The Russia-based marketplace offers more than 260,000 highly detailed user profiles, along with other user data, such as email addresses and passwords.
Security on the Internet is a never-ending game of cat and mouse. Security professionals are constantly devising new ways to protect our valuable data, and in turn, cybercriminals devise new and cunning ways to undermine these defenses.
These personal “fingerprints” allow criminals to circumvent the latest authentication systems, giving them access to valuable information about users, such as credit card details.
The online economy relies on usernames and passwords to ensure that the person who buys things or transfers money online is really the same person.
However, this limited authentication method has proven to be far from secure, as people tend to reuse their passwords over and over again across many services, platforms and websites.
This has resulted in a massive and highly lucrative illegal trade in authentication data, and according to recent estimates some 1.9 billion stolen identities were sold through the underground markets within a year.
It would not be surprising if banks and other digital services created more sophisticated authentication systems, relying not only on something users know (their password) but also on something they have (for example, a token).
This process, known as “multi-factor authentication,” severely limits the possibility of committing cyber crimes, but it also has drawbacks.
Since it adds an additional step, many users do not bother to register for it, which means that only a minority of people use it.
To alleviate this problem, an alternative authentication system has recently become popular with services such as Amazon, Facebook, Google and PayPal.
Known as “risk-based authentication”, this system looks at “user fingerprints to verify someone’s credentials.”
This can include basic technical information, such as the type of browser or operating system, but also behavioral features, such as mouse movement, location, and keystroke speed.
If the fingerprint corresponds to what is expected of the user, based on previous behavior, the user is allowed to log in immediately with only a username and password; if it does not, additional authentication through a token is required.
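The decision described above can be sketched as follows. This is an added example, not code from the article or from any of the services it names; the signal weights, the 0.7 threshold and the sample fingerprints are constructed assumptions.

```python
from dataclasses import dataclass

# Relative weight of each signal; constructed values, not from any real product.
WEIGHTS = {"browser": 0.2, "os": 0.2, "location": 0.3, "keystroke": 0.3}
STEP_UP_THRESHOLD = 0.7  # assumed cut-off below which a token is required


@dataclass
class Fingerprint:
    browser: str
    os: str
    country: str
    keystroke_ms: float  # mean delay between key presses


def similarity(expected: Fingerprint, seen: Fingerprint) -> float:
    """Weighted match score in [0, 1] between the stored profile and this login."""
    score = 0.0
    if expected.browser == seen.browser:
        score += WEIGHTS["browser"]
    if expected.os == seen.os:
        score += WEIGHTS["os"]
    if expected.country == seen.country:
        score += WEIGHTS["location"]
    # Behavioural signal: full credit when typing rhythm is identical,
    # falling linearly to zero at a 50 % deviation from the stored mean.
    deviation = abs(expected.keystroke_ms - seen.keystroke_ms) / expected.keystroke_ms
    score += WEIGHTS["keystroke"] * max(0.0, 1.0 - deviation / 0.5)
    return round(score, 3)


def decide(expected: Fingerprint, seen: Fingerprint, password_ok: bool) -> str:
    """Return 'deny', 'allow' (password only) or 'step_up' (token required)."""
    if not password_ok:
        return "deny"
    return "allow" if similarity(expected, seen) >= STEP_UP_THRESHOLD else "step_up"


# Constructed sample data.
PROFILE = Fingerprint("Firefox", "Windows", "NL", 180.0)
USUAL = Fingerprint("Firefox", "Windows", "NL", 195.0)
UNFAMILIAR = Fingerprint("Chrome", "Linux", "BR", 90.0)

if __name__ == "__main__":
    for name, fp in (("usual", USUAL), ("unfamiliar", UNFAMILIAR)):
        print(name, similarity(PROFILE, fp), decide(PROFILE, fp, True))
```
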
As expected, cyber criminals quickly found ways to circumvent “risk-based authentication” and developed phishing groups that also included fingerprints. However, they found it difficult to turn this into an effective and profitable business.
One reason is that these user profiles vary with time and across services, and must be collected through additional phishing attacks, but researchers have found evidence that this large and highly evolving marketplace overcomes these limitations.
The largest criminal market
Luca Allodi, a researcher in the cybersecurity group of the mathematics and computer science department, tells the university’s website, “What distinguishes this website is not only its scope, but also the fact that all personal files are constantly updated, which means that it maintains its value.”
“In addition, customers can search the database, so that they accurately select the Internet user they want to target, which enables very dangerous phishing attacks, and they can also download a program that automatically downloads user profiles for the target website customers,” he says.
To emphasize the systematic nature of the website, Allodi and his colleague Michele Campobasso, a PhD student and co-author of the research, coined the term “impersonation as a service,” echoing well-known cloud computing service terms such as “software as a service” and “infrastructure as a service.”
“As far as we know, this is the largest and most sophisticated criminal market for systematically providing these services,” Campobasso told the university’s website.
Researching the market was not easy: to gain access to the available user profiles, the researchers had to obtain a private invitation shared by existing users.
Data gathering was also difficult, as platform operators actively monitor “rogue” accounts, and the researchers decided not to disclose the site’s real name, to reduce the risk of retaliation by market operators.
In their study, the researchers described some examples of how criminals “weaponized” these personal files, which they found on a secret channel used by the platform’s clients on the Telegram app.
In one of the reported attacks, an attacker describes creating filters for the victim’s e-mail inboxes to hide “Amazon” notifications related to purchases, concealing the attacker’s use of the victim’s Amazon account.
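From the defender's side, mailbox rules of the kind described above can be reviewed with a check like the following. This is an added example, not taken from the study; the record field names, the watch list and the sample rules are constructed assumptions that would need mapping to a real mail platform's audit export.

```python
# Actions that keep a message out of the owner's sight.
HIDING_ACTIONS = {"delete", "move_to_folder", "mark_as_read"}
# Constructed watch list: terms that identify purchase notifications.
WATCHED_TERMS = ("amazon", "order confirmation", "your purchase")

# Constructed sample of mailbox-rule records; the field names are hypothetical.
RULES = [
    {"mailbox": "alice@example.com", "name": "newsletters",
     "conditions": {"from": "news@example.org"},
     "actions": ["move_to_folder"]},
    {"mailbox": "bob@example.com", "name": ".",
     "conditions": {"from": "notifications@amazon.example"},
     "actions": ["mark_as_read", "delete"]},
    {"mailbox": "carol@example.com", "name": "receipts",
     "conditions": {"subject": "Your purchase"},
     "actions": ["flag"]},
    {"mailbox": "dave@example.com", "name": "tidy",
     "conditions": {"subject": "Amazon order confirmation"},
     "actions": ["move_to_folder"]},
]


def hidden_terms(rule):
    """Return the watched terms a rule matches, if the rule also hides mail."""
    if not HIDING_ACTIONS & set(rule["actions"]):
        return []
    text = " ".join(rule["conditions"].values()).lower()
    return [t for t in WATCHED_TERMS if t in text]


def flag_rules(rules):
    """List (mailbox, rule name, matched terms) for rules worth reviewing."""
    findings = []
    for rule in rules:
        terms = hidden_terms(rule)
        if terms:
            findings.append((rule["mailbox"], rule["name"], terms))
    return findings


if __name__ == "__main__":
    for mailbox, name, terms in flag_rules(RULES):
        print(f"review {mailbox}: rule {name!r} hides mail matching {terms}")
```
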
Price for “virtual identity”
The market price of a user’s “virtual identity” ranges from $100 to around 100, and access to encryption files and online platforms appears to be the most valuable.
“The mere presence of at least one encryption-related profile roughly doubles the average profile value,” says Allodi.
Another important factor that raises the price is the wealth of the country in which the user is located.
“This makes sense,” says Campobasso. “Attackers are looking to impersonate and monetize user profiles that are likely to generate greater financial gain, which are mainly found in developed countries.”
Profiles that allow access to more than one service are also highly valued, as are profiles with “real” fingerprints, in contrast to fingerprints “made” by the platform.