Q&A: Digital browser identities and the new illicit trade

By Tim Sandle     Aug 20, 2019 in Technology
IntSights has released the company’s research brief “Digital Browser Identities: The Hottest New Black Market Good” which provides an overview of the Richlogs marketplace and the digital identities market. Ariel Ainhoren provides the details.
The new report ("Digital Browser Identities: The Hottest New Black Market Good") outlines the key implications that both companies and consumers must consider for effective protection against cyber threats. In relation to this, Richlogs stands as a major threat. Richlogs has positioned itself as a competitor to the Genesis market (which emerged in November of 2018 and was the first market to sell digital identities). Like the Genesis market, Richlogs collects and sells stolen “digital fingerprints” of a user’s web browsing device (such as IP address, OS information, time zone, and user behavior).
To understand more about this growing cyber threat, Digital Journal spoke with Ariel Ainhoren, Head of Research at IntSights. Ariel is a security professional with over nine years of experience in the cyber industry, including expertise in computer forensics, malicious programs, cyber intelligence gathering and investigations.
Digital Journal: What are the main trends from your recent survey?
Ariel Ainhoren: In recent years, the dark web has been going through an industrialization trend in which technically capable hackers build and maintain shops, malware, and attack methods, while low-level hackers or fraudsters become consumers of these tools and services. As fraud prevention systems become more prevalent on financial, retail, and other sites, threat actors develop malware to tackle these prevention systems.
This also correlates with recent trends of targeted ransomware attacks. Threat actors understand that any malicious operations against enterprises being performed in bulk are detected and blocked quickly. So, instead of attacking thousands of targets while requesting a small amount from each one, they identify big targets and request large amounts of money.
These digital identity shops correlate with that trend in three ways:
By targeting individuals and allowing granular access to these accounts enabling attackers to extract or extort more money from each victim, instead of trying to gather a username/password combination from a large number of victims.
By selling each account on its own to garner more profit than selling big databases in which every individual detail is worth a lot less.
By giving threat actors granular access to specific sites, user profiles and companies, thus enabling the penetration of organizations through these stolen profiles instead of trying to attack them en masse.
DJ: What are digital identities?
Ainhoren: A digital identity is the sum of a user's actions on the web according to the traces they leave while interacting with sites and services.
In our specific context, it is the sum of the technical details and artifacts that identify a user against a specific site or service. For one service, your identity could include your username/password combination plus a one-time SMS code. For others, this can also include your IP, geolocation, screen resolution, browser and OS version, etc. The collection of these digital artifacts helps protection systems to decide if you are you or a fraudster using your credentials.
DJ: What is digital fingerprinting?
Ainhoren: Digital fingerprinting is the act of gathering technical and behavioral data that is unique to a specific user or identity. It is usually used by fraud protection systems to verify a user’s identity by more than just their username/password combination. Each site or system will collect different technical details that are connected to the user and will be used later as reference points to determine the validity of any suspicious behavior by the user.
For example, a user who connected from two places in the world five minutes apart will probably be flagged and maybe asked to supply additional details. Or, a user who usually connects from a specific computer or smartphone from the New York area, but is suddenly seen connecting from a tablet in Seattle, may be flagged in a similar fashion. All of these characteristics are saved and analyzed each time a user tries to log in to an online system. In case of a mismatch, the system can request additional information, require additional authentication (through the user's phone, email, etc.), or will simply deny the user entrance or even block their account.
DJ: How are digital identities stolen?
Ainhoren: Malware infects the user's device (could be a PC or smartphone) and steals all of the user data, including browser cache and additional files, OS information, computer hardware information, and hardware and software versions. The hacker then proceeds to use this information to create a matching digital identity on their own computer.
This is done by aligning all the pieces of information stolen against specific sites to mimic the user details as much as possible. This takes a lot of work, as most or even all of the information needs to match what the site expects to see. Each protection system can accept certain levels of deviation from the expected profile, and the attacker attempts to provide the most similar data possible.
DJ: What are some of the trends and implications of the digital identity market?
Ainhoren: First, they are a continued evolution of the dark web as a commercial industry, offering non-technical hackers or users direct access to full information of compromised individuals. It has never been easier to impersonate a person online by buying and using these sites.
Second, they allow granular access to compromised sites including social media, ecommerce, transportation and companies’ internal sites. All of this occurs without any indication that the profile in use is stolen.
Third, this market can be a powerful intelligence tool, helping any hacker or user using these identities – not only for profit, but also for obtaining different types of information according to the profile they are seeking.
DJ: What are the different types of ways to protect organizations from digital identity fraud?
Ainhoren: First, continuously monitor these markets for any asset that is related to you. The sites themselves allow you to search by different criteria which can help you quickly identify profiles that pose a risk.
Second, as this is essentially an arms race between attacks and defenders, you always need to stay one step ahead of the attacks. Some of the methods to do so are simple, such as enabling 2FA on accounts, enforcing rapid password change on critical systems, and clearing cookies and saved credentials from the browser in order to limit the exposure in case of a compromise.
Third, if you already employ a fraud detection system on your site or system, add additional security questions that only the user will know how to answer in case there are discrepancies in a user profile logging in. Although the human factor is usually the point of failure when it comes to cyber attacks, in this case the human could help combat malware that relies solely on technical data.
READ MORE: In a follow-up article, Ariel Ainhoren provides an overview of the report findings and the main threats faced by businesses. See: "Hackers are sharing your digital data on the dark web."
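The login checks described in the digital fingerprinting answer above (two places five minutes apart, a New York computer versus a Seattle tablet, then additional authentication or denial on mismatch), sketched as an added example that is not from IntSights or the report. The attribute names, the 900 km/h and 50 km thresholds, the decision rules and the sample logins are all assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta

MAX_SPEED_KMH = 900   # assumed ceiling, roughly airliner speed
SAME_PLACE_KM = 50    # assumed tolerance for geolocation jitter

def km_between(a, b):
    """Haversine distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def assess_login(last, attempt):
    """Compare an attempt with the account's last accepted login.

    Returns (decision, reasons); decision is "allow", "step_up" or "deny".
    """
    reasons = []
    hours = max((attempt["time"] - last["time"]).total_seconds() / 3600, 0)
    dist = km_between(last["geo"], attempt["geo"])
    # Too far apart for the elapsed time (the "five minutes apart" case).
    if dist > SAME_PLACE_KM and dist > MAX_SPEED_KMH * hours:
        reasons.append("impossible_travel")
    # Device attributes that differ from the stored reference points.
    for key in ("os", "browser", "screen", "timezone"):
        if last[key] != attempt[key]:
            reasons.append("changed_" + key)
    if "impossible_travel" in reasons and len(reasons) > 1:
        return "deny", reasons      # location and device both inconsistent
    if reasons:
        return "step_up", reasons   # ask for additional authentication
    return "allow", reasons

# Constructed sample data: a stored profile and three later attempts.
T0 = datetime(2019, 8, 1, 9, 0)
NY_PC = {"time": T0, "geo": (40.71, -74.01), "os": "Windows 10",
         "browser": "Chrome 76", "screen": "1920x1080", "timezone": "America/New_York"}
SAME_DEVICE = dict(NY_PC, time=T0 + timedelta(days=1))
SEATTLE_TABLET = dict(NY_PC, time=T0 + timedelta(days=2), geo=(47.61, -122.33),
                      os="iOS 12", browser="Safari 12", screen="2048x1536",
                      timezone="America/Los_Angeles")
FIVE_MIN_LATER = dict(SEATTLE_TABLET, time=T0 + timedelta(minutes=5))

if __name__ == "__main__":
    for name, attempt in [("same device", SAME_DEVICE),
                          ("Seattle tablet", SEATTLE_TABLET),
                          ("five minutes later", FIVE_MIN_LATER)]:
        print(name, assess_login(NY_PC, attempt))
```

An attempt that matches every stored attribute returns "allow" with no reasons, which is why the interview recommends 2FA and user-only security questions in addition to fingerprint checks.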