Blog, Events & News

Anti-Fingerprint Browsers: What You Need to Know

By Sabrina / 23rd Nov 2020

Client-side technology (such as JavaScript) can be used to create a unique “fingerprint” for a specific device/browser combination, which can be used to modify functionality or detect returning users.

Some fraud prevention tools will use fingerprinting to block transactions from browsers that have been previously identified as insecure or involved in fraudulent activity.

Cybercriminals have developed browser software that can replicate these fingerprints and therefore appear to be visiting from the devices of legitimate human users.

In this blog, we delve deeper into what these browsers are and how cyber-criminals are spoofing them.

1. What is a browser fingerprint?

A browser fingerprint is an identifier that is constructed by analysing the technical configuration of a given browser, made up of things such as the browser’s language, installed plugins and fonts, how graphics are rendered and details of the operating system (OS).

Historically, browser fingerprinting was used primarily for security and fraud prevention (particularly preventing click fraud), but with the limitations placed on tracking cookies in modern browsers, browser fingerprinting is increasingly also being used as a means of tracking users.

Uniqueness is used to identify one user from another. Each website visitor is expected to have a unique fingerprint making them identifiable from other users.

2. How are browser fingerprints used?

When users make a web request, they include within that request details of the device and web browser that they are using, known as a “User Agent”. However, this is set by the device making the request and therefore can be easily faked. Browser fingerprinting was developed as a means of being able to reliably detect the browser and type of device that the request was coming from.

The original purpose of browser fingerprinting was to prevent fraudulent activity such as click fraud. Because automated click activity wasn’t executed from consumer browser/device combinations, this was something that could be easily detected with browser fingerprinting.

Over time the specificity of browser fingerprints has increased dramatically such that a typical fingerprint will draw data from hundreds of different data points and can now be used to identify specific individual devices and in some cases, specific user accounts that the device is logged in to.

They have also been adapted for use in wider bot management technology. Originally bots were detected through proof of work (bots used automation, humans used real browsers so check if the user can execute JavaScript), as bots became more sophisticated and started using tools that can execute client-side functionality (Selenium, PhantomJS), simple proof of work was augmented by device fingerprinting to build a picture of the device that is making the request. Does it look like a device a human would use? Has it been seen making other requests in a manner that may be suspicious?

As governments and browser manufacturers are starting to clamp down on the use of cookies for tracking users, there is a trend for repurposing browser fingerprinting to be used as a tracking device for an individual user to gain the maximum value from re-targeted advertising.

Anti-fingerprint browser

3. How are browser fingerprints being spoofed?

The growth in the use of browser fingerprints has led to the creation of anti-fingerprint browsers which intercept the requests used to build the browser fingerprint and return spoofed responses.

Anti-fingerprint browsers have a legitimate use, they are used by privacy advocates as a means of preventing user tracking on the internet by returning a standard fingerprint, regardless of the user, device or browser being used.

However, these tools can also be used to return a fraudulent fingerprint that will impersonate a different browser or device. Technology is available to dynamically create fingerprints to meet the specific requirements of the user that attackers want to impersonate.

Recently, there has been a more disturbing trend, rather than creating fingerprints that look like legitimate users, fingerprints are being stolen from real user devices, usually by malware installed within user’s browsers. When imported into the right anti-fingerprinting browser, that browser can appear to be the user in question, including giving access to any systems that user was logged in to.

There is a growing market on the dark web for either dynamically created or stolen browser fingerprints to be used in targeted bot attacks and other fraudulent activity. The value of the fingerprints varies depending on the nature of the user – users with a rich cookie history who are logged in to major sites like Facebook, Google or even financial institutes can be valued at over $100 each.

4. How does Netacea detect spoofed fingerprints?

Netacea doesn’t need to detect spoofed fingerprints as it doesn’t use any browser fingerprint detection for bot management at all, this is broadly for two reasons.

Solutions that put control into the hands of attackers are routinely reverse engineered and bypasses are built around them. Browser fingerprinting is easily spoofed now, and the market is available for fingerprints to be bought and sold and therefore to be enacted by attackers with lower levels of technical expertise.

Major browser vendors such as Mozilla and Apple are concerned about the privacy implications that allowing browser fingerprinting imposes. In response they have sought to prevent users being identified using browser fingerprints, limiting access to the functionality that has traditionally been used to build fingerprints.

It would be a waste of engineering effort to start or continue to use browser fingerprints for bot detection when they can be so easily spoofed and are being removed from major browsers anyway.

Netacea’s approach to anti-fingerprint browsers

The growth of anti-fingerprint browsers causes a major problem to the detection methods of most of the bot detection market. However, Netacea detects bots by looking at what those bots are doing on your server. After all, it is at the server that you care what bots are doing, and the server is an area that is completely under your control. Netacea assumes that any checks made on the client side will always be bypassed or spoofed and therefore the growth of anti-fingerprint browsers is irrelevant to our detection methods.

Our approach evolves over time to ensure your bot defence becomes stronger, as the bots develop in sophistication.

At Netacea, we combine the output from our Intent Analytics™ engine with the insights gained working alongside our customers, to understand how the system we are protecting works (after all they understand their system better than anyone), to understand the important areas of their system such as login, search and checkout. This enables us to start mapping functionality and to get an idea of typical user behaviour, good and bad actors, partners, internal users and so on.

The Intent Analytics engine analyses millions of requests, signals and patterns to quickly and accurately identify bots from humans. Our solution gives you the actionable intelligence you need, when you need it, enabling you to respond in real-time.

To find out more about how Netacea detects and stops malicious bots, contact our team today.