A huge black market for "virtual personalities" has been found on the Internet. How does it work?

Problem with authentication systems

The online economy depends on usernames and passwords. They are necessary to confirm your identity on the Internet during any monetary transaction: from purchases to bank transfers, everything is tied to personal data. However, this limited authentication method has proven to be far from secure, as people tend to reuse their passwords across multiple services and websites. This has led to massive and highly profitable illegal trading of user credentials. Consider the scale: according to recent estimates, approximately 1.9 billion stolen credentials were sold through underground markets in a year.

Unsurprisingly, banks and other digital services have developed more sophisticated authentication systems that do more than rely on users knowing their password. For example, a person has their own eToken.

eToken (from "electronic" and "token") is a means of personal authentication in the form of USB keys and smart cards, as well as the software solutions that use them. Such tokens are also sold in Russia.

The process in which the user has both a password and a personal token is known as multi-factor authentication (MFA). It greatly limits the possibility of cybercrime, but it also has its drawbacks. Because it involves a lot of hassle, many users are reluctant to register for the token, which means few people use it.

Is there any alternative?

To solve this problem, an alternative authentication system has recently become popular in services such as Amazon, Facebook, Google and PayPal. This system, known as Risk Based Authentication (RBA), looks at a user's digital "fingerprint" to verify their credentials. The fingerprint can include basic technical information, such as the type of browser or operating system, as well as the user's behavior: mouse movement, location and even the speed of key presses. If the fingerprint matches what is expected of the user, based on previous behavior, the user is allowed to log in immediately using only a username and password. Otherwise, additional authentication with a token is required.
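The decision described above can be sketched as a small scoring function. This is an added example, not code from any of the services named; the field names, weights, tolerance and threshold are assumptions chosen for illustration.

```python
# Added illustration of risk-based authentication (RBA). Field names, weights,
# tolerance and threshold are assumptions, not taken from any real service.
STATIC_WEIGHTS = {"browser": 15, "os": 15, "timezone": 15, "country": 25}
BEHAVIOUR_WEIGHT = 30        # points for a keystroke-timing deviation
TIMING_TOLERANCE = 0.35      # allowed relative deviation from the usual timing
STEP_UP_THRESHOLD = 25       # at or above this score, require the token


def risk_score(profile, attempt):
    """Return 0..100: weighted sum of signals that deviate from the history."""
    score = 0
    for field, weight in STATIC_WEIGHTS.items():
        if attempt.get(field) != profile.get(field):
            score += weight
    # Behavioural signal: mean delay between key presses, in milliseconds.
    expected = profile["key_interval_ms"]
    observed = attempt.get("key_interval_ms")
    if observed is None or abs(observed - expected) > TIMING_TOLERANCE * expected:
        score += BEHAVIOUR_WEIGHT
    return score


def decide(profile, attempt):
    """Password alone is enough for a low score; otherwise ask for the token."""
    if risk_score(profile, attempt) >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed sample data.
PROFILE = {"browser": "Firefox", "os": "Windows 10",
           "timezone": "Europe/Amsterdam", "country": "NL",
           "key_interval_ms": 180}
USUAL = dict(PROFILE, key_interval_ms=195)
NEW_DEVICE = dict(PROFILE, browser="Chrome", os="Linux", key_interval_ms=170)
SAME_DEVICE_ODD_TYPING = dict(PROFILE, key_interval_ms=60)
TRAVELLING = dict(PROFILE, timezone="Europe/London")

if __name__ == "__main__":
    for name, attempt in [("usual", USUAL), ("new device", NEW_DEVICE),
                          ("odd typing", SAME_DEVICE_ODD_TYPING),
                          ("travelling", TRAVELLING)]:
        print(name, risk_score(PROFILE, attempt), decide(PROFILE, attempt))
```

The third case shows why behavioural signals are part of the fingerprint: the device attributes match exactly, yet the login is still sent to the second factor.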

Of course, cybercriminals quickly came up with ways to bypass the RBA by developing phishing kits that also include fingerprints. However, they find it difficult to turn this into an efficient and profitable business. One reason is that these user profiles change over time and across services and need to be collected through additional phishing attacks.

Posing as another person as a service

Recently, scientists from Eindhoven University of Technology found evidence of a large-scale and highly complex market that appears to overcome these limitations. The marketplace, based in Russia, offers over 260,000 detailed user profiles along with other credentials such as email addresses and passwords.

“The uniqueness of this underground website is not only its scale, but also that all profiles are constantly updated, which means that they retain their value,” explains Luca Allodi, a researcher in the Security Group of the Faculty of Mathematics and Computer Science, who, together with Ph.D. student Michele Campobasso, was responsible for the research.

Clients can search the database to select exactly the internet user they want to target. This allows for very dangerous targeted phishing attacks. Buyers in this black market can also get software that automatically loads purchased user profiles on targeted websites.

Luca Allodi, TU/e researcher

Credit: Eindhoven University of Technology.

To emphasize the systematic nature of the website, Allodi and Campobasso coined the term impersonation as a service (IMPaaS), echoing well-known cloud computing services such as SaaS (software as a service) and IaaS (infrastructure as a service).

"As far as we know, this is the largest and most sophisticated criminal market in which these services are systematically offered."

Researching the market was not easy, the researchers emphasize. In order to access the lists of available user profiles, they had to obtain special invitation codes that existing users use. Data collection was also difficult: platform operators actively tracked down “fraudulent” accounts. The researchers also decided to keep the real name of the site a secret in order to minimize the risk of retaliation from market operators.

Price of a “virtual personality”

The price of a user's "virtual identity" on the trading platform ranges from $1 to about $100. Access to cryptocurrency profiles and electronic money transfer platforms seems to be the most valuable. “Just having at least one cryptocurrency profile almost doubles the average profile,” says Allodi.

Another important factor that increases the price is the wealth of the country in which the user is located. “This makes sense: attackers looking to impersonate and monetize user profiles place greater value on profiles that can bring greater financial gain, and these are mostly found in developed countries,” says Campobasso.

User profiles that provide access to more than one service are also highly valued, as are profiles with “real” fingerprints, as opposed to fingerprints “synthesized” by the platform.

Using profiles

In their article, the researchers also describe a few examples of how criminals "weaponize" these profiles, which they found on the secret Telegram channel used by the platform's clients. In one known attack, an attacker describes how to configure filters for the victim's email mailboxes. The goal is to hide notifications from Amazon related to purchases made by the attacker using the victim's platform account.
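From the defender's side, the mailbox filters described above leave a trace that can be audited. The following is an added example, not taken from the researchers' article; the rule record layout, the action names and the watch list are assumptions, and the sample rules are constructed.

```python
# Added illustration: audit mailbox rules for ones that hide purchase mail.
# The rule record layout, action names and watch list are assumptions.
WATCHED_SENDERS = ("amazon",)   # case-insensitive substrings to look for
HIDING_ACTIONS = {"delete", "mark_read", "move_to_trash", "skip_inbox"}


def targets_watched_sender(condition):
    """True if the rule's sender or subject condition names a watched sender."""
    text = " ".join(condition.get(k, "") for k in ("from", "subject")).lower()
    return any(sender in text for sender in WATCHED_SENDERS)


def suspicious_rules(rules):
    """Return (rule name, hiding actions) for rules that suppress watched mail."""
    findings = []
    for rule in rules:
        hiding = HIDING_ACTIONS.intersection(rule["actions"])
        if hiding and targets_watched_sender(rule["condition"]):
            findings.append((rule["name"], sorted(hiding)))
    return findings


# Constructed sample rules, as an export from a mail service might list them.
SAMPLE_RULES = [
    {"name": "Newsletters", "condition": {"subject": "weekly digest"},
     "actions": ["move_to_folder"]},
    {"name": "Receipts", "condition": {"from": "auto-confirm@amazon.example"},
     "actions": ["apply_label"]},
    {"name": ".", "condition": {"from": "amazon.example", "subject": "order"},
     "actions": ["mark_read", "delete"]},
]

if __name__ == "__main__":
    for name, actions in suspicious_rules(SAMPLE_RULES):
        print(f"rule {name!r} hides watched mail via {actions}")
```

A rule that only labels or files purchase mail is left alone; only rules that remove it from the user's view are reported.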

Consequences of trading "digital identities"

However, similar markets exist not only in Russia.

IntSights, a New York-based threat intelligence company aimed at empowering businesses to “defend ahead,” today announced the release of its latest report, Digital Browser Identification: The Hottest New Product on the Black Market.

The report states that “the emergence of the Genesis market in November 2018 drew attention to a new type of underground ‘digital identity’ service. This type of black market offers complete fingerprinting of a user's web browser and computer characteristics, allowing an attacker to impersonate the victim almost flawlessly. This gives the digital identity buyer the ability to access websites as another user and bypass advanced identity protection services.” The study states that this includes access to email accounts (e.g. Google, Yahoo, Microsoft), social media profiles (e.g. Facebook, Twitter, LinkedIn), bank and credit card accounts (including PayPal), retail and e-commerce websites (e.g. eBay, Amazon, Best Buy), music services (Spotify), mobility apps (Uber), government services, and even internal login pages.

“Think of it as digital facial recognition, but instead of scanning your face to verify your identity, they use the properties of your device to browse the web,” the report’s authors suggest. The implications are frightening, as this gives anyone the ability to intrude on and imitate a user's online identity, since users typically store their credentials in their browser for convenience, even for financial and work websites.

“The use of these masquerade tactics goes beyond fraud and financial crimes. Hackers may target specific companies by looking for their employees; pedophiles may target and impersonate children by seeking victims who visit known children's websites; and intelligence agencies can search for various government officials according to their internal login pages.”

IntSights also noted that Richlogs, a new Genesis competitor, has joined the ranks of leading dark trading platforms. “Like the Genesis marketplace, Richlogs collects and sells stolen digital fingerprints of web browsing devices (i.e. IP address, OS information, time zone, user behavior). These sites allow the buyer to impersonate a legitimate online user and bypass standard security protocols by offering full credential access to any site that has been stored in the victim's browser.”

Ariel Einhoren, Head of Research at IntSights, stresses: “The level of intrusion into the victim's life provided by digital identity is alarming. It's not just credit cards, bank accounts or personal information at stake. Digital identity gives cybercriminals the ability to almost completely intercept someone else's identity on the Internet. This includes everything from viewing expenses to tracking daily travel routes and viewing tax information.” She added that the larger the victim's digital footprint, the more the attacker can impersonate her. “Digital IDs, as sold on Richlogs and Genesis, offer a complete digital fingerprint of a person on a plate, providing endless opportunities for fraud, fraud, theft, and access to the victim's privacy.”

How do you protect yourself?

IntSights provided tips for protecting your organization from digital identity fraud:

  • Constantly monitor digital identity markets. Visibility and awareness are the keys to proactive protection. “Monitoring these markets can help you identify compromised individuals at an early stage (for example, on one of your internal login pages) so you can track traffic to that page more closely and/or improve verification methods when users log in.”
  • Enable two-factor authentication. “Request for the second (or even third) variable for user verification makes it harder for hackers to hack accounts. This could include mobile verification or providing answers to additional security questions that only the customer or employee will know.”
  • Update fingerprinting protocols regularly. If your company uses digital fingerprints to verify clients or users, update these protocols regularly and add additional authentication points to keep up with the stealer version updates.
  • Consistently clear your cookies and browsing history. “Clearing cookies and browsing history limits the extent of your ‘digital history’ and therefore does not put additional websites and/or profiles at risk if your device becomes infected.”
  • Change passwords regularly. This is always a cybersecurity best practice, and it certainly applies here as well. Changing passwords and preventing password reuse can significantly reduce the risk of hacking.
