When digital identity is mentioned, most people think about attributes related to a person, such as login credentials, Social Security numbers, and biometrics. While these are critical aspects of identity theft and online fraud, there's another element that's not as widely recognized. I call it your digital identity's evil shadow. It follows you around wherever you go. It looks like you. It acts like you. Yet its attributes can't be directly traced back to you. This shadow is shady, as it is harvested and used without your knowledge to conduct automated attacks against online businesses.
Looks Like You
Recently, it has been reported that proxy service companies are offering compensation to developers to insert code into a browser extension so that it can route Web traffic on behalf of an unsuspecting user. It essentially acts as a residential proxy where people can remain anonymous — at the expense of others. As a result, the traffic appears as though it is coming from the victim's Internet address and not the actual user.
Other proxy services such as Luminati (now Bright Data) and MonkeySocks also offer residential and commercial proxy services and have similar backdoor ways of harvesting information, such as by inserting their code into virtual private network (VPN) software. Some residential proxy networks even let you purchase IPs for specific countries or historical website visitors to help them blend in with normal traffic.
To be fair, these services do offer legitimate purposes for enterprise companies, such as website testing and fraud protection. But when in the wrong hands, they are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents. There's a high likelihood that your digital identity's evil shadow is unknowingly being harvested and made available for purchase — along with hundreds of millions of others — for both good and nefarious purposes.
Acts Like You
To fly beneath the radar of modern security defenses, it's not enough just to look like you; your shadow must also act like you.
Combined with a residential proxy service, open source and free scripting tools, such as Puppeteer and Playwright, are applied to mimic human behavior. These types of tools are loved by developers because they provide a way to automate test scripts to do quality assurance (QA) for Web applications. But they are also loved by bot operators because they provide a means to emulate human behavior while leveraging the benefits of automation at scale.
In fact, it is now easy to record testing scripts with a simple Chrome plugin, where the tool records the user's activity and thereby eliminates the need for code to generate scripts. Meanwhile, the open source community has developed its own plugins that provide stealth evasion techniques, including automated and manual CAPTCHA solving, so the benefits of using familiar headless browser automation tools can be applied at scale while acting as human as possible.
Ease of Access
It's easy to gain access to residential proxy networks (and turnkey bot tools that leverage them) from hundreds of options to choose from online. I downloaded one of the free bots, and in just two minutes of running it, I observed:
- Geographically distributed IP addresses: I found 150 different IP addresses — only one of which issued more than one request. It would take several hours before any IP address was reused.
- Legitimate-looking user agents: In the next few minutes, roughly 518 unique user agents were generated and used. Most of these agents presented themselves as legitimate, modern devices able to mask their true identity by appearing normal.
The rotation of user agents and proxies creates a nearly unrecognizable, invisible effect to prevent detection.
What You Can Do
Applying security controls that can accurately detect requests that look and act like you can seem like an impossible challenge because you must determine whether it is the human (good) or its evil shadow (bad). Looking at attributes such as IP address, user agents, validated CAPTCHAs, and even machine learning algorithms tuned to identify suspicious behavior yields inconsistent detection and false positives. After all, the last thing you want to do is block your legitimate users.
There are two approaches to ridding yourself of the impact of digital shadows. The first is to better control the availability of such tools and, in some cases, challenge their legality. This seems highly unlikely to work because history has taught us that when there is profit to be made, such tools and services will continue to prevail. They also serve legitimate purposes because developers will always need to test their applications in as realistic an environment as possible.
The second is a fundamentally different approach to detection. In contrast to traditional security controls, new methods don't make decisions based on how a request looks and acts. Instead, they detect the presence of automation. For example, if you can determine how a request presents itself in the context of a legitimate browser or mobile app, you can identify evidence to determine whether it is a human or not.
This is very much analogous to what happened with endpoint security, whereby rules and signatures became ineffective and new ruleless methods were developed to identify vulnerabilities and malware. This paradigm shift is necessary for Web and mobile application security to sustain its effectiveness against modern, evolving automated threats.