The Resecurity® HUNTER unit has identified a new tool for sale on the Dark Web called MASQ, which enables bad actors to emulate device fingerprints and thereby bypass fraud protection controls, including authentication mechanisms. One of the prominent new features is support for the digital fingerprints of Smart TVs from brands such as Philips, Samsung, Sharp and Sony; the tool also supports digital fingerprint spoofing of modern gaming consoles, including the PlayStation and Xbox One.
Dark Web actors are actively leveraging such tools, known as ‘anti-detects’, which enable account takeover (ATO): access to compromised consumer accounts at various online services and e-mail providers, and the ability to perform fraudulent transactions without being flagged by current anti-fraud solutions.
Cybercriminals are exploiting weaknesses in modern anti-fraud solutions by spoofing the device fingerprints used by legitimate participants in online-banking, e-commerce and online-service transactions. Doing so makes it close to impossible to differentiate stolen digital identities used for illegal purposes from the victims’ digital identities used for legitimate purposes. Such activity is not limited to payments: bad actors are also abusing social media and e-mail accounts using such tools.
Popular fraud-prevention solutions rely on a consortium of data harvested from a variety of sources to authenticate user and device identity, analyzing a vast collection of digital fingerprints extracted from consumers’ transactions and online activity. Common examples of such “fingerprints” logged by these systems include the IP address, browser information, device characteristics, screen resolution, time zone, language settings and the browser plugins installed.
Other, more granular fingerprints include the video and memory cards hardwired into the device, open ports and service fingerprints, the WebGL debug vendor, hardware characteristics (RAM, number of CPUs available), firmware and hardware IDs, and other details that can be collected remotely from a consumer’s machine using JavaScript, HTML5, WebRTC (Web Real-Time Communications) and other technologies.
There are over 100 user and device fingerprints that anti-fraud systems can cross-reference to authenticate the end user. Apart from these fingerprints, behavioral analysis of social networks, third-party cookie checks, website clicks, and touchscreen behavior comprise a secondary component of anti-fraud monitoring systems. All of that can easily be spoofed and bypassed with the help of the new MASQ tool.
Having credentials to a particular account, cybercriminals use MASQ to re-use stolen cookie files from the victim and to spoof device fingerprints, essentially making themselves look the same as the victim.
Fraud prevention engines that know existing customers and the fingerprints associated with them typically won’t flag such a session as “suspicious”, or will assign it only an extremely low risk score due to a possible IP address difference, which is still enough to complete a transaction. With the active growth of consumers using mobile devices, bad actors are using such tactics more often; spoofing the victim’s mobile device allows them to gain access to compromised accounts.
MASQ provides an integrated Cookie Editor that allows cookies to be imported from a file and edited in a visual editor.
There are various marketplaces with stolen credentials and cookies available on the Dark Web, such as Genesis Store and Russian Marketplace, where the majority of the data comes from malicious code distribution and botnet activity conducted by cybercriminals globally.
By using MASQ and sophisticated device fingerprint spoofing, bad actors are targeting consumers of major online retailers and e-commerce platforms.
In certain cases, proper device fingerprint spoofing may allow a bad actor to bypass 2FA, because a cached session may still be valid and let the bad actor access the account without entering an OTP again.
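The cached-session risk described above, seen from the defender's side, as an added example that is not from the original article or from any vendor's product: a session policy that treats a matching fingerprint as non-evidence and skips the OTP only on a network where one was already verified. The class, field and decision names, the coarse network identifier and the list of sensitive actions are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Actions that always need a second factor verified on the current network (assumed list).
SENSITIVE = {"payment", "change_email", "change_password"}

@dataclass(frozen=True)
class Event:
    session_id: str    # value of the session cookie
    fingerprint: str   # digest of the collected device attributes
    network: str       # coarse network identifier, e.g. ASN or /24 prefix
    action: str

class SessionBinding:
    """Remembers, per session, where a one-time password was actually verified."""

    def __init__(self):
        self._verified = {}  # session_id -> (fingerprint, frozenset of networks)

    def record_otp(self, ev: Event) -> None:
        fp, nets = self._verified.get(ev.session_id, (ev.fingerprint, frozenset()))
        if fp != ev.fingerprint:      # new device: earlier networks no longer count
            nets = frozenset()
        self._verified[ev.session_id] = (ev.fingerprint, nets | {ev.network})

    def decide(self, ev: Event) -> str:
        entry = self._verified.get(ev.session_id)
        if entry is None or entry[0] != ev.fingerprint:
            return "step_up"          # unknown session or changed device
        if ev.network in entry[1]:
            return "allow"            # OTP was verified from this network before
        # Same cookie, identical fingerprint, unseen network: a matching
        # fingerprint is treated as non-evidence, so the cached session alone
        # never authorises a sensitive action.
        return "step_up" if ev.action in SENSITIVE else "monitor"

def demo():
    # Constructed sample events, not real data.
    binding = SessionBinding()
    owner = Event("s1", "fp-A", "net-home", "payment")
    binding.record_otp(owner)
    replay = Event("s1", "fp-A", "net-proxy", "payment")
    return [binding.decide(owner), binding.decide(replay),
            binding.decide(Event("s1", "fp-A", "net-proxy", "view"))]

if __name__ == "__main__":
    print(demo())
```

The trade-off is extra OTP prompts for users who roam between networks, which is why the non-sensitive case only returns "monitor".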
MASQ provides a broad collection of authentic device fingerprints via an integrated marketplace. The tool is available for $130 and each new device fingerprint starts from $1. The marketplace includes over 70 fingerprints divided into 6 categories, ranging from mobile devices and tablets to Smart TVs and gaming consoles including Sony PlayStation, Xbox and Nintendo.
Modern gaming consoles are frequently used by consumers to perform various transactions and in-game purchases using popular payment systems and credit cards. With the rapid growth of the e-gaming industry, threat actors are profiting from hacked player accounts and abusing other platforms interconnected with them.
The same applies to Smart TVs and integrated in-app transactions that allow users to buy paid content and other commercially available services and subscriptions. The appearance of this feature in MASQ will obviously simplify fraud against e-gaming platforms and smart devices, generating huge profits for cybercriminals by abusing their marketplaces.
Based on Resecurity's assessment, some anti-fraud systems apply different detection logic when they see the end user’s activity originating from a mobile device such as a smartphone or tablet. In more exotic cases, for example a Smart TV, some anti-fraud systems are not able to perform more in-depth analytics, risking additional discomfort for the end user.
“This is definitely a new step in the niche of anti-detects in the underground market. Threat actors are constantly evolutionizing the tooling used to perform fraud and account takeover. MASQ is a great example of it,” said Saraj Pant, cyber threat intelligence analyst with Resecurity, Inc.
“Such tools represent the greatest risk for online transactions and are used for card-not-present (CNP) fraud. It is extremely important to track the appearance of such tools on the Dark Web and to use this knowledge to develop more advanced and intelligent digital identity authentication and fraud prevention controls,” he added.
The tool also supports popular browsers including Google Chrome and Microsoft Edge, and integration with underground proxy services for traffic tunneling.
The current version of MASQ is 0.198. The latest release is dated June 13, 2021. According to experts, the tool has already earned a reputation as a strong competitor to anti-detects like Linken Sphere, based on the reviews observed on various underground marketplaces and communities.
About the author: Saraj Pant
Saraj Pant is a cyber threat intelligence analyst at Resecurity, Inc.
(SecurityAffairs – hacking, MASQ tool)