Communications of the ACM

S C R E E N S H O T C O U R T E S Y O F D A R K N E T L I V E . C O M

close enough to that of a previously authenticated template that digitally describes legitimate users.

This authenticated template is known in the payments industry as the user’s “digital mask.” Such masks have two major components: a device fingerprint (which includes device fingerprinting factors like your commonly used IP addresses, firmware version, installed plugins, time zone, screen resolution, preferred window sizes, GPU type, OS version, and browser cookies), and a behavioral profile based on factors such as how ‘clicky’ you are when using a mouse or touch-screen online, the amount of time you typically spend at an e-store, your usual items of interest, the amount you usually spend, and whether you tend to buy digital or actual goods.

However, here’s the thing: hackers
can penetrate payment systems and
steal copies of those masks. Alterna-
tively, and more likely, they can use
malware planted on poorly defended
computers and smartphones to trans-
mit device and behavioral data to them
Comprising highly detailed fake
user profiles known as digital doppel-
gängers, these entities convincingly
mimic numerous facets of our digi-
tal device IDs, alongside many of our
tell-tale online behaviors when con-
ducting transactions and e-shopping.
The result: credit card fraudsters can
use these doppelgängers to attempt
to evade the machine-learning-based
anomaly-detecting antifraud measures
upon which banks and payments ser-
vice providers have come to rely.

It is proving to be big criminal business: many tens of thousands of doppelgängers are now being sold on the dark Web. With corporate data breaches fueling further construction of what market analyst Juniper Research calls “ synthetic identities,” Juniper estimates online payment fraud losses will jump to $48 billion by 2023, more than double the $22 billion lost in 2018.

The existence of a doppelgänger dark market was first discovered in February 2019 by security researcher Sergey Lozhkin and his colleagues at Kaspersky Lab, the Moscow-based security software house. His team was carrying out their regular threat analyses on several underground dark forums, “when we discovered a private forum where Russian cybercriminals were hosting information about something called the Genesis Store,” Lozhkin says.

Fraud-on-Demand

When the security researchers gained access to it, Genesis turned out to be an invitation-only, crime-as-a-service, identity-theft e-shop containing sophisticated doppelgänger datasets mimicking 60,000 people, including, in many cases, their stolen logins and passwords for online shops and payment service providers. Each identity was for sale, at prices varying from $5 to $200 (depending on the amount of useful credit-card-hacking data each contained.) Once launched in a browser, each doppelgänger could then be used for fraud.

What is actually going on here, it turns out, is the turning of one of the major pillars of latter-day antifraud technology against itself. To detect fraudulent transactions in real time, credit card companies, banks, and payment processors use commercial machine learning (ML) anomaly-de-tection software, which determines whether the dataset covering the devices and behaviors of the user attempting to make a transaction are

Dark Web’s Doppelgängers
Aim to Dupe Antifraud Systems

Digital doppelgängers that fool online payment fraud detection systems are a threat to your bank balance.

Technology | DOI: 10.1145/3374878 Paul Marks

The home page of Genesis Market, a referral market focused on scam prevention for both vendors and buyers. As the site says, “Our mission is to create a market where scams are not be tolerated from neither vendors nor buyers. Period.”