A huge black market for "virtual personalities" has been found on the Internet. How does it work?

Problem with authentication systems

The online economy depends on usernames and passwords. They are required to verify identity on the Internet during any money transaction: from purchases to bank transfers, everything is tied to personal data. However, this limited authentication method has proven to be far from secure, as people tend to reuse their passwords across multiple services and websites. This has led to a massive and highly profitable illegal trade in user credentials. To get a sense of the scale: it was recently estimated that around 1.9 billion stolen credentials were sold through clandestine markets in a year.

Unsurprisingly, banks and other digital services have developed more sophisticated authentication systems that do more than rely on users knowing their password. For example, a person has their own eToken.

eToken (from the English "electronic" and "token") refers to personal authentication tools in the form of USB keys and smart cards, as well as software solutions that use them. Such tokens are also sold in Russia.

The process in which the user has both a password and a personal token is known as multi-factor authentication (MFA). It severely limits the possibility of cybercrime, but it also has its drawbacks. Since it involves extra steps, many users do not want to register for the token, which means that few use it.

Is there any alternative?

To solve this problem, an alternative authentication system has recently become popular in services such as Amazon, Facebook, Google and PayPal. This system, known as Risk Based Authentication (RBA), looks at a user's digital fingerprint to verify their credentials. The fingerprint can include basic technical information such as the type of browser or operating system, as well as the user's behavior: mouse movement, location and even the speed of pressing the keys. If the fingerprint matches what is expected of the user, based on previous behavior, the user is allowed to log in immediately using only a username and password. Otherwise, additional authentication with a token is required.
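The RBA decision described above can be sketched as follows. This is an added example, not code from any of the services named; the signals, weights, threshold and sample profiles are all constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed weights: how much each mismatching signal adds to the risk score.
WEIGHTS = {"browser": 0.2, "os": 0.2, "country": 0.3, "typing": 0.3}
STEP_UP_THRESHOLD = 0.3  # assumed policy: at or above this, ask for the token
TYPING_TOLERANCE = 0.25  # assumed: tolerate 25% drift in typing rhythm


@dataclass(frozen=True)
class Fingerprint:
    browser: str
    os: str
    country: str
    key_interval_ms: float  # mean time between key presses


def risk_score(expected: Fingerprint, seen: Fingerprint) -> float:
    """Sum the weights of every signal that deviates from the stored profile."""
    score = 0.0
    for field in ("browser", "os", "country"):
        if getattr(seen, field) != getattr(expected, field):
            score += WEIGHTS[field]
    drift = abs(seen.key_interval_ms - expected.key_interval_ms)
    if drift > TYPING_TOLERANCE * expected.key_interval_ms:
        score += WEIGHTS["typing"]
    return round(score, 2)


def decide(expected: Fingerprint, seen: Fingerprint, password_ok: bool) -> str:
    """Return 'deny', 'allow' (password only) or 'require_token' (step-up)."""
    if not password_ok:
        return "deny"
    if risk_score(expected, seen) >= STEP_UP_THRESHOLD:
        return "require_token"
    return "allow"


# Constructed sample data: the stored profile and three login attempts.
PROFILE = Fingerprint("Firefox 80", "Windows 10", "NL", 180.0)
USUAL = replace(PROFILE, key_interval_ms=195.0)           # same device, normal drift
UNKNOWN = Fingerprint("Chrome 85", "Linux", "BR", 90.0)   # nothing matches
REPLAYED = replace(PROFILE)                               # stored fingerprint presented as-is
```

A login that presents the stored fingerprint unchanged scores 0 and is allowed with the password alone, which is why the value of a fingerprint depends on it staying current and why a token step-up remains the backstop.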

Of course, cybercriminals quickly came up with ways to bypass RBA by developing phishing kits that also collect fingerprints. However, they find it difficult to turn this into an efficient and profitable business. One reason is that these user profiles change over time and across services and need to be collected through additional phishing attacks.

Posing as another person as a service

Recently, scientists from Eindhoven University of Technology found evidence of a large-scale and highly complex market that seems to overcome these limitations. The marketplace, located in Russia, offers over 260,000 detailed user profiles along with other credentials such as email addresses and passwords.

“The uniqueness of this underground website lies not only in its scale, but also in the fact that all profiles are constantly updated, which means that they retain their value,” explains Luca Allodi, researcher in the security group of the Faculty of Mathematics and Computer Science, who, together with Ph.D. student Michele Campobasso, was in charge of the research.

Clients can search the database to select exactly the internet user they want to target. This allows for very dangerous targeted phishing attacks. By the way, buyers in this black market can get software that automatically downloads purchased user profiles to targeted websites.

Luca Allodi, researcher, TU/e

Credit: Eindhoven University of Technology.

To emphasize the systematic nature of the website, Allodi and Campobasso have introduced the term impersonation as a service (IMPaaS), echoing well-known cloud computing services such as SaaS (software as a service) and IaaS (infrastructure as a service).

"As far as we know, this is the largest and most sophisticated criminal market in which these services are systematically offered."

Researching the market was not easy, the researchers emphasize. In order to access the lists of available user profiles, they had to obtain special invitation codes that existing users use. Data collection was also difficult: platform operators actively tracked down “fraudulent” accounts. The researchers also decided to keep the real name of the site a secret in order to minimize the risk of retaliation from market operators.

The price of a "virtual personality"

The price of a user's "virtual identity" on the marketplace ranges from $1 to about $100. Access to cryptocurrency profiles and electronic money transfer platforms seems to be the most valuable. “Just having at least one cryptocurrency profile almost doubles the average profile,” says Allodi.

Another important factor driving up the price is the wealth of the country in which the user is located. “This makes sense: attackers seeking to impersonate user profiles and monetize them are placing more emphasis on profiles that can bring great financial benefits, and these are mostly found in developed countries,” Campobasso said.

Profiles that provide access to more than one service are also highly valued, as are profiles with “real” fingerprints, as opposed to fingerprints “synthesized” by the platform.

Using profiles

In their article, the researchers also describe a few examples of how criminals weaponize these profiles, which they found on the secret Telegram channel used by the platform's clients. In one known attack, an attacker describes how to configure filters for the victim's email mailboxes. The goal is to hide notifications from Amazon related to purchases made by the attacker using the victim's platform account.
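On the defensive side, the filter abuse described above suggests a simple audit: flag mailbox rules that both target purchase notifications and keep them out of view. The following is an added example, not taken from the researchers' article; the rule format, field names, action names and watched terms are hypothetical and the rules are constructed sample data.

```python
# Actions that keep a message from being seen in the inbox (assumed names).
HIDING_ACTIONS = {"delete", "skip_inbox", "mark_read", "move_to_trash"}
# Terms that identify purchase notifications (constructed watch list).
WATCHED_TERMS = ("amazon", "order confirmation", "your order", "shipment")

# Constructed mailbox rules exported in a hypothetical, provider-neutral shape.
RULES = [
    {"id": 1, "from": "newsletter@example.org", "subject": "", "actions": ["apply_label"]},
    {"id": 2, "from": "amazon.com", "subject": "", "actions": ["skip_inbox", "mark_read"]},
    {"id": 3, "from": "", "subject": "Your order", "actions": ["delete"]},
    {"id": 4, "from": "auto-confirm@amazon.com", "subject": "", "actions": ["apply_label"]},
]


def suspicious_rules(rules):
    """Return rules that match a watched term AND hide the matching mail."""
    findings = []
    for rule in rules:
        criteria = f'{rule.get("from", "")} {rule.get("subject", "")}'.lower()
        matched = [term for term in WATCHED_TERMS if term in criteria]
        hides_with = sorted(HIDING_ACTIONS & set(rule.get("actions", [])))
        # A label on merchant mail is normal; hiding it is what needs review.
        if matched and hides_with:
            findings.append({"id": rule["id"], "matched": matched,
                             "hides_with": hides_with})
    return findings


if __name__ == "__main__":
    for finding in suspicious_rules(RULES):
        print(finding)
```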

Consequences of trading "digital identities"

However, similar markets exist not only in Russia.

IntSights, a New York-based threat intelligence company aimed at empowering businesses to “defend ahead,” today announced the release of its latest report, Digital Browser Identification: The Hottest New Product on the Black Market.

The report states that “the emergence of the Genesis market in November 2018 drew attention to a new type of ‘digital identity’ clandestine service. This type of black market offers complete fingerprinting of the user's web browser and computer characteristics, allowing the attacker to impersonate the victim almost flawlessly. This gives the digital identity purchaser the ability to access websites as another user and bypass advanced identity protection services.” The study claims this includes access to email accounts (e.g. Google, Yahoo, Microsoft), social media profiles (e.g. Facebook, Twitter, LinkedIn), banks and credit card accounts (including PayPal), retail sites and e-commerce (e.g. eBay, Amazon, Best Buy), music services (Spotify), mobility apps (Uber), government services, and even internal login pages.

“Think of it as digital recognition, but instead of scanning your face to verify your identity, they use your device's web browsing properties,” suggest the authors of the report. The implications are daunting, as it gives anyone the ability to intrude and impersonate a user's identity on the internet, since users usually save their credentials in their browser, even for financial and business websites, for convenience.

“The use of this masquerade tactic goes beyond the framework of fraud and financial crimes. Hackers can attack specific companies looking for their employees; pedophiles can target and impersonate children by looking for victims who visit well-known children's websites; and intelligence agencies can search for various government officials according to their internal login pages.”

IntSights also noted that Richlogs, a new rival to Genesis, has joined the ranks of the leading dark marketplaces. “Like the Genesis marketplace, Richlogs collects and sells stolen ‘digital fingerprints’ from web browsing devices (i.e. IP address, OS information, time zone, user behavior). These sites allow the buyer to impersonate a legitimate online user and bypass standard security protocols, offering full account access to any site that was stored in the victim's browser.”

Ariel Einhoren, Head of Research at IntSights, stresses: “The level of intrusion into the victim's life provided by digital identity is alarming. It's not just credit cards, bank accounts or personal information at stake. Digital identity gives cybercriminals the ability to almost completely intercept someone else's identity on the Internet. This includes everything from viewing expenses to tracking daily travel routes and viewing tax information.” She added that the larger the victim's digital footprint, the more the attacker can impersonate her. “Digital IDs, as sold on Richlogs and Genesis, offer a complete digital fingerprint of a person on a plate, providing endless opportunities for fraud, fraud, theft, and access to the victim's privacy.”

How do you protect yourself?

IntSights provided tips for protecting your organization from digital identity fraud:

  • Monitor digital identity markets continuously. Visibility and awareness are the keys to proactive protection. “Monitoring these markets can help you identify compromised individuals at an early stage (for example, on one of your internal login pages) so you can track traffic to that page more closely and/or improve verification methods when users log in.”
  • Turn on two-factor authentication. “Request for the second (or even third) variable for user verification makes it harder for hackers to hack accounts. This could include mobile verification or providing answers to additional security questions that only the customer or employee will know.”
  • Update your fingerprint protocols regularly. If your company uses digital fingerprints to verify clients or users, update these protocols regularly and add additional authentication points to keep up with the stealer version updates.
  • Clear cookies and browsing history consistently. “Clearing cookies and browsing history limits the extent of your ‘digital history’ and therefore does not put additional websites and/or profiles at risk if your device becomes infected.”
  • Change passwords regularly. This is always a cybersecurity best practice, and it certainly applies here as well. Changing passwords and preventing password reuse can significantly reduce the risk of being compromised.
