Cybernews
  • News
  • Editorial
  • Security
  • Privacy
    • What is a VPN?
    • What is malware?
    • How safe are password managers?
    • Are VPNs legal?
    • More resources
    • Strong password generator
    • Personal data leak checker
    • Antivirus software
    • Best VPN services
    • Password managers
    • Secure email providers
    • Best website builders
  • Follow
    • Twitter
    • Facebook
    • YouTube
    • Linkedin
    • Flipboard
    • Newsletter

© 2021 CyberNews - Latest tech news, product reviews, and analyses.

Our readers help us create quality content. If you purchase via links on our site, we may receive affiliate commissions. Learn more

Home » Security » The criminal market in online profiles

The criminal market in online profiles

by Adi Gaskell
23 February 2021
in Security
0
Red fake account button

© Shutterstock

15
SHARES

One of the earliest memes describing the internet posited that on the web, no one knows you’re a dog. The meme highlighted the often anonymous nature of the internet in those days, with Usenet groups and other online communities typically populated by people operating behind a pseudonym. This made it relatively easy to create fake accounts to manipulate activity, and even some of the biggest communities online, such as Reddit, engaged in the creation of fake accounts to make themselves appear more active than they were in their early days.

The introduction of social networks, such as MySpace, LinkedIn, and Facebook changed the picture somewhat, as they required users to register using their real names. While ostensibly this should help to improve the reliability of the platforms and give us confidence that we are actually talking to who we think we are, new research from the Eindhoven University of Technology highlights how big the business still is in the trade of fake online profiles.

The researchers describe an online marketplace where hundreds of thousands of extremely detailed and realistic online profiles are traded every day. These accounts use sophisticated “fingerprints” to allow criminals to bypass any authentication systems that platforms have to control access. 

Trading humans

Of course, not all of these accounts are fake, and many are simply accounts that have been compromised, thus providing hackers not only with access to potential sock puppet accounts but also extremely valuable information, such as the person’s credit card details.

The scale of the problem is enormous, with recent estimates suggesting nearly 2 billion stolen identities are traded on the dark web each year.

This booming business has prompted online platforms, from banks to e-commerce sites, to up their game in terms of user authentication and security. The most common method is two-step authentication, but the internet giants are increasingly using risk-based authentication (RBA) to bolster their security further.

RBA uses digital fingerprints to determine someone’s identity. These fingerprints include a range of measures, including the browser and operating system used by the account, together with more complex measures, including keystroke speed, mouse movements, and location.

If the behavior of the user matches the historic behavior of the account during a new log-in, then their username and password are generally sufficient to access the service. If it isn’t the case, then a further level of authentication is triggered.

Retaining value

The research found that even this seemingly sophisticated authentication is insufficient to stop cybercriminals from cracking it. Indeed, the marketplace analyzed by the researchers had over 260,000 such fingerprints on them, along with the email addresses and passwords associated with those accounts.

The authors highlight how these marketplaces not only have huge scale, in terms of the number of profiles available, but they also work to continuously update these profiles so that they retain their value over time.

The trade undertaken on the platform is also highly sophisticated, with attackers using detailed searches to find precisely the right person to target in their spear phishing campaigns. Indeed, there was also software available that would allow criminals to automatically load any profiles they had purchased in the specific websites they were targeting.

Risky business

The researchers also underlined the fundamental difficulties associated with making their findings. Obviously, the criminals behind these marketplaces don’t wish their work to be given such public exposure, and access to the platform is strictly on an invite-only basis, with existing users referring all newcomers directly.

The operators of the platform also regularly monitor activity to try and detect potentially malicious activity, which made harvesting data extremely difficult. They were also concerned about potential reprisal attacks from the criminal gangs behind the site, hence why they kept its identity anonymous in their paper.

The value of each profile on the platform varies, with identities ranging from just $1 up to $100, with the most valuable profiles being those linked to cryptocurrency accounts.

Similarly, accounts that are associated with a range of services are also valuable, as are those with actual fingerprints rather than those generated by the platform.

The researchers describe how criminals have been using the accounts to perform a range of attacks. For instance, one attack they discovered saw the criminal establish specific filters in the email account of their victim, with this allowing them to buy things on Amazon without the victim ever seeing the confirmation emails from the e-commerce giant.

It seems that as the web has evolved, not only do legitimate and criminal actors alike know all too well that you’re a dog, but also what breed, color, age, and browser you use too. With the value of our identities rising, the challenges involved in securing them grow ever greater.

Share15TweetShareShare
Next Post
Best website builders for artists

Best website builders for artists

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

I agree to the Terms & Conditions and Privacy Policy.

Editor's choice

COMb data leak - Mother of all breaches
News

COMB: largest breach of all time leaked online with 3.2 billion records

by Bernard Meyer
12 February 2021
37

It's being called the biggest breach of all time and the mother of all breaches: COMB, or the Compilation of...

Read more
14 million Amazon and eBay accounts sold online in new leak

14 million alleged Amazon and eBay account details sold online

17 February 2021
The hype around quantum computing: it’s not too early to get in

The hype around quantum computing: it’s not too early to get in

15 February 2021
Facebook phishing campaign that tricked nearly 450,000 users in Germany is now spreading in the UK

Facebook phishing campaign that tricked nearly 450,000 users in Germany is now spreading in the UK

15 February 2021
Cyberpunk 2077 maker CD Projekt Red has GWENT source code leaked after ransomware attack

Cyberpunk 2077 maker CD Projekt Red has GWENT source code leaked after ransomware attack

10 February 2021
  • Categories
    • News
    • Editorial
    • Security
    • Privacy
  • Reviews
    • Antivirus Software
    • Password Managers
    • Best VPN Services
    • Secure Email Providers
    • Website Builders
  • Tools
    • Password generator
    • Personal data leak checker
  • Engage
    • About Us
    • Send Us a Tip
    • Careers
  • Twitter
  • Facebook
  • YouTube
  • Linkedin
  • Flipboard
  • Newsletter
  • About Us
  • Contact
  • Send Us a Tip
  • Privacy Policy
  • Terms & Conditions
  • Vulnerability Disclosure

© 2021 CyberNews - Latest tech news, product reviews, and analyses.

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.

Home

News

Editorial

Security

Privacy

Resources

  • About Us
  • Contact
  • Careers
  • Send Us a Tip

© 2020 CyberNews – Latest tech news, product reviews, and analyses.

Subscribe for Security Tips and CyberNews Updates
Email address is required. Provided email address is not valid. You have been successfully subscribed to our newsletter!