“Systems for protection and fingerprint substitution”
Criminals behind a shop on the Dark Web that is trading over 60,000 “digital identities” have developed a wide range of sophisticated tools to help users bypass machine learning-based anti-fraud systems, researchers at Kaspersky Lab say.
Customers using Genesis marketplace can purchase unique “digital masks”, or hijack those of legitimate online shoppers; piggybacking on the behavioural characteristics of innocent users to circumvent anti-fraud software, the company said.
Digital Masks: Highly Sought After
How does this work? Each online device carries with it a digital fingerprint – a combination of system attributes that are unique to each device and personal behavioral attributes of the user himself. The device fingerprint includes IP address (external and local); firmware version, GPU info, WebRTC IPs, TCP/IP fingerpring, cookies and more.
As Kaspersky Lab notes, modern anti-fraud solutions also analyse the user’s social network accounts (third-party cookies check) and various aspects of his/her behavior, including time spent at an online store website; mouse/touchscreen behaviour and more.
“Anti-fraud system may ‘red flag’ various tricks, but the main idea is to make sure that the user’s collected digital identity had been used for transactions before, such transactions had been legitimate, or that the digital fingerprint is completely unique and used for the first time,” the company said.
Uncovering the Genesis Darknet Marketplace
In February 2019, Kaspersky Lab research uncovered the Genesis Darknet marketplace – an online shop selling stolen digital masks and user accounts at prices ranging from $5 to $200 each.
Its customers simply buy previously stolen digital masks together with stolen logins and passwords to online shops and payment services, and then launch them through a browser and proxy connection to mimic real user activity.
The store’s owners have even developed a special .crx plugin for Chromium-based browsers (like Google Chrome and Microsoft’s new Edge Chromium).
The plugin allows users to install stolen digital profiles into their own browser with a single mouse click; allowing them to become a “doppelganger of the victim”.
“After that the bad guy only needs to connect to a proxy server with an IP address from the victim’s location and he can bypass the anti-fraud systems’ verification mechanisms, pretending to be a legitimate user.”
Anti-Fraud Bypass: Custom Tenebris Subscription
Other tools enable attackers to create from scratch their own unique digital masks that won’t trigger anti-fraud solutions.
Kaspersky Lab researchers have investigated one such tool, a special Tenebris Sphere browser with an embedded configuration generator to develop unique fingerprints. (Its standard iteration boasts “systems for protection and fingerprint substitution (GPU, Audio, Canvas, Plugins, Fonts, ClientRects, Ubercookies) automatically changing them for each new identity. Nobody can recognize configuration of your real computer if you surf with Sphere – it protects you against any identification attempt.”)
A more powerful version uses a subscription-based licensing system. One month’s worth of the browser usage costs $100. (With access to the Genesis fingerprints market thrown in, the price is $500 per month.)
As cybercriminals become increasingly sophisticated in dodging tools set up to catch them, Kaspersky recommends that online businesses ramp up their efforts to protect online shoppers.
This could include multi-factor authentication at every stage of user validation processes; new methods of additional verification, such as biometrics; and the integration of Threat Intelligence feeds into SIEM and other security controls in order to get access to the most relevant and up-to-date threat data.