Kaspersky Lab researchers at the annual Kaspersky Security Analyst Summit conference, which took place in Singapore this week, gave a presentation about yet another dark market. However, the 'Genesis' market is different from the norm: cyber-criminals are selling digital fingerprints with the full data of more than 60,000 users already being traded.
At first this appears to be a story about biometric insecurity, with the digital interpretation of fingerprint scans having been compromised. But these are not biometric fingerprints at all. Instead, the Genesis market is trading in the combination of system attributes of a specific device and the personal behavioural attributes of a specific user, which together form the digital fingerprint. This is so unique to the user concerned that it is seen as being the equivalent of that biometric fingerprint, and as such is used by banking and commerce fraud detection systems to raise a red flag when there's a mismatch and put those transactions on hold for further security checks. It's a one-stop shop for everything criminals need to know about their victim.
The fingerprint is composed of system attributes such as IP address (external and local), screen information (screen resolution, window size), firmware version, operating system version, browser plugins installed, device ID, battery information, audio system fingerprint, TCP/IP fingerprint, passive SSL/TLS analysis and cookies. Then there's the behavioural part, with such things as time spent at a location, clicks made, interest-related behaviour, mouse or touchscreen usage and even system configuration changes.
Kaspersky Lab researchers regard the emergence of Genesis as being evidence of the evolution of cyber-crime 'carding' forums where fraud methodologies and compromised credit card datasets were traded decades ago. "From the famous Cardingplanet forum to Darknet stolen card stores; financial cybercrime schemes were not dead at all during all these years," they say, continuing, "they have evolved and become more dangerous than ever."
The Genesis Store is an invitation-only market, and currently has more than 60,000 stolen bot profiles that include browser fingerprints, website user logins and passwords, cookies and credit card information. "The price varies from US$ 5 to US$ 200 (approx. £4 to £150) per profile," Kaspersky Lab researchers said. "If the bot has a login/password pair from an online bank account, the price is higher." Interestingly, pricing has been automated using an algorithm to calculate the criminal value of each profile.
As Flashpoint’s lead analyst for Europe, Luke Rodeheffer, points out:
"Genesis is a browser extension that allows cyber-criminals to both purchase stolen accounts and attempt to access the victim's accounts by spoofing associated elements of the device fingerprint."
The Genesis marketplace takes things further and provides a forum where stolen credentials and victims' device fingerprints can be purchased and then loaded into that extension. Sadly, Genesis is not alone in this fingerprinting subversion activity and there are multiple tools out there if you look for them. "These tools are mainly developed in Eastern Europe by Russian-speaking developers," Rodeheffer says, continuing, "who research anti-fraud technology in order to find the best ways of subverting and spoofing aspects of device identification so that cyber-criminals can pass off their own servers or virtual computers as those of account holders."
The Genesis market even has an auto-generation option for its customers that enables the modification of various device elements within any fingerprint, and so makes it easier to bypass account authentication in combination with the browser extension. So, what should the enterprise be doing to mitigate the risk that such digital fingerprint compromise brings?
Paul Bischoff, privacy advocate with Comparitech.com, goes back to basics and recommends the enterprise should train employees in how to identify and handle phishing emails as "in order to fingerprint a web browser, you only need to open the wrong web page - you don't even have to type anything in or click on a link. All the information necessary to create a basic fingerprint is instantly available."
Making that browser less unique is another mitigation technique, although it's impossible to erase a fingerprint completely. "Another way enterprises can protect against this is to shorten cookie sessions and add additional authentication barriers," says Aaron Zander, head of IT at HackerOne, "such as requiring a user to submit a password or re-enter credit card information if there has been a change in the user’s mailing address."
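The mismatch flag described earlier and the session controls suggested here can be combined in one server-side decision. The sketch below is an added example, not code from Kaspersky Lab, HackerOne or any vendor named in the article; the attribute weights, thresholds, time limits and action names are assumptions chosen for illustration.

```python
import time

# Policy values and attribute weights are assumptions for illustration.
MAX_SESSION_AGE = 15 * 60   # seconds before a session cookie must be renewed
STEP_UP_WINDOW = 5 * 60     # seconds a completed step-up check stays valid
SENSITIVE = {"change_mailing_address", "add_payee"}
WEIGHTS = {"tls_fingerprint": 3, "os_version": 2, "screen": 1, "plugins": 1, "ip": 1}
MISMATCH_THRESHOLD = 3


def mismatch_score(enrolled, presented):
    """Sum the weights of attributes that differ from the enrolled profile."""
    return sum(w for k, w in WEIGHTS.items() if enrolled.get(k) != presented.get(k))


def decide(session, action, presented, now=None):
    """Return 'allow', 'step_up' or 'reauthenticate' for one request."""
    now = time.time() if now is None else now
    if now - session["issued_at"] > MAX_SESSION_AGE:
        return "reauthenticate"  # a short cookie lifetime caps stolen-cookie reuse
    if now - session.get("step_up_at", float("-inf")) <= STEP_UP_WINDOW:
        return "allow"           # user re-proved identity very recently
    if action in SENSITIVE:
        return "step_up"  # asked even on a perfect match: a cloned profile matches too
    if mismatch_score(session["enrolled"], presented) >= MISMATCH_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed sample data, not real profiles.
ENROLLED = {"tls_fingerprint": "t1", "os_version": "10.0", "screen": "1920x1080",
            "plugins": "pdf", "ip": "198.51.100.7"}
CLONED = dict(ENROLLED)  # replayed copy of the victim's attributes
OTHER = dict(ENROLLED, tls_fingerprint="t2", os_version="11.0")


def demo(now=1_000_000):
    fresh = {"issued_at": now - 60, "enrolled": ENROLLED}
    stale = {"issued_at": now - 3600, "enrolled": ENROLLED}
    verified = dict(fresh, step_up_at=now - 30)
    return [
        decide(fresh, "view_balance", CLONED, now),
        decide(fresh, "change_mailing_address", CLONED, now),
        decide(fresh, "view_balance", OTHER, now),
        decide(stale, "view_balance", ENROLLED, now),
        decide(verified, "change_mailing_address", CLONED, now),
    ]
```

The first `demo()` case shows why fingerprint matching alone is insufficient: a replayed profile scores zero mismatch, so only the session age limit and the step-up on sensitive actions stand in its way.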
Stuart Dobbie, product owner at Callsign, points out that the prevalence of segregated and secure processing hardware found on modern mobile devices and processors can enable digital fingerprints to be created via hardware-backed security mechanisms. "This approach, when coupled with secure execution environment controls or trusted execution environments," Dobbie concludes, "can again decrease the attack surface for digital fingerprint theft..."