoming the victim’s doppelganger.
Genesis Store also allows customers to generate unique fingerprints, if they don’t want to buy real ones, the researchers say.
“Genesis Store gives its customers an opportunity to use Genesis algorithms and the plugin to generate random fingerprints that can be used, for example, to enter stolen bank card information into online store forms: such unique browser fingerprints will be properly configured, so the anti-fraud system will not be alarmed,” Kaspersky explains.
Cybercriminals can also use the Tenebris Linken Sphere browser to bypass anti-fraud systems. Not only do its developers claim that the application is the perfect browser for anonymity, but it has already been used for carding (i.e., the use and trafficking of stolen credit cards) for years.
A fully functional browser, Sphere packs advanced fingerprint configuration capabilities, automatic proxy server validity testing and usage options. It also has a user activity emulator, allowing crooks to set it to open websites, follow links, stay on websites for a given length of time, and the like, to trick anti-fraud systems’ behavior analysis modules.
“The Tenebris Linken Sphere developers have also created a marketplace of unique fingerprints that can be used with Sphere browsers,” Kaspersky says.
The browser is offered as part of a subscription-based licensing system, priced at $100 per month. Those interested in gaining access to the fingerprints market have to pay $500 per month. Sphere provides a broad range of configuration options for generated fingerprints, with fully adjustable parameters in most cases.
Genesis and Sphere prove that cybercriminals are always looking for ways to defeat the anti-fraud safeguards through in-depth research of how such systems work, and through the analysis of browser traffic to understand protection system scripts and queries.
“The security departments of financial organizations must always look for ways to counter such threats. Extra two-factor authentication for any transaction initiated using a bank card or payment system is an absolute necessity these days, even if the user’s digital profile appears legit to the protection system. Even though it is not very convenient for users to complete the extra authentication routine each time they want to buy online, it is the most effective safeguard against carding attacks for the present,” Kaspersky notes.
https://securelist.com/digital-doppelgangers/90378/
https://www.securityweek.com/over-60000-stolen-profiles-sold-underground-marketplace