Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

// // //
4/29/2021
01:00 PM
Sam Crowther
Sam Crowther
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

Your Digital Identity's Evil Shadow

In the wrong hands, these shady shadows are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents.

When digital identity is mentioned, most people think about attributes related to a person, such as login credentials, Social Security numbers, and biometrics. While these are critical aspects of identity theft and online fraud, there's another element that's not as widely recognized. I call it your digital identity's evil shadow. It follows you around wherever you go. It looks like you. It acts like you. Yet its attributes can't be directly traced back to you. This shadow is shady, as it is harvested and used without your knowledge to conduct automated attacks against online businesses.

Looks Like You
Recently, it has been reported that proxy service companies are offering compensation to developers to insert code into a browser extension so that it can route Web traffic on behalf of an unsuspecting user. It essentially acts as a residential proxy where people can remain anonymous — at the expense of others. As a result, the traffic appears as though it is coming from the victim's Internet address and not the actual user.

Related Content:

How the Biden Administration Can Make Digital Identity a Reality

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Other proxy services such as Luminati (now Bright Data) and MonkeySocks also offer residential and commercial proxy services and have similar backdoor ways of harvesting information, such as by inserting their code into virtual private network (VPN) software. Some residential proxy networks even let you purchase IPs for specific countries or historical website visitors to help them blend in with normal traffic.

To be fair, these services do offer legitimate purposes for enterprise companies, such as website testing and fraud protection. But when in the wrong hands, they are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents. There's a high likelihood that your digital identity's evil shadow is unknowingly being harvested and made available for purchase — along with hundreds of millions of others — for both good and nefarious purposes.

Acts Like You
To fly beneath the radar of modern security defenses, it's not enough just to look like you; your shadow must also act like you.

Combined with a residential proxy service, open source and free scripting tools, such as Puppeteer and Playwright, are applied to mimic human behavior. These types of tools are loved by developers because they provide a way to automate test scripts to do quality assurance (QA) for Web applications. But they are also loved by bot operators because they provide a means to emulate human behavior while leveraging the benefits of automation at scale.

In fact, it is now easy to record testing scripts with a simple Chrome plugin, where the tool records the user's activity and thereby eliminates the need for code to generate scripts. Meanwhile, the open source community has developed its own plugins that provide stealth evasion techniques, including automated and manual CAPTCHA solving, so the benefits of using familiar headless browser automation tools can be applied at scale while acting as human as possible.

Ease of Access
It's easy to gain access to residential proxy networks (and turnkey bot tools that leverage them) from hundreds of options to choose from online. I downloaded one of the free bots, and in just two minutes of running it, I observed:

  • Geographically distributed IP addresses: I found 150 different IP addresses — only one of which issued more than one request. It would take several hours before any IP address was reused.

  • Legitimate-looking user agents: In the next few minutes, roughly 518 unique user agents were generated and used. Most of these agents presented themselves as legitimate, modern devices able to mask their true identity by appearing normal.

The rotation of user agents and proxies creates a nearly unrecognizable, invisible effect to prevent detection.

What You Can Do
Applying security controls that can accurately detect requests that look and act like you can seem like an impossible challenge because you must determine whether it is the human (good) or its evil shadow (bad). Looking at attributes such as IP address, user agents, validated CAPTCHAs, and even machine learning algorithms tuned to identify suspicious behavior yields inconsistent detection and false positives. After all, the last thing you want to do is block your legitimate users.

There are two approaches to ridding yourself of the impact of digital shadows. The first is to better control the availability of such tools and, in some cases, challenge their legality. This seems highly unlikely to work because history has taught us that when there is profit to be made, such tools and services will continue to prevail. They also serve legitimate purposes because developers will always need to test their applications in as realistic an environment as possible.

The second is a fundamentally different approach to detection. In contrast to traditional security controls, new methods don't make decisions based on how a request looks and acts. Instead, they detect the presence of automation. For example, if you can determine how a request presents itself in the context of a legitimate browser or mobile app, you can identify evidence to determine whether it is a human or not.

This is very much analogous to what happened with endpoint security, whereby rules and signatures became ineffective and new ruleless methods were developed to identify vulnerabilities and malware. This paradigm shift is necessary for Web and mobile application security to sustain its effectiveness against modern, evolving automated threats.

Sam Crowther is the founder of Kasada. Sam's passion for the security industry began as a high school student when he worked with the team at Australia's Signals Intelligence Agency. From there, he moved to a red team role at Macquarie Group, an experience that inspired him ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-1838
PUBLISHED: 2022-05-24
A vulnerability classified as critical has been found in Home Clean Services Management System 1.0. This affects an unknown part of admin/login.php. The manipulation of the argument username with the input admin%'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(5)))JPeh)/**/AND/**/'frfq%'='frfq l...
CVE-2022-1839
PUBLISHED: 2022-05-24
A vulnerability classified as critical was found in Home Clean Services Management System 1.0. This vulnerability affects the file login.php. The manipulation of the argument email with the input admin%'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(2)))JPeh)/**/AND/**/'frfq%'='frfq leads to sq...
CVE-2022-1840
PUBLISHED: 2022-05-24
A vulnerability, which was classified as problematic, has been found in Home Clean Services Management System 1.0. This issue affects register.php?link=registerand. The manipulation with the input <script>alert(1)</script> leads to cross site scripting. The attack may be initiated remote...
CVE-2022-26531
PUBLISHED: 2022-05-24
Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG serie...
CVE-2022-26532
PUBLISHED: 2022-05-24
A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmwar...