Much like a virus that continually mutates to render previously-effective vaccines obsolete, cybercriminals’ ongoing development of new anonymizing technologies empowers them to obfuscate their identities while carrying out illicit schemes. Throughout the Russian-language underground in particular, many adversaries have been known to spend hundreds of dollars on tools designed to help them sidestep the latest anti-fraud mechanisms being deployed by financial institutions, retailers, and others. As more organizations implement new tracking and fingerprinting methods, cybercriminals continue to upgrade their technologies to subvert defender countermeasures.
To better understand how anonymizing technologies are contributing to the proliferation of cybercrime, Flashpoint analysts embarked on a research project to determine the most popular software packages among members of the Russian-language underground.
A more recent addition to the arsenal of tools available to Russian-speaking cybercriminals, Linken Sphere is a powerful browser package designed for the dedicated purpose of establishing and recycling online identities. The tool first appeared in July 2017 and includes traffic tunneling and processor mapping features to help adversaries gain unauthorized access to targeted networks. Other features include an “off-the-record mode,” as well as a simplified process for importing and exporting cookies between sessions.
For each browsing session, users can either load their own user agent information, or choose from several dozen preconfigured proxy user agents to spoof activity on operating systems such as Mac, Windows, Linux, Android, and iOS. Users can also set the GPS coordinates of their choosing to mask their location. After setting the configurations for a browsing session, users are forwarded to a browser fingerprinting service to verify their anonymity. To create the impression that their activity is being carried out by multiple individuals, adversaries can generate unique fingerprints for individual sessions within separate browser tabs.
Linken Sphere can be rented for about $100 per month on several Russian-language underground forums. Relatively uncommon for an underground product, Linken Sphere’s launch campaign featured a high-quality promotional video that has since received over 1,000 views since it was uploaded to YouTube.
Another recently-launched tool gaining attention among Russian cybercriminals is an anonymity and spoofing service known as Whatleaks, which began to aggressively advertise across lower- and upper-tier Russian-language forums in June 2017. That being said, the tool has actually been circulating throughout the Deep & Dark Web since August 2015, billed as a simple method of verifying the IP address associated with a machine.
While users concerned with maintaining their anonymity online have frequently used website services such as Browserleaks or Whoer to check how well their configurations are hiding traces of their online identity, Whatleaks goes much further than these better-known free fingerprinting services and utilizes almost two dozen different parameters for fingerprinting online visitors. First, Whatleaks identifies user configurations based on browser and operating system. Next, unique hash IDs are generated for a variety of different data released by the browsers. After running the tool, users can save the unique browser fingerprint generated, compare new fingerprints, and align their own settings with past configurations used for cybercriminal activities.
On July 18, 2017, Whatleaks announced a new feature that would allow subscribers to download fingerprints that belong to ordinary Internet users. The subscription service costs $19 USD for thirty days of access to a fingerprint database with nearly 150,000 unique fingerprints searchable by country and browser. Users can also order the custom fingerprints at a cost that varies based on the targeted website.
Browser-Antidetect is a tool with a longer presence in the cybercriminal underground, marketed by a well-known threat actor on an elite Russian-language cybercrime forum. The tool’s users frequently claim that it quickly pays for itself, with some even lauding it as the best obfuscation tool on the market. The tool’s client base purportedly consists of only a few dozen elite cybercriminals, which allows for careful consideration of each customer’s needs and justifies the tool’s $5,000 USD price tag.
Like Linken Sphere, Browser-Antidetect can be used to create fingerprints corresponding with various operating systems. Browser-Antidetect is built from the Chrome browser’s source code, which differentiates it from tools based in Firefox. Versions 4.0 and above allow the imitation of Network Address Translation (NAT) and WiFi in WebRTC packets as well. Version 5.1, the latest release of the tool, was announced on July 4, 2017. Versions 4.0 and above allow the imitation of Network Address Translation (NAT) and WiFi in WebRTC packets.
The marketplace for purchasing new Antidetect configurations currently boasts 168,333 different configurations, sortable by user agent, OS, browser, screen resolution, OS language, and Flash settings. Individual configurations are sold for $3 USD, and the latest version of Antidetect is available for sale via for $550 USD. Given the solid reputation the tool has developed over the past five years, it has become a sought-after commodity in the English-language underground where various “cracked” versions — often infected with malware — can be obtained for free.
The tools described above not only make it easier for cybercriminals to obfuscate their online identities, they are contributing to the success of illicit schemes like account takeovers (ATOs) and other types of fraud. Even as companies develop new ways to track adversaries and combat cybercrime, it’s crucial to recognize that in response, cybercriminals will persist in adapting their tactics and developing subversive countermeasures.