For Sale on Cybercrime Markets: Real 'Digital Fingerprints'Genesis and Richlogs Markets Sell Victim Data for Faking Out Anti-Fraud Systems
Two cybercrime marketplaces are helping fraudsters to automate the sometimes arduous task of trying to impersonate legitimate customers of eBay, Amazon, Netflix, online banks and other sites.
The Genesis and Richlogs markets sell "digital fingerprints" - the types of data that organizations use to help identity fraudulent behavior. By looking more like a legitimate user, criminals can be better-equipped to help fool organizations' anti-fraud controls.
Security experts say the rise of digital fingerprints being offered for sale is simply the latest chapter in "carding," which refers to any illegal use of credit and debit card data. Such fraud seems set to rise. Last year, for example, Jupiter Research estimated that online losses due to payment card fraud would rise from $22 billion in 2018 to $48 billion by 2023.
The anticipated rise in fraud comes despite organizations deploying increasingly sophisticated defenses to block the use of payment card data that gets stolen via payment card skimmers, online skimming software, banking Trojans or other techniques.
For more than two decades, criminals have bought and sold credit and debit card data, recently via dozens of marketplaces, mostly hosted in Russia, featuring such current and former players as AlphaBay, Hansa, Dream and Wall Street Market. Another major player has been Rescator, where batches of hundreds of thousands of cards have sometimes appeared following a major breach (see: Target Reaches $18.5 Million Breach Settlement with States).
To combat the rampant theft of payment card data, many organizations now "digitally fingerprint" users and devices by recording more than 100 data points, such as a user's IP address, geolocation, time zone, device type, operating system version, battery information, cookies, or even how an individual interacts with their device, for example when using their smartphone's on-screen keyboard. By tracking such data, organizations can use anti-fraud controls that spot unusual behavior, such as a Kansas-based iPhone user suddenly appearing to log in from Ukraine on an Android device.
"Anti-fraud systems can check the user’s collected fingerprint against the local database of fraudster device fingerprint patterns and, if any of them should match the one being used for the online purchase attempt, the transaction will be immediately blocked," according to security firm Kaspersky.
Cybercrime, however, continues to be a cat-and-mouse game, and criminals have responded to the rise of digital fingerprinting by not just stealing payment card data, but also digital fingerprints. Top marketplaces also offer bespoke tools that enable fraudsters to replay fingerprint data to better emulate their victims.
Adopt a Bot
Experts say the Genesis market, which first appeared in November 2017, continues to be a major vendor of stolen digital fingerprint data. The site sells access to single bots - referring not to massive botnets, but rather to an individual endpoint infected by malware. At its debut, it claimed that it could evade anti-fraud controls used by 283 major banks and payments systems.
"For less than $50, users can buy a bot on the Genesis site, which includes the fingerprint, accounts, and cookies - unsurprisingly, the store does not use or sell any products connected with the Russian Commonwealth," risk minimization service Digital Shadows reported in April 2018.
Digital Shadows says the stolen data gets harvested by the Genesis bot via "web injects, form grabbers and passwords saved in browsers," with the bot keeping tabs on the system and pushing updated data to the store and on to buyers. "While this means that not all information is verified, it provides a more scalable business model for the administrators," it says.
In April, a report from Kaspersky noted that Genesis was selling more than 60,000 bot profiles containing stolen data, with each profile priced from $5 to $200, depending on the value of the stolen data. "For example, if the bot has a login/password pair from an online bank account, the price is higher," Kaspersky reported. "As the marketplace owners have explained in their darknet forum thread, the price is calculated automatically using a unique algorithm."
The site also provides customers, for free, with a browser plug-in called Genesis Application. "The plug-in claims to work with any operating system on Chrome-like browsers - Chrome, Iron, Iridium and others - and provides a seamless way to access the user fingerprint," Digital Shadows says. "The plug-in automatically updates and offers additional information on cookies and login data, as well as holder details, security answers and card details."
After installing the plug-in, "the bad guy only needs to connect to a proxy server with an IP address from the victim’s location and he can bypass the anti-fraud systems’ verification mechanisms, pretending to be a legitimate user," Kaspersky says.
Rival Market: Richlogs
Earlier this year, a direct competitor to Genesis called Richlogs debuted, promising to provide a similar service for less.
The marketplace says it too has listings from vetted vendors selling "bot logs with fingerprints" for PayPal, Pornhub and Facebook accounts; U.S. and Canadian bank accounts; cryptocurrency hot and cold wallets; and AirBnB accounts.
"All the logs we provide come with full fingerprint data," an advertisement for the site boasts. "This means exactly that. We provide all the cookie & browsing history in each log to ensure you have success with all your operations. Once you load the cookies onto your selected browser you will become the identical user from the log you have just purchased from us. This ensures a much higher success rate and anonymity for your business needs. We provide you with a free browser where you can just upload your purchased log and use it with simplicity."
Registration for Richlogs costs $50, payable via bitcoin or monero, after which the site says a user will receive $100 in site credit. Log data starts at $1 per record.
The site also says that it can give users real-time access to hacked PCs so they can use them to remotely emulate victims via a SOCKS5 proxy. "[Our] SOCKS5 module will be started on the victim device and will let you use his IP as a proxy when you use his data to avoid security checks based on IP if not a clean SOCKS5 in same region as victim device worked because of strict security rule by antifraud systems," reads an advertisement for Richlogs.
While Genesis has grown to now feature more than 100,000 bot profiles, Richlogs remains fairly new and only has about 1,100 profiles for sale, Ariel Ainhoren, head of research at cyber intelligence firm IntSights, says in a new report. He notes that whoever created Richlogs appears to have added features that they found lacking at Genesis.
"Richlogs provides an interface that allows anyone to sell stolen digital identities, unlike Genesis, which only offers digital identities for sale without new users being able to sell their own. This creates more of a marketplace for buyers and sellers," according to IntSights.
In addition, Richlogs sells "more granular fraud information for victim accounts, enabling buyers to filter identities by availability of HiddenVNC connection to the bot, presence of cryptocurrency wallets credentials, or credit card information in the logs," Ainhoren writes.
Ainhoren notes that Richlogs doesn't sell or include personally identifiable information on victims. But it does appear to have snagged a number of corporate users, as well as government account holders. "For example, one of the victims accessed a portal of the Serbian Traffic Police, identifying himself as a member of the Serbian police force," he writes. "Another victim accessed the New Zealand internal revenue service, identifying himself as a New Zealand citizen. And another victim was most likely an Indian national living in Qatar. We know this because while the profile mostly accessed Indian sites, it also accessed the Qatar government national authentication system."
Whoever is selling the data via Richlogs doesn't appear to discriminate as to the type or location of victim. "We observed victims from all around the globe, including the U.S., Western and Eastern Europe, Asia, and the Middle East," he says. "If you get infected, your whole digital profile will be offered for sale."
Tenebis Linken Sphere Browser
Genesis and Richlogs only represent part of the cybercrime ecosystem that aims to defeat anti-fraud defenses.
For example, criminals don't have to use a Chrome browser plug-in to replay a victim's digital fingerprints. Another popular tool is the Tenebris Linken Sphere browser, "a fully functional browser with advanced fingerprint configuration capabilities, automatic proxy server validity testing and usage options" among other features, including a "user activity emulator" designed to make it look more authentic, Kaspersky says.
"Its developers position it as the perfect browser for anonymity, and in fact it has been used for carding for years," backed by "a marketplace of unique fingerprints that can be used with Sphere browsers" to better mimic real users, the security firm says.
Pricing is on a subscription basis, starting at $100 per month for the browser, Kaspersky says, rising to $500 monthly for access to the fingerprints marketplace.
To defend themselves against attacks that use stolen digital fingerprints to fake out sites and services, IntSights recommends users always use unique passwords for every site or service, as well as enable two-factor authentication wherever possible, and regularly clear cookies and browsing history, to make them more difficult for would-be attackers to grab.