Since the end of January, $10.1 million has already been lost to fraud in Canada, according to the Canadian Anti-Fraud Centre. Online identity theft may be harder to prevent than the traditional fraud we have been used to. Automatic logins and the use of unencrypted connections for online transactions can compromise digital identity and enable online identity theft.
Device Fingerprinting and Digital Identities
Device fingerprinting is used by corporate websites to track online activity and recognize unique browsing patterns. According to a 2013 study, this tracking method was used at the time by only 0.4% of the major websites listed on Alexa. While it is no surprise that most of the 0.4% were financial services trying to prevent fraud, what is truly interesting is that, generally speaking, an overwhelming majority of websites leveraging this method were affiliated with some sort of malicious or illegal activity, the same study found.
In theory, and depending on your location, device fingerprinting can be a legal technique used by online advertisers to collect unique user identifiers such as language, time zone, browser and extensions, type of operating system, device settings, and search history. It often runs in the background without user consent, making it hard to block without specialized technology. However, the EU’s General Data Protection Regulation (GDPR) has made it mandatory for companies to make this tactic visible and known to EU users.
Malicious actors often resort to form-grabbing to steal passwords saved in browsers, cookies, logs, and personal information, the perfect tools to commit digital identity fraud. Digital fingerprints are sought-after commodities: once fraudsters gain access to them, they can impersonate a user’s profile or browser to bypass anti-fraud systems.
Contrary to popular belief, fraudsters do not have to be extremely tech-savvy to pull this off. The criminal underground abounds in services – such as Genesis Market – that can turn even the most novice of script kiddies into a digital fingerprint abuser with a high success rate.
Genesis Market Overview
Launched in late 2018, Genesis Market showed great potential, as it was the very first marketplace focused on digital identities. A private, invite-only, illicit market with a paid subscription, it allowed malicious actors to repackage and resell botnets. These botnets came with full credentials for numerous websites, including email and bank accounts, and credit card information. This made it easy for anyone to impersonate a legitimate user and bypass security.
Although it was heavily promoted on carding forums and was the largest bot store on the darknet, Genesis Market was taken offline in December 2019, only to come back to life four weeks later.
Each bot comes with cookies and credentials scraped from a victim’s computer. Not only are they indexed and searchable, but they include extremely detailed information. Genesis Market also provides a plugin and an anonymous browser that download victim profiles. If the right proxy is used, it can be very hard for a company to identify malicious logins.
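One way a defender might surface reuse of a stolen session cookie when the fingerprint itself has been cloned, shown as an added example that is not from the original article or from any product it mentions. The field names, the five-minute window and the sample events are constructed assumptions.

```python
import hashlib
import json
from collections import defaultdict

# Attributes the article lists as fingerprint inputs; field names are assumptions.
FP_FIELDS = ("language", "timezone", "browser", "extensions", "os")

def fingerprint(attrs):
    """Stable hash over the fingerprint attributes sent with one request."""
    canon = json.dumps({k: attrs.get(k) for k in FP_FIELDS}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def flag_replayed_sessions(events, window=300):
    """Return session ids presented from two different IPs within `window`
    seconds with an identical fingerprint. A cloned profile passes a
    fingerprint comparison, so the network overlap is the signal used here."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    flagged = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            same_fp = fingerprint(prev["attrs"]) == fingerprint(cur["attrs"])
            close = cur["ts"] - prev["ts"] <= window
            if same_fp and close and prev["ip"] != cur["ip"]:
                flagged.append(sid)
                break
    return sorted(flagged)

# Constructed sample data (documentation IP ranges, invented session ids).
PROFILE = {"language": "en-CA", "timezone": "America/Toronto",
           "browser": "Chrome 88", "extensions": ["adblock"], "os": "Windows 10"}
OTHER = {"language": "fr-CA", "timezone": "America/Montreal",
         "browser": "Firefox 85", "extensions": [], "os": "Windows 7"}
EVENTS = [
    {"ts": 1000, "session": "s-alice", "ip": "192.0.2.10", "attrs": PROFILE},
    # Same cookie and a copied profile, arriving from another network.
    {"ts": 1060, "session": "s-alice", "ip": "198.51.100.7", "attrs": dict(PROFILE)},
    {"ts": 1120, "session": "s-alice", "ip": "192.0.2.10", "attrs": PROFILE},
    {"ts": 1000, "session": "s-bob", "ip": "203.0.113.5", "attrs": OTHER},
    {"ts": 1500, "session": "s-bob", "ip": "203.0.113.5", "attrs": OTHER},
    # IP change after a long gap: ordinary roaming, not flagged.
    {"ts": 1000, "session": "s-carol", "ip": "192.0.2.44", "attrs": OTHER},
    {"ts": 90000, "session": "s-carol", "ip": "192.0.2.99", "attrs": OTHER},
]

if __name__ == "__main__":
    print(flag_replayed_sessions(EVENTS))
```

A flagged session is a prompt for step-up authentication or review rather than proof of compromise, since legitimate network changes can produce the same pattern.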
What Is the Demand for Canadian Bots?
Ever since Richlogs emerged in April 2019, Genesis Market has no longer been the sole provider of digital fingerprints on the criminal underground. Given the increase in competition and demand, it is likely that the actual fresh bot selection is fairly limited.
Curious to see if Canadian bots are in high demand, Flare Systems’ threat intelligence team investigated Genesis Market in early 2021. Our team identified a portfolio of 350,000 bots, of which fewer than 1% are from Canadian victims. While the number of bots has increased in the last 12 months, it has been quite stable for the past four.
On a daily basis, the supply of fresh, updated bots can be as low as the single digits, with merely 25% of bots receiving updates in 2021. According to our estimations, the bot inventory is heavily inflated to show variety and attract customers. We have identified similar trends on other dark web marketplaces in the past year.
Pricing Strategy Insights
Based on our investigation, we have determined the main variables that influence sales numbers:
- Time since the bot was last updated
- Infection length
- Number of cookies and compromised credentials
- Price
- Operating system (commercial, recent)
The three main sales drivers are the time elapsed since the last update was performed, infection length, and the number of cookies. These confirm that buyers are looking for fresh bots that have not been compromised for long. Aware that a good number of accounts can be secured with two-factor authentication and that some credentials may be incomplete, malicious actors appear to prefer cookies when attempting to take over accounts.
Some countries are priced higher than others, so we can assume prices vary based on legislation, infrastructure and interest in that specific market. Canadian bots are priced extremely low, with prices ranging from $1 to $350. While we cannot say for certain, a possible explanation is the age of the bots and the Windows version they operate on. Considering some of them are old and have not been updated in two years, purchasing them may be useless.
Canadian bots that recently received updates have a median price of $35, while those updated in 2019 can go for $5. Generally speaking, Canadian bots can be purchased for less than $100. Based on price distribution, we presume that malicious actors are willing to risk it and still purchase an old, outdated bot for cheap.
Canadian bots are not driving sales numbers on Genesis Market, given the limited inventory of fresh services. Moving forward, if the situation persists, Genesis Market may lose ground with Canadian malicious actors, and it will be interesting to see where Richlogs positions itself in relation to Canada.