
Evolution of the Russian-Language Underground’s Anonymizing Technology


Much like a virus that continually mutates to render previously-effective vaccines obsolete, cybercriminals’ ongoing development of new anonymizing technologies empowers them to obfuscate their identities while carrying out illicit schemes. Throughout the Russian-language underground in particular, many adversaries have been known to spend hundreds of dollars on tools designed to help them sidestep the latest anti-fraud mechanisms being deployed by financial institutions, retailers, and others. As more organizations implement new tracking and fingerprinting methods, cybercriminals continue to upgrade their technologies to subvert defender countermeasures.

To better understand how anonymizing technologies are contributing to the proliferation of cybercrime, Flashpoint analysts embarked on a research project to determine the most popular software packages among members of the Russian-language underground.

Linken Sphere
A more recent addition to the arsenal of tools available to Russian-speaking cybercriminals, Linken Sphere is a powerful browser package designed for the dedicated purpose of establishing and recycling online identities. The tool first appeared in July 2017 and includes traffic tunneling and processor mapping features to help adversaries gain unauthorized access to targeted networks. Other features include an “off-the-record mode,” as well as a simplified process for importing and exporting cookies between sessions.

For each browsing session, users can either load their own user agent information, or choose from several dozen preconfigured proxy user agents to spoof activity on operating systems such as Mac, Windows, Linux, Android, and iOS. Users can also set the GPS coordinates of their choosing to mask their location. After setting the configurations for a browsing session, users are forwarded to a browser fingerprinting service to verify their anonymity. To create the impression that their activity is being carried out by multiple individuals, adversaries can generate unique fingerprints for individual sessions within separate browser tabs.

Linken Sphere can be rented for about $100 per month on several Russian-language underground forums. Relatively uncommon for an underground product, Linken Sphere’s launch campaign featured a high-quality promotional video that has received over 1,000 views since it was uploaded to YouTube.

Whatleaks
Another recently-launched tool gaining attention among Russian cybercriminals is an anonymity and spoofing service known as Whatleaks, which began to aggressively advertise across lower- and upper-tier Russian-language forums in June 2017. That being said, the tool has actually been circulating throughout the Deep & Dark Web since August 2015, billed as a simple method of verifying the IP address associated with a machine.

While users concerned with maintaining their anonymity online have frequently used website services such as Browserleaks or Whoer to check how well their configurations are hiding traces of their online identity, Whatleaks goes much further than these better-known free fingerprinting services and utilizes almost two dozen different parameters for fingerprinting online visitors. First, Whatleaks identifies user configurations based on browser and operating system. Next, unique hash IDs are generated for a variety of different data released by the browsers. After running the tool, users can save the unique browser fingerprint generated, compare new fingerprints, and align their own settings with past configurations used for cybercriminal activities.

On July 18, 2017, Whatleaks announced a new feature that would allow subscribers to download fingerprints that belong to ordinary Internet users. The subscription service costs $19 USD for thirty days of access to a fingerprint database with nearly 150,000 unique fingerprints searchable by country and browser. Users can also order the custom fingerprints at a cost that varies based on the targeted website.

Browser-Antidetect
Browser-Antidetect is a tool with a longer presence in the cybercriminal underground, marketed by a well-known threat actor on an elite Russian-language cybercrime forum. The tool’s users frequently claim that it quickly pays for itself, with some even lauding it as the best obfuscation tool on the market. The tool’s client base purportedly consists of only a few dozen elite cybercriminals, which allows for careful consideration of each customer’s needs and justifies the tool’s $5,000 USD price tag.

Like Linken Sphere, Browser-Antidetect can be used to create fingerprints corresponding with various operating systems. Browser-Antidetect is built from the Chrome browser’s source code, which differentiates it from tools based on Firefox. Versions 4.0 and above also allow the imitation of Network Address Translation (NAT) and WiFi in WebRTC packets. Version 5.1, the latest release of the tool, was announced on July 4, 2017.

Antidetect
Another major player in the obfuscation market is a tool known as Antidetect, which first appeared in October 2012. The software received a significant amount of unwanted publicity when cybersecurity blogger Brian Krebs covered Antidetect and the possible identity of its creator in a series of posts published in March 2015. Antidetect can be used to alter numerous trackable elements, including but not limited to HTTP headers, JavaScript objects, browser plugins, media type (MIME Type), screen resolution, operating system name, Flash Player data storage, battery settings, geolocation, and Canvas/WebGL fingerprinting. The longevity of the tool, which is now in version 7.1.6, is a testament to its value to cybercriminals. That being said, some users have noted that current versions of the tool have difficulty circumventing numerous retailers’ CAPTCHA security settings because they typically appear regardless of the configurations utilized in Antidetect.

The marketplace for purchasing new Antidetect configurations currently boasts 168,333 different configurations, sortable by user agent, OS, browser, screen resolution, OS language, and Flash settings. Individual configurations are sold for $3 USD, and the latest version of Antidetect is available for sale for $550 USD. Given the solid reputation the tool has developed over the past five years, it has become a sought-after commodity in the English-language underground, where various “cracked” versions — often infected with malware — can be obtained for free.

The tools described above not only make it easier for cybercriminals to obfuscate their online identities, they are contributing to the success of illicit schemes like account takeovers (ATOs) and other types of fraud. Even as companies develop new ways to track adversaries and combat cybercrime, it’s crucial to recognize that in response, cybercriminals will persist in adapting their tactics and developing subversive countermeasures.

About the author: Luke Rodeheffer


Luke is a Cybercrime Intelligence Analyst at Flashpoint, where he specializes in analyzing cyber and physical threats and actors originating in Turkey, the former Soviet Union, The Middle East, and North Africa. He has extensive previous experience as a freelance due diligence and political risk analyst covering post-Soviet Eurasia and Turkey utilizing extensive public record and open source research. Luke has been published by The Diplomat, Business Insider, Middle East Monitor and George Washington's International Affairs Review, and his research has been cited in the Wall Street Journal. Luke speaks Turkish, Russian, German, and Persian, and holds a Master's Degree in Russian, Eastern European, and Eurasian Studies from Stanford University.