The criminal market in online profiles

One of the earliest memes describing the internet posited that on the web, no one knows you’re a dog. The meme highlighted the often anonymous nature of the internet in those days, with Usenet groups and other online communities typically populated by people operating behind a pseudonym. This made it relatively easy to create fake accounts to manipulate activity, and even some of the biggest communities online, such as Reddit, engaged in the creation of fake accounts to make themselves appear more active than they were in their early days.

The introduction of social networks, such as MySpace, LinkedIn, and Facebook changed the picture somewhat, as they required users to register using their real names. While ostensibly this should help to improve the reliability of the platforms and give us confidence that we are actually talking to who we think we are, new research from the Eindhoven University of Technology highlights how big the business still is in the trade of fake online profiles.

The researchers describe an online marketplace where hundreds of thousands of extremely detailed and realistic online profiles are traded every day. These accounts use sophisticated “fingerprints” to allow criminals to bypass any authentication systems that platforms have to control access. 

Trading humans

Of course, not all of these accounts are fake, and many are simply accounts that have been compromised, thus providing hackers not only with access to potential sock puppet accounts but also extremely valuable information, such as the person’s credit card details.

The scale of the problem is enormous, with recent estimates suggesting nearly 2 billion stolen identities are traded on the dark web each year.

This booming business has prompted online platforms, from banks to e-commerce sites, to up their game in terms of user authentication and security. The most common method is two-step authentication, but the internet giants are increasingly using risk-based authentication (RBA) to bolster their security further.

RBA uses digital fingerprints to determine someone's identity. These fingerprints include a range of measures, including the browser and operating system used by the account, together with more complex measures, including keystroke speed, mouse movements, and location.

If the behavior of the user matches the historic behavior of the account during a new log-in, then their username and password are generally sufficient to access the service. If it isn't the case, then a further level of authentication is triggered.

Retaining value

The research found that even this seemingly sophisticated authentication is insufficient to stop cybercriminals from cracking it. Indeed, the marketplace analyzed by the researchers had over 260,000 such fingerprints on them, along with the email addresses and passwords associated with those accounts.

The authors highlight how these marketplaces not only have huge scale, in terms of the number of profiles available, but they also work to continuously update these profiles so that they retain their value over time.

The trade undertaken on the platform is also highly sophisticated, with attackers using detailed searches to find precisely the right person to target in their spear phishing campaigns. Indeed, there was also software available that would allow criminals to automatically load any profiles they had purchased in the specific websites they were targeting.

Risky business

The researchers also underlined the fundamental difficulties associated with making their findings. Obviously, the criminals behind these marketplaces don't wish their work to be given such public exposure, and access to the platform is strictly on an invite-only basis, with existing users referring all newcomers directly.

The operators of the platform also regularly monitor activity to try and detect potentially malicious activity, which made harvesting data extremely difficult. They were also concerned about potential reprisal attacks from the criminal gangs behind the site, hence why they kept its identity anonymous in their paper.

The value of each profile on the platform varies, with identities ranging from just $1 up to $100, with the most valuable profiles being those linked to cryptocurrency accounts.

Similarly, accounts that are associated with a range of services are also valuable, as are those with actual fingerprints rather than those generated by the platform.

The researchers describe how criminals have been using the accounts to perform a range of attacks. For instance, one attack they discovered saw the criminal establish specific filters in the email account of their victim, with this allowing them to buy things on Amazon without the victim ever seeing the confirmation emails from the e-commerce giant.

It seems that as the web has evolved, not only do legitimate and criminal actors alike know all too well that you’re a dog, but also what breed, color, age, and browser you use too. With the value of our identities rising, the challenges involved in securing them grow ever greater.