Researchers at the Dutch Technische Universiteit Eindhoven have found evidence of a huge and highly developed electronic black market that trades in “fingerprints” over the Internet, offering hundreds of thousands of detailed user profiles.
The market, which is based in Russia, offers more than 260,000 highly detailed user profiles, along with other user data such as email addresses and passwords.
Security on the Internet is a never-ending game of cat and mouse. Security professionals are constantly inventing new ways to protect our valuable data, and in turn, cybercriminals devise new and cunning ways to undermine these defenses.
These personal “fingerprints” allow criminals to circumvent the latest authentication systems, giving them access to valuable information about users, such as credit card details.
The online economy relies on usernames and passwords to ensure that the person buying goods or transferring money online is really who they claim to be.
However, this limited form of authentication has proven to be far from secure, as people tend to reuse their passwords over and over again across many services, platforms and websites.
This has resulted in a massive and highly lucrative illegal trade in authentication data; according to recent estimates, some 1.9 billion stolen identities were sold through underground markets within a single year.
It is therefore not surprising that banks and other digital services have created more sophisticated authentication systems, relying not only on something the user knows (their password) but also on something the user has (for example, a token).
This process, known as “multi-factor authentication”, severely limits the opportunities for cyber crime, but it has disadvantages as well.
Since it adds an additional step, many users do not bother to sign up for it, which means that only a minority of people use it.
To alleviate this problem, an alternative authentication system has recently become popular with services like Amazon, Facebook, Google and PayPal.
Known as “risk-based authentication”, this system looks at “user fingerprints to verify someone’s credentials.”
This can include basic technical information, such as the type of browser or operating system, but also behavioral features, such as mouse movement, location, and keystroke speed.
If the fingerprint matches what is expected of the user, based on previous behavior, they are allowed to log in using their username and password only; if it does not, additional authentication is required through a token.
Of course, and as expected, cybercriminals quickly found ways to circumvent “risk-based authentication” as well, developing phishing kits that also collected fingerprints; however, they found it difficult to turn this into an effective and profitable business.
One reason is that these user profiles vary over time and across services, and must be collected through additional phishing attacks. The researchers, however, have found evidence that this large and rapidly evolving marketplace overcomes these limitations.
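The decision described above, a login that is allowed on password alone when the presented fingerprint resembles the stored profile and otherwise escalated to a token, as an added illustration that is not code from the researchers or from any of the services named. The attributes, weights, threshold and sample logins are all assumptions constructed for the example; a real deployment would use many more signals and a trained model rather than fixed weights.

```python
"""Toy risk-based authentication decision, modelled on the description
above: compare the fingerprint presented at login with the profile stored
for the user; allow on password alone when it matches, otherwise require
a second factor (token).  Added example; the weights, thresholds and
sample data are assumptions, not the researchers' or any vendor's logic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    browser: str         # e.g. "Firefox 80"
    os: str              # e.g. "Windows 10"
    country: str         # derived from the source IP
    keystroke_ms: float  # mean interval between keystrokes (behavioural)


def fingerprint_risk(expected: Fingerprint, observed: Fingerprint) -> float:
    """Return a risk score in [0, 1]; 0 means the login looks exactly like
    the stored profile.  Weights are assumed for illustration only."""
    score = 0.0
    if observed.browser != expected.browser:
        score += 0.25
    if observed.os != expected.os:
        score += 0.25
    if observed.country != expected.country:
        score += 0.5
    # behavioural signal: flag if typing rhythm deviates by more than 30 %
    if abs(observed.keystroke_ms - expected.keystroke_ms) > 0.3 * expected.keystroke_ms:
        score += 0.25
    return min(score, 1.0)


def decide(expected: Fingerprint, observed: Fingerprint,
           password_ok: bool, threshold: float = 0.4) -> str:
    """'deny' on a bad password; otherwise 'allow' if the fingerprint is
    close enough to the stored profile, else 'step_up' (ask for the token)."""
    if not password_ok:
        return "deny"
    return "allow" if fingerprint_risk(expected, observed) < threshold else "step_up"


# Constructed sample profile and login attempts (not real data).
PROFILE = Fingerprint("Firefox 80", "Windows 10", "NL", 180.0)

ATTEMPTS = {
    "same_device":      (Fingerprint("Firefox 80", "Windows 10", "NL", 175.0), True),
    "new_country":      (Fingerprint("Firefox 80", "Windows 10", "BR", 175.0), True),
    "new_browser":      (Fingerprint("Chrome 85", "Windows 10", "NL", 175.0), True),
    # a copy of the stored profile replayed together with the stolen password:
    "replayed_profile": (Fingerprint("Firefox 80", "Windows 10", "NL", 180.0), True),
    "wrong_password":   (Fingerprint("Firefox 80", "Windows 10", "NL", 180.0), False),
}


def evaluate_attempts(profile: Fingerprint = PROFILE) -> dict:
    """Run every constructed attempt through decide() and return the outcomes."""
    return {name: decide(profile, fp, ok) for name, (fp, ok) in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_attempts().items():
        print(f"{name:18s} -> {outcome}")
```

The "replayed_profile" attempt is the point of the example: a fingerprint that matches the stored profile is waved through on the password alone, which is exactly what gives a stolen, up-to-date profile its value on the market described in the article. For a defender the lesson is that the check only raises the bar for an attacker who lacks the profile; it is a complement to a second factor, not a replacement for one.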
The largest criminal market
Luca Allodi, a researcher in the Cybersecurity Group of the Department of Mathematics and Computer Science, told the “News Overview” page of the university’s website that “what distinguishes this website is not only its scope, but also the fact that all profiles are constantly updated, which means that it maintains its value.”
“In addition, customers can search the database so that they can precisely select the internet user they want to target, which enables very dangerous phishing attacks. They can also download a program that automatically loads the user profiles for the customers of the target website,” he says.
To emphasize the systematic nature of the website, Allodi and his colleague Michele Campobasso, a PhD student and co-author of the research, coined the term “impersonation as a service,” echoing well-known cloud computing terms such as “software as a service” and “infrastructure as a service.”
“To our knowledge, this is the largest and most sophisticated criminal market for systematically providing these services,” Campobasso tells the university’s website.
Searching the market was not easy: to gain access to the available user profiles, the researchers had to obtain a private invitation shared by existing users.
Data gathering was also difficult, as the platform’s operators actively monitor for “rogue” accounts, and the researchers decided not to disclose the site’s real name, to reduce the risk of retaliation by the market’s operators.
In their study, the researchers cited some examples of how criminals “weaponized” these profiles, which they found on a private channel used by the platform’s clients on the Telegram messaging app.
In one of the reported attacks, an attacker describes setting filters on the victim’s e-mail inbox to hide “Amazon” notifications about purchases, so that the victim does not notice the attacker using their Amazon account.
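A defender-side check for the inbox trick just described, as an added example that is not part of the original article or the researchers’ work: audit a mailbox’s filter rules and report any rule that would silently hide order or payment notifications. The rule structure, the set of “hiding” actions and the sample notifications are constructed assumptions; a real mail provider exposes its rules through its own API and the matcher would be adapted to that format.

```python
"""Added example: audit mailbox filter rules for ones that would hide
purchase or payment notifications from the user.  The rule format, the
action names and the sample messages are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Actions that keep a matching message out of the user's sight (assumed names).
HIDING_ACTIONS = {"delete", "archive", "mark_read", "skip_inbox"}

# Constructed sample notifications a user would expect to see; the domains
# use the reserved .example TLD and are not real senders.
SAMPLE_NOTIFICATIONS = [
    ("auto-confirm@amazon.example", "Your Amazon.example order has shipped"),
    ("service@paypal.example", "You sent a payment"),
    ("alerts@bank.example", "New payee added to your account"),
]


@dataclass
class MailRule:
    name: str
    sender_pattern: str          # regex tested against the From: address
    subject_pattern: str = ""    # optional regex tested against the Subject:
    actions: set = field(default_factory=set)


def rule_matches(rule: MailRule, sender: str, subject: str) -> bool:
    """True if the rule would fire on this message (either pattern hits)."""
    if re.search(rule.sender_pattern, sender, re.IGNORECASE):
        return True
    return bool(rule.subject_pattern) and \
        re.search(rule.subject_pattern, subject, re.IGNORECASE) is not None


def suspicious_rules(rules, notifications=SAMPLE_NOTIFICATIONS):
    """Return rules that both take a hiding action and match at least one
    notification the user should see, with the subjects they would hide."""
    findings = []
    for rule in rules:
        hiding = rule.actions & HIDING_ACTIONS
        if not hiding:
            continue  # forwarding, labelling etc. do not hide anything
        hidden = [subj for sender, subj in notifications
                  if rule_matches(rule, sender, subj)]
        if hidden:
            findings.append({"rule": rule.name,
                             "actions": sorted(hiding),
                             "hides": hidden})
    return findings


# Constructed sample rule set: one benign cleanup rule, one that hides
# shop notifications, one that only adds a label.
SAMPLE_RULES = [
    MailRule("Newsletter cleanup", r"newsletter@", actions={"archive"}),
    MailRule("Orders", r"amazon\.example$", r"order", {"mark_read", "skip_inbox"}),
    MailRule("Tag bank mail", r"@bank\.example$", actions={"label:finance"}),
]


if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_RULES):
        print(f"{f['rule']}: {f['actions']} would hide {f['hides']}")
```

Running the audit against a fresh copy of the rules after every login from a new device, or simply listing rules that were created recently, turns the attacker’s need to keep the victim uninformed into a detection opportunity for the account owner or the mail provider.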
Price for “virtual identity”
The market price of a user’s “virtual identity” ranges from $ 100 to around 100, and access to encryption files and online platforms appears to be the most valuable.
“Just having at least one encryption-related profile roughly doubles the average profile value,” says Allodi.
Another important factor that raises the price is the wealth of the country in which the user is located.
“This makes sense,” said Campobasso. “Attackers are looking to impersonate and monetize user profiles that are likely to generate greater financial gain, which are mainly found in developed countries.”
Profiles that give access to more than one service are also highly valued, as are profiles with “real” fingerprints, in contrast to fingerprints “made” by the platform itself.