Russian IMPaaS industrializes high-stakes cybercrime
A pair of researchers say they have uncovered a cybercrime business model for the dark Web, one that sells behavioral biometrics.
The Netherlands-based pair call it impersonation as a service, or IMPaaS. They say they have found a marketplace in Russia selling 262,000 comprehensive, stolen user profiles, some of which are so detailed that they can be used to get around risk-based authentication.
Adding “as a service” to another activity, even cybercrime, might induce eyerolls, but the criminal enterprise described by Michele Campobasso and Luca Allodi of Eindhoven University of Technology is remarkable in its potential.
Unlike common ad-hoc attacks, in which gouts of leaked or stolen logons and passwords are sold online almost like burner phones for databases, the IMPaaS concept offers a systemic approach to theft of rich profile information, including behavioral biometrics.
Stolen passwords typically are useless after as few as one nefarious use by an attacker. Behavioral and physical biometrics, however, do not expire. And the IMPaaS model allows for updating profiles through persistent malware infection. It also allows the same profile to be sold multiple times.
The marketplace, according to the researchers’ paper, charges between 70 cents and $96 per profile.
Subscribers get “a customized software bundle,” according to the researchers’ paper. The bundle includes a custom open-source browser. A browser extension retrieves the purloined profiles, behind which cybercriminals hide while in the IMPaaS environment.
A top-end meta-profile of a victim contains any or all of the person’s online platform profiles.
The usual targets (passwords, user agents, screen resolution, operating system and the like) are table stakes.
IMPaaS profiles, which the researchers confusingly refer to as fingerprints, can, indeed, contain fingerprints, but also other difficult-to-obtain information, including keystroke speed, mouse movements, and the times and locations at which the victim usually conducts some tasks.
It is all information used by financial institutions in risk-based authentication, and that is no coincidence.
Risk-based authentication algorithms sic multi-factor authentication software on suspicious profiles, and if the criminal does not have the second factor, their money has been wasted.
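The step-up decision described above, sketched as an added example that is not taken from the researchers' paper or from any vendor's product. The signal names, weights, threshold and sample values are all assumptions constructed for illustration; it shows why a login carrying only a stolen password triggers the second factor while one presenting the victim's full profile does not.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user_agent: str
    screen: str
    os: str
    country: str
    hour: int            # local hour of the login, 0-23
    keys_per_sec: float  # mean typing speed (behavioral signal)

# Assumed weights: how much each mismatching signal adds to the risk score.
WEIGHTS = {"user_agent": 2, "screen": 1, "os": 2, "country": 3,
           "hour": 1, "keys_per_sec": 2}
STEP_UP_THRESHOLD = 3  # assumed: at or above this score, demand MFA

def risk_score(enrolled: Context, login: Context) -> int:
    score = 0
    # Static device and location signals: exact match expected.
    for field in ("user_agent", "screen", "os", "country"):
        if getattr(enrolled, field) != getattr(login, field):
            score += WEIGHTS[field]
    # Time of day: circular distance, tolerate up to 3 hours of drift.
    delta = abs(enrolled.hour - login.hour)
    if min(delta, 24 - delta) > 3:
        score += WEIGHTS["hour"]
    # Typing speed: tolerate 25% deviation from the enrolled mean.
    if abs(enrolled.keys_per_sec - login.keys_per_sec) > 0.25 * enrolled.keys_per_sec:
        score += WEIGHTS["keys_per_sec"]
    return score

def decide(enrolled: Context, login: Context) -> str:
    if risk_score(enrolled, login) >= STEP_UP_THRESHOLD:
        return "step_up_mfa"
    return "allow"

# Constructed sample data (not real users or devices).
ENROLLED = Context("Firefox/115", "1920x1080", "Windows 10", "NL", 20, 5.2)
LOGINS = {
    "owner, usual device":    Context("Firefox/115", "1920x1080", "Windows 10", "NL", 21, 5.0),
    "stolen password only":   Context("Chrome/120", "1366x768", "Linux", "XX", 3, 8.0),
    "full profile presented": Context("Firefox/115", "1920x1080", "Windows 10", "NL", 20, 5.1),
}

if __name__ == "__main__":
    for label, ctx in LOGINS.items():
        print(f"{label:24} score={risk_score(ENROLLED, ctx):2} -> {decide(ENROLLED, ctx)}")
```

The third row is the defender's takeaway: a scorer that only compares a session against the enrolled profile cannot tell the owner from someone presenting a copy of that profile.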