Investigators: Aaron DeVera, Dina Haines, Nico Agnese, Rosemary Cipriano

It’s easier than ever to fake who you are on the internet; it’s as easy as going to the store and buying a gift set of skincare products. The set comes with instructions on how to use the cleanser, the toner, and the moisturizer. The cybercrime “gift set” comes with all the tools in one package to go forth and wreak havoc. Anti-detection browser bundles are quickly becoming the cybercrime gift set that gets a new criminal going.

Anti-detection browsers are billed as being intended for “privacy” and “anonymity” reasons, but they’re known in the cybercrime community as being tools for much more nefarious uses. In short, they provide methods to avoid detection from online security tools, allowing criminals to conduct malicious behavior. While the browsers and the configurations they use to imitate devices might fool some anti-fraud measures, White Ops’ Bot Mitigation Platform can identify traffic stemming from these applications.

How It Works

Anti-detection browsers start from the well-intentioned open-source code of known browsers like Chromium (the open-source version of Chrome) and Firefox, and then strip away the fingerprinting signals so that a user can be anonymous. To take things further, a user can purchase a “configuration” and be someone else entirely—sometimes with stolen credentials to real sites included. These configurations start with browser fingerprints that enable users to spoof different types of operating systems, networks, and applications. Or, for a bit more money, the configuration can include a collection of a person’s credentials to sites like Instagram, Spotify, Twitter, and SoundCloud, or even email providers and banks.

Anti-detection browsers typically allow users to configure the artifacts being sent by the browser itself, in an effort to mimic specific HTTP request-based signals. Spoofing certain signals (such as user agent, web drivers, IP address) enables a fraudster to attempt to avoid detection by security solutions. These capabilities, along with stolen credentials often packaged with the browser configurations, make anti-detection browsers an attractive tool set for cybercriminals.

The Genesis Market

Genesis (also referred to as “Genesium” as a nod to the Chromium project) is both an anti-detection browser and a secretive marketplace for browser configurations. This particular browser removes any code that could be used for advertising or marketing purposes from Chromium. Genesis claims to protect users from any attempts at identification through fingerprinting or creation of user profiles, allowing for total anonymity.

[Image: The Genesis Market homepage]

Genesis is different from other anti-detection browsers out there in that access to the browser and marketplace is heavily restricted. For browsers like Antidetect and LinkenSphere, anyone can get hold of the source code and related packages if they have the money to do so. In contrast, Genesis requires an invite that you can get only from an existing member.

The Genesis marketplace allows anyone to sell “bots”—the name used for bundles of signals, cookies, and other data used to make up a fingerprint. (This is not to be confused with how we at White Ops typically describe a “bot”: a piece of code that is programmed to do a specific task.) A Genesis “bot” will typically contain the signals necessary to spoof a browser fingerprint, giving a fraudster the ability to manipulate and replace user agent, headers, clock, web navigator, JavaScript version, screen size, language, storages, battery, webGL, fonts, ActiveX, Flash, and more. Other marketplaces also refer to such bundles as “configs” or configurations.
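The two passages above (the signals an anti-detection browser lets a user rewrite, and the contents of a Genesis “bot”) suggest the defender’s angle: each signal can be forged on its own, so a detection check can look for contradictions between them. The JavaScript below is an added example of such a consistency check; it is not code from White Ops, Genesis or any anti-detection browser, and every rule, threshold and sample bundle in it is a constructed heuristic for illustration.

```javascript
// Added example, not code from White Ops, Genesis or any anti-detection browser.
// A fingerprint "bundle" is the kind of signal set the article describes:
// user agent, HTTP headers, navigator.platform / vendor / languages, screen size
// and the webdriver flag. Each signal can be rewritten on its own, so the
// defender's check below looks for contradictions between them. All rules,
// thresholds and sample bundles are constructed heuristics for illustration.

// Ordered so that the iOS pattern is tested before "Macintosh" (an iPhone user
// agent also contains "like Mac OS X").
const OS_FAMILIES = [
  { name: "iOS", uaPattern: /iPhone|iPad/, platformPrefix: "iP" },
  { name: "Android", uaPattern: /Android/, platformPrefix: "Linux" },
  { name: "Windows", uaPattern: /Windows NT/, platformPrefix: "Win" },
  { name: "macOS", uaPattern: /Macintosh/, platformPrefix: "Mac" },
  { name: "Linux", uaPattern: /X11; Linux/, platformPrefix: "Linux" },
];

// A desktop-class width is unusual for a user agent that declares itself
// mobile; the threshold is a constructed heuristic.
const MAX_PLAUSIBLE_MOBILE_WIDTH = 1100;

function osMismatch(fp) {
  const family = OS_FAMILIES.find((f) => f.uaPattern.test(fp.userAgent));
  if (!family || fp.platform.startsWith(family.platformPrefix)) return null;
  return `user agent claims ${family.name} but navigator.platform is "${fp.platform}"`;
}

// Vendor string each engine family reports; Firefox reports an empty vendor.
function expectedVendor(userAgent) {
  if (/Firefox\//.test(userAgent)) return "";
  if (/Chrome\//.test(userAgent)) return "Google Inc.";
  if (/Safari\//.test(userAgent)) return "Apple Computer, Inc.";
  return null; // unknown engine: no expectation
}

function vendorMismatch(fp) {
  const expected = expectedVendor(fp.userAgent);
  if (expected === null || expected === fp.vendor) return null;
  return `user agent engine implies vendor "${expected}" but navigator.vendor is "${fp.vendor}"`;
}

function screenMismatch(fp) {
  if (/Mobile/.test(fp.userAgent) && fp.screen.width > MAX_PLAUSIBLE_MOBILE_WIDTH) {
    return `mobile user agent with desktop-sized screen ${fp.screen.width}x${fp.screen.height}`;
  }
  return null;
}

// The Accept-Language header comes from the network layer, navigator.languages
// from the JavaScript layer; a real browser derives both from the same setting.
function languageMismatch(fp) {
  if (fp.languages.length === 0) return "navigator.languages is empty";
  const headerPrimary = fp.acceptLanguage.split(",")[0].split(";")[0].trim();
  if (headerPrimary !== fp.languages[0]) {
    return `Accept-Language starts with "${headerPrimary}" but navigator.languages[0] is "${fp.languages[0]}"`;
  }
  return null;
}

function automationFlag(fp) {
  return fp.webdriver === true ? "navigator.webdriver is true" : null;
}

// Runs every rule and collects the contradictions it found.
function analyzeFingerprint(fp) {
  const reasons = [osMismatch, vendorMismatch, screenMismatch, languageMismatch, automationFlag]
    .map((rule) => rule(fp))
    .filter((reason) => reason !== null);
  return { verdict: reasons.length === 0 ? "consistent" : "suspicious", reasons };
}

// Constructed sample bundles (not real captured traffic).
const SAMPLE_CONSISTENT = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  platform: "Win32",
  vendor: "Google Inc.",
  screen: { width: 1920, height: 1080 },
  acceptLanguage: "en-US,en;q=0.9",
  languages: ["en-US", "en"],
  webdriver: false,
};

// A bundle whose signals were set one at a time and no longer agree.
const SAMPLE_SPOOFED = {
  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
  platform: "Win32",
  vendor: "Google Inc.",
  screen: { width: 2560, height: 1440 },
  acceptLanguage: "ru-RU,ru;q=0.8",
  languages: ["en-US", "en"],
  webdriver: true,
};

for (const [label, fp] of Object.entries({ SAMPLE_CONSISTENT, SAMPLE_SPOOFED })) {
  const result = analyzeFingerprint(fp);
  console.log(`${label}: ${result.verdict}`);
  result.reasons.forEach((r) => console.log(`  - ${r}`));
}
```

The point of the check is not any single rule but the cross-referencing: a purchased configuration that replaces the user agent, platform, screen size and headers independently has to keep all of them mutually plausible, and a bundle that carries a real victim’s cookies still has to pass the same comparison on every request.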

[Image: A recent snapshot of available Genesis bots]

Another common occurrence on the Genesis Market is for “bots” to include stolen credentials and cookies from actual users. This personal data is usually taken directly from victims or as the result of a data breach. For example, vendors on Genesis Market offer at least 33,681 configs with Spotify credentials. The number of credentials included in a “bot” bundle is frequently a price differentiator on Genesis Market. Or, in the case of Twitter, the price differentiator can be whether the credentials are for web or mobile. There are more than 54,000 configs with stolen credentials for Twitter on the web. However, there are only 5,036 configs with stolen credentials for Twitter mobile. These are more “valuable”, since it’s harder to be caught with these credentials. Across the Genesis Market, there are at least 213,837 configs available, most with several packages of stolen credentials.

Extreme Makeover: Bot Edition

All of these artifacts working together create the perfect picture of a fraudster’s victim. They can now move around the web appearing like a real person. With this type of “anonymity,” what kind of chaos can a fraudster wreak?

By having real credentials to use across the web, you can weaponize that victim’s existing influence. Engagement and click fraud occur when fraudsters are paid to engage with specific social media posts or click on specific links. That is why browser fingerprinting has the highest value here—it can make you the most money. The proper configurations plus user agent strings can make a fraudster go unnoticed as they log into the victim’s Twitter and create or favorite tweets, which may or may not be truthful. The victim won’t be alerted that someone has logged into their account because the fraudster will be spoofing their device type, IP address, etc. It’s the perfect crime, and it doesn’t take much other than some cash or cryptocurrency to do it. This type of fraud can happen across any social media site—faking influence by using real profiles is hard to detect with all of these measures in place.

Music platforms also fall victim through streaming fraud. Listens are the new currency on streaming platforms. If a song is popular, it will rise up the platform’s charts. We’ve seen Spotify and SoundCloud credentials bundled for fraudsters to do exactly this. By creating fake listens to boost popularity, they’re cheating the system. We live in an age in which anyone can produce their own music and put it out there. It has opened the door for more artists to be heard, but streaming fraud hurts new and established artists alike by taking away their opportunity to land at the top of the charts. Music has always been a democracy—the one with the listens, the spins, won. Streaming fraud has disrupted the music ecosystem: it’s payola for the 21st century. Using these browsers makes it look like someone is genuinely listening to these songs and genuinely “loving” them.

What we are describing here is a beginner’s guide to fraud. If you’re willing to pay the price, all the pieces are there to go undetected, or to pass as someone else, on the internet. Anti-detection browsers and marketplaces like Genesis have made it idiot-proof for wannabe cybercriminals to take on people’s identities and commit fraudulent acts like engagement/click fraud and streaming fraud. It’s as easy as buying that gift set.
