Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/29/2021
01:00 PM
Sam Crowther
Sam Crowther
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Your Digital Identity's Evil Shadow

In the wrong hands, these shady shadows are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents.

When digital identity is mentioned, most people think about attributes related to a person, such as login credentials, Social Security numbers, and biometrics. While these are critical aspects of identity theft and online fraud, there's another element that's not as widely recognized. I call it your digital identity's evil shadow. It follows you around wherever you go. It looks like you. It acts like you. Yet its attributes can't be directly traced back to you. This shadow is shady, as it is harvested and used without your knowledge to conduct automated attacks against online businesses.

Looks Like You
Recently, it has been reported that proxy service companies are offering compensation to developers to insert code into a browser extension so that it can route Web traffic on behalf of an unsuspecting user. It essentially acts as a residential proxy where people can remain anonymous — at the expense of others. As a result, the traffic appears as though it is coming from the victim's Internet address and not the actual user.

Related Content:

How the Biden Administration Can Make Digital Identity a Reality

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Other proxy services such as Luminati (now Bright Data) and MonkeySocks also offer residential and commercial proxy services and have similar backdoor ways of harvesting information, such as by inserting their code into virtual private network (VPN) software. Some residential proxy networks even let you purchase IPs for specific countries or historical website visitors to help them blend in with normal traffic.

To be fair, these services do offer legitimate purposes for enterprise companies, such as website testing and fraud protection. But when in the wrong hands, they are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents. There's a high likelihood that your digital identity's evil shadow is unknowingly being harvested and made available for purchase — along with hundreds of millions of others — for both good and nefarious purposes.

Acts Like You
To fly beneath the radar of modern security defenses, it's not enough just to look like you; your shadow must also act like you.

Combined with a residential proxy service, open source and free scripting tools, such as Puppeteer and Playwright, are applied to mimic human behavior. These types of tools are loved by developers because they provide a way to automate test scripts to do quality assurance (QA) for Web applications. But they are also loved by bot operators because they provide a means to emulate human behavior while leveraging the benefits of automation at scale.

In fact, it is now easy to record testing scripts with a simple Chrome plugin, where the tool records the user's activity and thereby eliminates the need for code to generate scripts. Meanwhile, the open source community has developed its own plugins that provide stealth evasion techniques, including automated and manual CAPTCHA solving, so the benefits of using familiar headless browser automation tools can be applied at scale while acting as human as possible.

Ease of Access
It's easy to gain access to residential proxy networks (and turnkey bot tools that leverage them) from hundreds of options to choose from online. I downloaded one of the free bots, and in just two minutes of running it, I observed:

  • Geographically distributed IP addresses: I found 150 different IP addresses — only one of which issued more than one request. It would take several hours before any IP address was reused.

  • Legitimate-looking user agents: In the next few minutes, roughly 518 unique user agents were generated and used. Most of these agents presented themselves as legitimate, modern devices able to mask their true identity by appearing normal.

The rotation of user agents and proxies creates a nearly unrecognizable, invisible effect to prevent detection.

What You Can Do
Applying security controls that can accurately detect requests that look and act like you can seem like an impossible challenge because you must determine whether it is the human (good) or its evil shadow (bad). Looking at attributes such as IP address, user agents, validated CAPTCHAs, and even machine learning algorithms tuned to identify suspicious behavior yields inconsistent detection and false positives. After all, the last thing you want to do is block your legitimate users.

There are two approaches to ridding yourself of the impact of digital shadows. The first is to better control the availability of such tools and, in some cases, challenge their legality. This seems highly unlikely to work because history has taught us that when there is profit to be made, such tools and services will continue to prevail. They also serve legitimate purposes because developers will always need to test their applications in as realistic an environment as possible.

The second is a fundamentally different approach to detection. In contrast to traditional security controls, new methods don't make decisions based on how a request looks and acts. Instead, they detect the presence of automation. For example, if you can determine how a request presents itself in the context of a legitimate browser or mobile app, you can identify evidence to determine whether it is a human or not.

This is very much analogous to what happened with endpoint security, whereby rules and signatures became ineffective and new ruleless methods were developed to identify vulnerabilities and malware. This paradigm shift is necessary for Web and mobile application security to sustain its effectiveness against modern, evolving automated threats.

Sam Crowther is the founder of Kasada. Sam's passion for the security industry began as a high school student when he worked with the team at Australia's Signals Intelligence Agency. From there, he moved to a red team role at Macquarie Group, an experience that inspired him ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Commentary
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15279
PUBLISHED: 2021-05-18
An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.23.320 allows a regular user to learn the scanning exclusion paths. This issue was discovered during external security research.
CVE-2021-3423
PUBLISHED: 2021-05-18
Uncontrolled Search Path Element vulnerability in the openssl component as used in Bitdefender GravityZone Business Security allows an attacker to load a third party DLL to elevate privileges. This issue affects Bitdefender GravityZone Business S...
CVE-2020-18194
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
CVE-2020-18195
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
CVE-2020-18198
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."