Genesis Market: A Hacker’s Haven of Stolen Credentials
By Netacea / 20th Apr 2021
Netacea’s Threat Research team works diligently to keep a close eye on emerging bot threats, ensuring we stay one step ahead of cybercriminals and hackers. The team recently completed an exclusive investigation into the Genesis Market, an illegal online marketplace for stolen credentials.
While many underground markets for stolen credentials operate from the anonymity of the dark web, Genesis Market is accessible from the open web. Access to the illegal marketplace is closely guarded by a strict invitation system, but once inside, users are presented with a well-organized one-stop-shop of stolen personal data.
This data takes the form of device fingerprints, which allow users to essentially wear the “mask” of their victim online, gaining access to all their online accounts whilst bypassing traditional anti-fraud and cybersecurity defenses.
How is the data stolen?
Cybercriminals target victims with malware and account takeover (ATO) bots to infiltrate their devices and harvest login credentials, as well as cookies, form autofill data and device fingerprints. These are then put up for sale on Genesis Market as packaged “bots” which are used to impersonate victims online.
The asking price per bot can range from as little as 70c up to around $350 depending on the amount and nature of the data. The most expensive will contain financial details to allow access to online banking accounts.
Upon purchase, consumers are provided with a custom browser to load the data into and are free to browse the internet masquerading as the hapless victim, use saved logins to access their accounts and – where login cookies exist – continue a victim’s session. All without any access to the original device.
The scale of the Genesis Market
When the Genesis Market first came to the attention of cybersecurity researchers in April 2019, there were 100,000 stolen credentials available for purchase. As of April 2021, that number has risen dramatically by 250% to over 350,000 ready-to-use bots available to buyers. Over 18,000 new stolen identities are added each month.
Professionalization of the Genesis Market
The rapid growth of the marketplace has been facilitated by the professionalization of its operation. Given the number of bots for sale, millions of dollars are being exchanged via Genesis for stolen logins and device fingerprints.
At a glance, the Genesis Market could be confused with a legitimate eCommerce or software services website. It has an easy-to-use UI, terms and conditions, an FAQ, and even a multilingual support desk for customer queries.
The bots for sale are easy for anyone to use, as each purchase comes with Genesium, a customized Chromium-based antidetect browser that masks the user online as the victim whose credentials they have bought.
What does this mean for cybersecurity?
The popularity of Genesis Market and similar stolen credentials marketplaces is evidence that existing defenses against fraudulent activity are being circumvented.
Many anti-fraud defenses now rely on matching device fingerprints to credentials in order to verify a legitimate user’s identity. By infecting legitimate devices and stealing their fingerprints, Genesis Market bots can pass right through such protections.
This means that more sophisticated, AI-driven defenses are becoming more and more crucial in the face of this growing threat.
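The gap described above can be shown with a small detection sketch. This is an added example, not Netacea's method or code: the event fields, the one-hour window, and the choice of network origin (ASN and country) as the extra signal are assumptions, and the log lines are constructed.

```python
# Constructed sample events (not real data); ts is seconds from the start of the log.
# ASNs are taken from the range reserved for documentation.
EVENTS = [
    {"ts": 0,     "user": "alice", "session": "s1", "fp": "fp-A", "asn": 64500, "country": "GB"},
    {"ts": 300,   "user": "alice", "session": "s1", "fp": "fp-A", "asn": 64500, "country": "GB"},
    {"ts": 420,   "user": "alice", "session": "s1", "fp": "fp-A", "asn": 64511, "country": "RO"},
    {"ts": 480,   "user": "alice", "session": "s1", "fp": "fp-A", "asn": 64500, "country": "GB"},
    {"ts": 100,   "user": "bob",   "session": "s2", "fp": "fp-B", "asn": 64501, "country": "US"},
    {"ts": 90000, "user": "bob",   "session": "s2", "fp": "fp-B", "asn": 64502, "country": "US"},
]

KNOWN_FP = {"alice": "fp-A", "bob": "fp-B"}  # enrolled fingerprints (constructed)
WINDOW = 3600  # assumed threshold: a network change within one hour is suspicious


def fingerprint_only_check(event):
    """The control described in the article: the fingerprint matches the account."""
    return KNOWN_FP.get(event["user"]) == event["fp"]


def flag_replayed_sessions(events, window=WINDOW):
    """Flag events where a session with a matching fingerprint appears from a
    different network than it was last seen on, within `window` seconds."""
    last_seen = {}  # session id -> (ts, asn, country) of the previous event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not fingerprint_only_check(ev):
            alerts.append((ev["session"], ev["ts"], "fingerprint_mismatch"))
            continue
        prev = last_seen.get(ev["session"])
        if prev and ev["ts"] - prev[0] <= window:
            if ev["country"] != prev[2]:
                alerts.append((ev["session"], ev["ts"], "country_change"))
            elif ev["asn"] != prev[1]:
                alerts.append((ev["session"], ev["ts"], "asn_change"))
        last_seen[ev["session"]] = (ev["ts"], ev["asn"], ev["country"])
    return alerts


if __name__ == "__main__":
    print("fingerprint-only verdicts:", [fingerprint_only_check(e) for e in EVENTS])
    for alert in flag_replayed_sessions(EVENTS):
        print("ALERT", alert)
```

Every constructed event passes the fingerprint-only check, including the replayed one. The second alert for session s1 is the victim's own request arriving after the replayed one, so the session is seen flapping between two networks.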
No honor amongst cybercriminals
Interestingly, the growing popularity of underground marketplaces has made them a target for hacks and leaks of their own. Proving there is no honor amongst cybercriminals, there have been several large data breaches of illegal marketplaces in recent months.
The most recent attack, on Swarmshop, resulted in a data dump of 623,036 stolen payment card records from around the world, plus 12,344 records of the illegal site’s admins, sellers and buyers containing the thieves’ contact information, nicknames and activity history. This was thought to be a revenge attack by rival cybercriminals.
This was not an isolated incident, as other illicit online marketplaces for ill-gotten personal information have also suffered hacks and leaks this year. Russian hacker forum Maza and the carding forums Verified, Carding Mafia, Dread and Club2Crd were targeted in February and March 2021, according to cybersecurity news site BleepingComputer.
These increasingly common attacks leave the stolen credentials of innocent victims even more exposed and available to bad actors.
Learn more about the Genesis Market
Netacea’s Threat Research team has uncovered shocking details of the growth and tactics of cybercriminals making huge profits by selling stolen credentials. To learn more about the Genesis Market, read our comprehensive report or watch the webinar with Matthew Gracey-McMinn, Netacea’s Head of Threat Research.