The insidious problem with bots is exploding

June 10, 2021
Research reveals a surge in digital identities for sale on the deep web

Genesis Market. It sounds like a futuristic bazaar where new tech ideas can be traded. But it’s not. The truth is, Genesis Market is a terrifying, illicit invite-only marketplace where bots, embedded with illegally obtained personal data, are being exchanged. Chances are that your customers’ information is on it. Maybe even yours.

New exclusive research in the report ‘Buying Bad Bots Wholesale: The Genesis Market’ reveals that the number of stolen identities for sale on the marketplace has increased by 250% in two years, with more than 18,000 being added each month. Data for sale ranges from basic email logins and Netflix profiles to PayPal accounts, all packaged up into a bot. The current price tag for one of these bots can be as little as $0.70 and up to $370 for those containing more significant amounts of embedded data. The more expensive the bot, the juicier the information it contains, such as credit card numbers and financial details that allow access to online bank accounts.

Once a bot is purchased, the bot operator can assume the identity of the person whose data has been stolen. The stolen data contained in the bot includes device fingerprints, which allow the operator to masquerade as the victim. The operator can then make online purchases through the individual’s account and even reply to that person’s emails – all without detection. For all intents and purposes, the buyer becomes their victim.

How the Process Works

Here’s how the process works: Buyers receive a custom browser into which they load the bot and its data. This is either Genesis Security, a Chromium-based browser plugin to be loaded onto an existing setup, or Genesium, a “de-googled” version of Chromium maintained by Genesis Market owners. Genesis is an anti-detect browser, meaning it’s designed with privacy in mind. The real intent, however, is to avoid tracking and detection by traditional anti-fraud and cybersecurity defenses, leaving the bot purchaser free to browse the internet while masquerading as the victim. Once the bot is loaded into the browser and the stolen data accessed, the bot user has open access to the victim’s accounts. Any saved logins, when login cookies exist, can be used to continue a user’s session – all without access to the original device.

Each bot for sale on the Genesis Market holds data that has been exfiltrated from a consumer’s device. The information typically consists of auto-filled data, saved logins, cookies, or browser fingerprints. Buyers even have the ability to search the more than 350,000 bots for sale on the market by price, location, the time a device was compromised, its most recent update and how much information is available.

The frightening thing is the growth of this marketplace. In April 2019, about 100,000 stolen credentials were available for purchase. Today, it’s more than three times as many. Given the number of bots available at any one time, the Genesis Market alone represents millions of dollars of illegal transactions passing from criminal to criminal. It’s a sleek and successful commerce site, complete with an FAQ and support help desk.

How is Data Stolen? By More Bots

Victims are primarily targeted with malware and account takeover (ATO) bots. These bots grab leaked customer account usernames and passwords from mass data dumps and test them against accounts until they find a successful match. Sometimes data dumps will contain complete sets of credentials with both username and password. Others contain only partial information, so cracking the code and accessing an account can take several attempts. Gaining unauthorized access in this way is an ATO technique called credential stuffing or credential cracking, depending on the amount of information attackers have at hand.
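To show what the two ATO patterns described above look like in login telemetry, here is an added detection sketch (not from the report or from Netacea). The event format, thresholds and per-source grouping are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
SAMPLE_EVENTS = (
    # One source, 40 different accounts, one try each, a single hit.
    [("203.0.113.10", f"user{i}@example.com", i == 7) for i in range(40)]
    # One source hammering a single account with password guesses.
    + [("198.51.100.5", "alice@example.com", False)] * 30
    # Ordinary user: one typo, then a successful login.
    + [("192.0.2.44", "bob@example.com", False),
       ("192.0.2.44", "bob@example.com", True)]
)

# Hypothetical thresholds (assumptions); tune them against real traffic.
MIN_ATTEMPTS = 20
MIN_FAILURE_RATIO = 0.8
STUFFING_MAX_TRIES_PER_USER = 2
CRACKING_MIN_TRIES_PER_USER = 10

def classify_sources(events):
    """Return {source_ip: verdict} based on the shape of its login attempts."""
    tries = defaultdict(lambda: defaultdict(int))
    failures = defaultdict(int)
    for ip, user, ok in events:
        tries[ip][user] += 1
        failures[ip] += 0 if ok else 1
    verdicts = {}
    for ip, users in tries.items():
        total = sum(users.values())
        per_user = total / len(users)
        if total < MIN_ATTEMPTS or failures[ip] / total < MIN_FAILURE_RATIO:
            verdicts[ip] = "normal"
        elif per_user <= STUFFING_MAX_TRIES_PER_USER:
            verdicts[ip] = "credential_stuffing"   # many accounts, few tries each
        elif per_user >= CRACKING_MIN_TRIES_PER_USER:
            verdicts[ip] = "credential_cracking"   # few accounts, many tries each
        else:
            verdicts[ip] = "suspicious"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts that a flagged source logged into successfully."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts[ip] != "normal"})

if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v, accounts_to_reset(SAMPLE_EVENTS, v))
```

Grouping by source IP is a simplification: distributed bots spread attempts across many addresses, so the same ratios are usually also computed per ASN, per user agent or per target account.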

Access to accounts is often made easier because of a consumer’s own behavior. Too often, consumers reuse their passwords. Unfortunately, just one successfully validated set of credentials can give an attacker access to multiple accounts, some of which will likely contain even more identifiable information about a person.

What does this mean for cybersecurity? It’s being outsmarted. Many anti-fraud defenses rely on matching device fingerprints to credentials to verify a legitimate user’s identity. By infecting legitimate devices and stealing their fingerprints, Genesis Market bots can pass right through such protections, so the malicious users can’t be separated from the genuine.

The bottom line is that we’re looking at an arms race. As attackers’ arsenals of weapons advance, cybersecurity defenses must try to play catch up.

The secret weapon for both bot detection and bot mitigation is automation, especially on the server side. Sophisticated AI defenses have become more crucial than ever for businesses to prepare for and fight the rising tide of sophisticated bot attacks. Intent analytics, for example, can look at what each user is doing and identify suspicious activity in real time. The key is to focus on behavior rather than on signals like fingerprinting or cookies. Doing so allows you to better distinguish legitimate from fake users in a way that does not disrupt a business.
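The contrast drawn above between signal matching and behavior, as an added example (not the report's or Netacea's method): a replayed session passes a fingerprint check but is flagged by server-side behavioral checks. The request fields, action names and idle threshold are assumptions, and the traffic is constructed.

```python
from collections import namedtuple

Request = namedtuple("Request", "session fingerprint asn action ts fresh_login",
                     defaults=(False,))

SENSITIVE = {"change_email", "add_payee"}   # hypothetical action names
IDLE_SECONDS = 1800                          # hypothetical idle threshold

# Constructed traffic. ASNs come from the documentation range (RFC 5398).
HISTORY = [
    Request("s1", "fp-a1", 64500, "login", 1000, True),
    Request("s1", "fp-a1", 64500, "view_orders", 1060),
    Request("s2", "fp-b2", 64501, "login", 2000, True),
    Request("s2", "fp-b2", 64501, "add_payee", 2300),
    # s1's cookie and fingerprint replayed from another network, no new login.
    Request("s1", "fp-a1", 64510, "change_email", 5000),
]

def fingerprint_matches(req, known):
    """The signal-only check: does the fingerprint match the one seen at login?"""
    return known.get(req.session) == req.fingerprint

def behaviour_reasons(req, prev):
    """Server-side behavioural checks against the session's previous request."""
    reasons = []
    if prev is None or req.fresh_login:
        return reasons
    if req.asn != prev.asn:
        reasons.append("network_changed_without_login")
    if req.action in SENSITIVE and req.ts - prev.ts > IDLE_SECONDS:
        reasons.append("sensitive_action_after_idle")
    return reasons

def evaluate(history):
    """Return (session, action, fingerprint_ok, reasons) for each request."""
    known, last, out = {}, {}, []
    for req in sorted(history, key=lambda r: r.ts):
        if req.fresh_login:
            known[req.session] = req.fingerprint
        out.append((req.session, req.action, fingerprint_matches(req, known),
                    behaviour_reasons(req, last.get(req.session))))
        last[req.session] = req
    return out

if __name__ == "__main__":
    for row in evaluate(HISTORY):
        print(row)
```

Legitimate users also change networks, so reasons like these are better used to trigger step-up authentication before the sensitive action than to block the session outright.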

Another line of defense is a bot management framework that helps you gain a critical understanding of attacks. By going against business logic and breaking down incidents into different stages, a business can understand the techniques employed by hackers and then create a bot management strategy that will better keep the business and its customers protected.

Finally, keep in mind that underground marketplaces like the Genesis Market are not immune to attacks, either. Several large data breaches of illegal marketplaces have taken place in recent months. Swarmshop’s attack resulted in the release of more than 600,000 payment cards from around the world. Other forums, like Verified and Carding Mafia, were also targeted earlier this year. As these marketplaces grow in popularity, we will see them increasingly go to war against each other to boost their own stashes of stolen data.

The digital transformation acceleration that has been taking place in recent years has led to more personal data being shared online – and more hackers looking to grab and cash in on it. This has resulted in the fast growth of bad bot networks and illicit marketplaces, like the Genesis Market. There’s little doubt that malicious applications are taking over the internet. If businesses don’t go on the offense and put the appropriate solutions in place, the marketplaces will win the war and leave businesses and their customers in shambles.

About the author: Matthew Gracey-McMinn is the Head of Threat Research at Netacea. He is an experienced Cyber Threat Intelligence professional with an MPhil from the University of Oxford. In his current role at Netacea, he researches and investigates the impact of malicious bots on online businesses and their customers.