SCREENSHOT COURTESY OF DARKNETLIVE.COM
close enough to that of a previously
authenticated template that digitally
describes legitimate users.
This authenticated template is
known in the payments industry as
the user’s “digital mask.” Such masks
have two major components: a device
fingerprint (which includes device
fingerprinting factors like your commonly used IP addresses, firmware
version, installed plugins, time zone,
screen resolution, preferred window
sizes, GPU type, OS version, and browser cookies), and a behavioral profile
based on factors such as how ‘clicky’
you are when using a mouse or touch-screen online, the amount of time you
typically spend at an e-store, your usual
items of interest, the amount you usually spend, and whether you tend to
buy digital or actual goods.
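To make the "close enough to the template" test concrete, here is an added Python sketch; it is not from the article or from any vendor's product. The factor names follow the article, while the scoring method, thresholds, and every sample value are constructed assumptions.

```python
from dataclasses import dataclass

# Device-fingerprint factors named in the article (key names are assumptions).
DEVICE_KEYS = ("ip_prefix", "firmware", "plugins", "time_zone",
               "screen", "gpu", "os_version", "cookie_id")

@dataclass
class Mask:
    device: dict    # stored device fingerprint
    behavior: dict  # factor -> (mean, std) learned from past sessions

def device_score(mask, device):
    """Fraction of fingerprint factors that match the stored mask."""
    return sum(device.get(k) == mask.device.get(k) for k in DEVICE_KEYS) / len(DEVICE_KEYS)

def behavior_score(mask, behavior):
    """Largest absolute z-score over behavioral factors (lower = more typical)."""
    return max(abs(behavior[n] - mean) / std for n, (mean, std) in mask.behavior.items())

def is_close_enough(mask, device, behavior, min_device=0.75, max_z=3.0):
    """Accept the session if both components resemble the mask (assumed thresholds)."""
    return (device_score(mask, device) >= min_device
            and behavior_score(mask, behavior) <= max_z)

# Constructed sample data: one stored mask and three sessions.
MASK = Mask(
    device={"ip_prefix": "203.0.113", "firmware": "1.4.2", "plugins": "pdf,video",
            "time_zone": "Europe/London", "screen": "1920x1080", "gpu": "vendor-A",
            "os_version": "10.0", "cookie_id": "cookie-constructed-01"},
    behavior={"clicks_per_min": (30.0, 5.0), "minutes_in_store": (12.0, 4.0),
              "spend_usd": (60.0, 20.0)},
)
# Legitimate user on a new network: one device factor differs, behavior is typical.
LEGIT_DEVICE = dict(MASK.device, ip_prefix="198.51.100")
LEGIT_BEHAVIOR = {"clicks_per_min": 34.0, "minutes_in_store": 9.0, "spend_usd": 75.0}
# Stolen card used from an unrelated device with unrelated habits.
STRANGER_DEVICE = dict(MASK.device, ip_prefix="192.0.2", firmware="9.9", plugins="none",
                       screen="1366x768", gpu="vendor-B", cookie_id="cookie-constructed-02")
STRANGER_BEHAVIOR = {"clicks_per_min": 70.0, "minutes_in_store": 1.0, "spend_usd": 400.0}
# A copied mask replayed verbatim: the case the article calls a doppelgänger.
REPLAY_DEVICE = dict(MASK.device)
REPLAY_BEHAVIOR = {name: mean for name, (mean, _std) in MASK.behavior.items()}

if __name__ == "__main__":
    for label, dev, beh in (("legit", LEGIT_DEVICE, LEGIT_BEHAVIOR),
                            ("stranger", STRANGER_DEVICE, STRANGER_BEHAVIOR),
                            ("replay", REPLAY_DEVICE, REPLAY_BEHAVIOR)):
        print(label, device_score(MASK, dev), round(behavior_score(MASK, beh), 2),
              is_close_enough(MASK, dev, beh))
```

The replayed copy scores at least as well as the legitimate user, which is why a similarity-to-template check on its own cannot tell the two apart.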
However, here’s the thing: hackers
can penetrate payment systems and
steal copies of those masks. Alternatively, and more likely, they can use
malware planted on poorly defended
computers and smartphones to transmit device and behavioral data to them
Comprising highly detailed fake
user profiles known as digital doppelgängers, these entities convincingly
mimic numerous facets of our digital device IDs, alongside many of our
tell-tale online behaviors when conducting transactions and e-shopping.
The result: credit card fraudsters can
use these doppelgängers to attempt
to evade the machine-learning-based
anomaly-detecting antifraud measures
upon which banks and payments service providers have come to rely.
It is proving to be big criminal business: many tens of thousands of doppelgängers are now being sold on the dark
Web. With corporate data breaches fueling further construction of what market
analyst Juniper Research calls “synthetic identities,” Juniper estimates online
payment fraud losses will jump to $48
billion by 2023, more than double the
$22 billion lost in 2018.
The existence of a doppelgänger
dark market was first discovered in February 2019 by security researcher Sergey
Lozhkin and his colleagues at Kaspersky Lab, the Moscow-based security
software house. His team was carrying
out their regular threat analyses on several underground dark forums, “when
we discovered a private forum where
Russian cybercriminals were hosting
information about something called
the Genesis Store,” Lozhkin says.
Fraud-on-Demand
When the security researchers gained
access to it, Genesis turned out to be
an invitation-only, crime-as-a-service,
identity-theft e-shop containing sophisticated doppelgänger datasets
mimicking 60,000 people, including,
in many cases, their stolen logins and
passwords for online shops and payment service providers. Each identity
was for sale, at prices varying from $5
to $200 (depending on the amount of
useful credit-card-hacking data each
contained). Once launched in a browser, each doppelgänger could then be
used for fraud.
What is actually going on here, it
turns out, is the turning of one of the
major pillars of latter-day antifraud
technology against itself. To detect
fraudulent transactions in real time,
credit card companies, banks, and
payment processors use commercial
machine learning (ML) anomaly-detection software, which determines
whether the dataset covering the devices and behaviors of the user attempting to make a transaction is
Dark Web’s Doppelgängers
Aim to Dupe Antifraud Systems
Digital doppelgängers that fool online payment fraud
detection systems are a threat to your bank balance.
Technology | DOI: 10.1145/3374878 Paul Marks
The home page of Genesis Market, a referral market focused on scam prevention for both
vendors and buyers. As the site says, “Our mission is to create a market where scams are
not be tolerated from neither vendors nor buyers. Period.”