Today the Dutch police, together with the FBI and Europol, took down a large criminal trading platform. Furthermore, hundreds of users of this platform have been arrested worldwide. The platform, called the Genesis Market, was used to sell stolen user information.
In this post we will describe how this platform operated, what you can do to check if your data was also offered for sale, and what role Computest played in this investigation.
What is the Genesis Market?
The Genesis Market is a trading platform run by criminals for criminals. The FBI discovered that criminals use this platform to buy so-called 'online fingerprints'. A buyer can use these fingerprints to access the online accounts (such as PayPal, webshops, investment accounts, crypto exchanges, etc.) of their victims. The platform was accessible only by invitation, meaning that new users could not join unless they had been invited by an existing member.
Over the years, more than 1.6 million 'bots' (how the Genesis Market refers to online fingerprints) were offered for sale, which is assumed to have affected over 2 million victims all over the world. The data was stolen from computers infected with malware which was distributed through multiple methods. For example, one of these methods was distributing infected copies of illegally downloaded software. Another method was by using Google Ads to redirect users searching for specific legitimate software to malicious websites hosting infected versions of the software they were looking for.
The price per bot was determined by the data that was compromised. For example, bots with compromised credit card details or with an account on a crypto exchange would be much more expensive than one with only an account on a webshop. Prices ranged from a few dollars to a couple hundred dollars per bot.
What exactly was being traded?
The Genesis Market traded in so-called 'online fingerprints'. In short, the buyers would gain access to the data stored in your browser. This includes the saved usernames and passwords, which could be used by the buyers to log into the websites as if they were the victims. They also stole the cookies stored in the browser. This meant that the buyers would get access to all active sessions as well. For example, if you were still logged in on your (work) email account, then the attackers would not need to log in at all.
Buyers also got the unique online fingerprint of the system. Many sites try to determine if a login attempt comes from a trusted system, for example from a browser that has been seen before. If the system is trusted, then certain extra verification steps are sometimes skipped. For example, the service might not ask you to enter a multi-factor authentication code. By being able to copy the exact fingerprint of the system, the buyer can avoid these extra verification steps and avoid detection.
Who buys this data?
Account details and online fingerprints are mainly popular with criminals who use them for fraud, for example by ordering products at webshops or stealing crypto wallets. The data could possibly also be used to gain access to company networks, for example for spreading ransomware.
Check if your data was being traded
The Dutch police have set up a special website where you can check if your data was offered on the Genesis Market. Go to https://politie.nl/checkyourhack and enter your email address. You can immediately see if you have been hacked.
Are your details included? Oh no! But, with these tips you can make it as hard as possible for the criminals to use your data:
- Log out on all important services where you were logged in, like your (work) email. This ensures that the stolen cookies are no longer valid.
- Reinstall your computer. Sadly, this is necessary to ensure that the malware is removed from your system completely. It is important to perform this step before continuing with the next steps.
- Finished reinstalling your computer? Great, the malware can no longer look over your shoulder. Now you can change your passwords everywhere. Use a strong and unique password for each website. If you can't remember that many good passwords, you can use a password manager (for example 1Password, Bitwarden or iCloud Keychain).
- Remain alert the following weeks for suspicious behavior on online accounts, for example on your bank accounts, crypto exchanges, etc.
- Take a deep breath, you have locked the criminals out of your important data!
- Read the tips below to ensure that this doesn't happen again.
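The first tip above works because a session lives on the server, not in your browser: the cookie is only a lookup key, so a stolen copy keeps working until the server forgets the session, and deleting cookies on your own machine changes nothing server-side. The following example is added here to illustrate that point together with the fingerprint-based step-up logic described earlier in the post; it is not code from Computest or from the investigation. The class and function names (SessionStore, login, logout_all, mfa_required) and all sample values (the victim address, the fingerprint strings, the timestamps) are assumptions constructed for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Added illustration, not code from Computest or from the Genesis Market
# investigation. Class and function names and all sample values are
# assumptions made for this example.


@dataclass
class Session:
    user: str
    created: float        # seconds; passed in explicitly so the example is deterministic
    fingerprint: str      # browser fingerprint observed at login


class SessionStore:
    """Server-side session state. The cookie is only a random lookup key;
    everything that matters lives here, so revoking here beats any stolen copy."""

    def __init__(self, ttl_seconds: float = 3600.0) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}       # cookie value -> session
        self._trusted: Dict[str, Set[str]] = {}       # user -> fingerprints seen before

    def login(self, user: str, fingerprint: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, fingerprint)
        self._trusted.setdefault(user, set()).add(fingerprint)
        return token

    def mfa_required(self, user: str, fingerprint: str) -> bool:
        """Step-up policy of the kind described in the post: skip the MFA prompt
        when the browser fingerprint was seen on an earlier login. A copied
        fingerprint passes this check exactly like the real device does."""
        return fingerprint not in self._trusted.get(user, set())

    def resolve(self, token: str, now: float) -> Optional[str]:
        """Map a presented cookie to a user, or None if unknown, revoked or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > self.ttl:
            del self._sessions[token]
            return None
        return s.user

    def logout_all(self, user: str) -> int:
        """Revoke every session of the user, wherever the cookie currently lives."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def demo() -> dict:
    store = SessionStore()
    user, fp = "victim@example.com", "fp-victim-laptop"    # constructed values
    t0 = 1_000_000.0

    cookie = store.login(user, fp, t0)
    stolen_cookie = cookie            # infostealer copies the browser's cookie jar
    stolen_fp = fp                    # ... and the fingerprint alongside it

    result = {}
    # 1. The stolen cookie works as long as the session exists server-side.
    result["replayed_session"] = store.resolve(stolen_cookie, t0 + 600)
    # 2. The victim clearing cookies locally only forgets their own copy;
    #    the server still knows the session, so the stolen copy keeps working.
    cookie = None
    result["after_local_clear"] = store.resolve(stolen_cookie, t0 + 601)
    # 3. A fresh login with the copied fingerprint looks like the trusted device,
    #    while an unknown fingerprint would still trigger the MFA prompt.
    result["mfa_with_copied_fp"] = store.mfa_required(user, stolen_fp)
    result["mfa_with_other_fp"] = store.mfa_required(user, "fp-unknown-device")
    # 4. "Log out everywhere" deletes the server-side state; the copy is now dead.
    result["revoked"] = store.logout_all(user)
    result["after_logout"] = store.resolve(stolen_cookie, t0 + 602)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script walks through the four steps in order: the replayed cookie resolves to the victim, clearing cookies locally changes nothing, the copied fingerprint skips the MFA prompt, and only the server-side logout makes the stolen cookie useless. That last step is why the post tells you to log out of important services before anything else, and why a password change alone is not enough if the service does not also revoke existing sessions.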
Prevent getting hacked
Your data was not offered for sale? Great! With these tips you make sure that the odds of this happening in the future are as small as possible:
- Install (security) updates for your system as quickly as possible.
- Use antivirus software to prevent malware from infecting your system.
- Most infections happened due to installing (illegally) downloaded software. Only use legally downloaded software and make sure you only download it directly from the vendor.
- Use a strong and unique password for each website. If you can't remember that many good passwords, you can use a password manager (for example 1Password, Bitwarden or iCloud Keychain).
- Enable multi-factor authentication (sometimes called two-factor authentication or 2FA) wherever possible.
What did the police do?
On the 4th of April, police services worldwide arrested hundreds of users of this platform. These users are suspected of buying and abusing the data stolen from the victims. In addition, the domain of the platform has been taken over to hinder the use of this platform in the future.
In addition, the police are attempting to contact the victims to allow them to take the proper measures to protect their data. For this, go to https://politie.nl/checkyourhack.
How did Computest contribute?
The Dutch industry organization Cyberveilig Nederland and the police started an initiative to improve cooperation between public and private parties. We gladly contribute to this. Besides us, Trellix also offered their services. During this investigation our security researchers were asked to offer their technical expertise. We've investigated the technical functionality of the malware and the tooling used by the buyers. The goal was to see how to best help the victims and to improve identification of the buyers.