Root Causes 295: Genesis Criminal Marketplace Taken Down
A large, public criminal marketplace for stolen logins and other information was rolled up by law enforcement across seventeen countries. Genesis Marketplace offered not only traditional login credentials but also associated data needed to defeat MFA.
- Original Broadcast Date: April 17, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We are looking at a story and this broke on April 5, 2023 and I’m just gonna read the headline which I’m getting from BBC News – Genesis Market: Popular cybercrime website shut down by Police. So, this in a lot of ways sounds like Silk Road and some of these other websites, dark web if you will, we’ve seen stories about being shut down in the past and we’ve covered some of these in the past but I think there’s some things that are if not unique a little unusual about this one.
-
Jason Soroko
There definitely are a few things. Just to talk about some of the details that are on the story that broke in the BBC, 24 people arrested, 2 in England that, they know where they were. It seems to be a big operation and one of the things that was interesting is Silk Road was almost like one of the early definitive dark web sites that you would go to for buying credentials. Basically, the bad guy economy.
And this site was pretty brazen. Apparently, it started around 2017 and wasn’t even completely hidden behind the dark web. It was basically publicly exposed. You could just go there and purchase things. One of the things I found interesting is apparently one of the big Electronic Arts hacks that happened recently was based on a credential that was purchased through this site for $10.00. So, amazing.
-
Tim Callan
I’m just gonna read a little from the paragraph:
Law enforcement agencies from 17 countries were involved in the raids which began on Tuesday. The operation was led by the FBI in the U.S. and the Dutch National Police working alongside the NCA in the UK, the Australian Federal Police, and countries across Europe. Globally 200 searches were carried out and 120 people were arrested.
So, it’s big and it’s broad and it’s all over the place. But, like, big and broad is interesting in and of itself. The other thing though that I think you and I both found interesting was this was more than just traditional login credentials that you could purchase. It was more than username and password.
-
Jason Soroko
We’ve talked before, Tim, in this podcast about digital fingerprints which are basically a combination of everything from your common web browser header information, which is something you don’t even typically see when you are logging into a website. These are things that are logged at the web server level and various other pieces of information that can either narrow down to you or uniquely identify you, which is why we would call it a digital fingerprint. They had this information on a lot of their potential victims as well that could be purchased. So, imagine the combination, Tim, of credentials – stolen credentials – as well as a digital fingerprint to point it to you directly so that as you are floating around the web doing things you can be uniquely identified and some of that information, Tim, is going to help the bad guy who is purchasing from this site to also do things such as bypass or not be too worried about multifactor authentication.
-
Tim Callan
Defeat MFA. So, not only am I gonna get your login credentials, your username and password, but I’m also gonna give you the information you need to beat the MFA.
-
Jason Soroko
So, Tim, this is when we are talking about not all MFA are created equal and when we are talking about things such as multifactor identification showing its age, I think a lot of people might look at that on the surface and go, I know who you work for. You are maybe shielding a stronger authentication form factor but this stuff is still good enough and then, of course, that typically is combined with a lot of Twitter rage, security professionals talking about well, it’s better than nothing. Well, nobody is arguing that.
But I think the reason we are pointing this out, Tim, is that there is an underground economy that you might not be aware of. This story really breaks down what’s out there because the details get written nicely and there it is. It’s that the bad guys have ways of not just stealing credentials and then selling them en masse, not just uniquely identifying you but also, they know. They know that a lot of you are using weaker forms of MFA and, as part of the package of what’s available to defeat your defenses, those things are also out there as part of the underground economy. That should make you think that as a security architect when you are choosing forms of authentication, you gotta put stronger locks on the door because literally the bad guys now have commoditized ways to bypass MFA, Tim.
-
Tim Callan
I think that’s a good point and just to sort of paraphrase that slightly, in the past, I think there has been an implication in our discussion that the techniques to defeat MFA sometimes were advanced techniques. So, if you have a very high value target and you are expecting to be attacked by very high capability attackers then you need to worry about your MFA being defeated, but just a regular mass script kiddie style attack probably wasn’t going to go that far. But if you can purchase those kinds of details en masse and build that into your mass attack then one other thing that does is that greatly lowers the bar on the kind of target that could still be attacked even if some kind of two-factor authentication is in place. Would you agree with that assessment, Jay?
-
Jason Soroko
Absolutely, Tim. It is an evolution. I’ve said this for many years. So have you, Tim. The bad guys, their technology pipeline was always way ahead of what people think and what’s amazing is just how still the bulk of attacks are fairly unsophisticated in the sense that a bad guy doesn’t have to do all this harvesting work. The bad guy can go off and procure exactly what they need to do either targeted attacks or mass attacks and it’s really just a few clicks away and a few dollars away within the underground economy.
-
Tim Callan
And capabilities keep trickling down, right? Like in the ‘90s if you were doing phishing attacks, you were writing all the code from scratch. Nowadays you can do phishing attacks by buying a kit. So, the more this happens, the more technology trickles down and it becomes available to a much larger number of less sophisticated attackers, less educated and computer savvy attackers and for lower amounts of money.
-
Jason Soroko
I remember back in the day when the Zeus malware, which was a type of malware that was used against banking sites typically, the Windows memory hooking technique which was not terribly well-known to a lot of people, when the source code for the Zeus malware became available, a lot of people looked at the C code and were like, oh, ah-ha. There was the ah-ha moment of there’s no computer being broken. Nobody is hacking anything. This is just doing what Windows was allowing you to do just by using some clever code and there wasn’t anything particularly special about it. The Zeus source code enabled that. That was a huge moment where there was a gigantic democratization of this diagonal thinking that was necessary for people to be able to do these attacks and people didn’t even have to invent it. There was the source code. Just re-use it. Therefore, it became funny to talk about the Zeus variants because they were all just using the same memory hooking technique. That’s in the weeds, Tim. That’s many years ago. We are now at the point where the most basic things that are necessary for anybody to become an attacker are just available. It’s great to hear about this website being taken down. I’m sure that that’ll disrupt the underground economy to some degree but look what it took to get there. This global police presence, an investigation. Imagine the amount of work that had to be done but there’s still tons of these types of things out there and it’s gonna take years for them - -
-
Tim Callan
This is just one.
-
Jason Soroko
It’s just one of many.
-
Tim Callan
But still, you gotta make the progress you can make and if you think about the number of, you know, again, this article says that I believe the number was thousands, possibly tens of thousands, of criminals were believed to have acted on information available from this site. So, if you think about that, expand that across a lot of attacks and there’s a whole lot of harm being done. 80 million sets of credentials and digital fingerprints up for sale. Knocking that out, I know it doesn’t solve the problem whatsoever, but you gotta imagine that that’s a meaningful step on the side of law and order.
-
Jason Soroko
It absolutely is and that’s great. Of course, if you are involved in this underground economy, this is big news because maybe you’re next.
I would say though I’m not here, you’re not here, Tim, to make a lot of comment about people in the underground economy. We know it’s always going to exist. There’s always going to be black markets for these kinds of things. What I would say to everybody else, everybody on the defense side of things, is it really highlights again what is this Genesis site selling? The core of what they are selling is ways to bypass authentication. In other words, credentials. Ways to bypass MFA, which is passwords plus another form factor. Therefore, for all of you, the big lesson here is not all multifactor authentication is created equal. It’s always been time to think about stronger locks on the doors because the bad guys have completely commoditized picking the locks of the weaker locks. It’s just the truth.
-
Tim Callan
I agree. Excellent. So, anyway, the article if you want to look it up for yourself - Genesis Market: Popular cybercrime website shut down by Police. It’s on BBC News. I’m sure you can find this in other places and thank you very much, Jay.