Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/29/2021
01:00 PM
Sam Crowther
Sam Crowther
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Your Digital Identity's Evil Shadow

In the wrong hands, these shady shadows are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents.

When digital identity is mentioned, most people think about attributes related to a person, such as login credentials, Social Security numbers, and biometrics. While these are critical aspects of identity theft and online fraud, there's another element that's not as widely recognized. I call it your digital identity's evil shadow. It follows you around wherever you go. It looks like you. It acts like you. Yet its attributes can't be directly traced back to you. This shadow is shady, as it is harvested and used without your knowledge to conduct automated attacks against online businesses.

Looks Like You
Recently, it has been reported that proxy service companies are offering compensation to developers to insert code into a browser extension so that it can route Web traffic on behalf of an unsuspecting user. It essentially acts as a residential proxy where people can remain anonymous — at the expense of others. As a result, the traffic appears as though it is coming from the victim's Internet address and not the actual user.

Related Content:

How the Biden Administration Can Make Digital Identity a Reality

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Other proxy services such as Luminati (now Bright Data) and MonkeySocks also offer residential and commercial proxy services and have similar backdoor ways of harvesting information, such as by inserting their code into virtual private network (VPN) software. Some residential proxy networks even let you purchase IPs for specific countries or historical website visitors to help them blend in with normal traffic.

To be fair, these services do offer legitimate purposes for enterprise companies, such as website testing and fraud protection. But when in the wrong hands, they are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents. There's a high likelihood that your digital identity's evil shadow is unknowingly being harvested and made available for purchase — along with hundreds of millions of others — for both good and nefarious purposes.

Acts Like You
To fly beneath the radar of modern security defenses, it's not enough just to look like you; your shadow must also act like you.

Combined with a residential proxy service, open source and free scripting tools, such as Puppeteer and Playwright, are applied to mimic human behavior. These types of tools are loved by developers because they provide a way to automate test scripts to do quality assurance (QA) for Web applications. But they are also loved by bot operators because they provide a means to emulate human behavior while leveraging the benefits of automation at scale.

In fact, it is now easy to record testing scripts with a simple Chrome plugin, where the tool records the user's activity and thereby eliminates the need for code to generate scripts. Meanwhile, the open source community has developed its own plugins that provide stealth evasion techniques, including automated and manual CAPTCHA solving, so the benefits of using familiar headless browser automation tools can be applied at scale while acting as human as possible.

Ease of Access
It's easy to gain access to residential proxy networks (and turnkey bot tools that leverage them) from hundreds of options to choose from online. I downloaded one of the free bots, and in just two minutes of running it, I observed:

  • Geographically distributed IP addresses: I found 150 different IP addresses — only one of which issued more than one request. It would take several hours before any IP address was reused.

  • Legitimate-looking user agents: In the next few minutes, roughly 518 unique user agents were generated and used. Most of these agents presented themselves as legitimate, modern devices able to mask their true identity by appearing normal.

The rotation of user agents and proxies creates a nearly unrecognizable, invisible effect to prevent detection.

What You Can Do
Applying security controls that can accurately detect requests that look and act like you can seem like an impossible challenge because you must determine whether it is the human (good) or its evil shadow (bad). Looking at attributes such as IP address, user agents, validated CAPTCHAs, and even machine learning algorithms tuned to identify suspicious behavior yields inconsistent detection and false positives. After all, the last thing you want to do is block your legitimate users.

There are two approaches to ridding yourself of the impact of digital shadows. The first is to better control the availability of such tools and, in some cases, challenge their legality. This seems highly unlikely to work because history has taught us that when there is profit to be made, such tools and services will continue to prevail. They also serve legitimate purposes because developers will always need to test their applications in as realistic an environment as possible.

The second is a fundamentally different approach to detection. In contrast to traditional security controls, new methods don't make decisions based on how a request looks and acts. Instead, they detect the presence of automation. For example, if you can determine how a request presents itself in the context of a legitimate browser or mobile app, you can identify evidence to determine whether it is a human or not.

This is very much analogous to what happened with endpoint security, whereby rules and signatures became ineffective and new ruleless methods were developed to identify vulnerabilities and malware. This paradigm shift is necessary for Web and mobile application security to sustain its effectiveness against modern, evolving automated threats.

Sam Crowther is the founder of Kasada. Sam's passion for the security industry began as a high school student when he worked with the team at Australia's Signals Intelligence Agency. From there, he moved to a red team role at Macquarie Group, an experience that inspired him ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24288
PUBLISHED: 2021-05-17
When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.
CVE-2021-24289
PUBLISHED: 2021-05-17
There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.
CVE-2021-24290
PUBLISHED: 2021-05-17
There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages.
CVE-2021-24292
PUBLISHED: 2021-05-17
The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The â€&oe...
CVE-2021-24295
PUBLISHED: 2021-05-17
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via...