theDocumentId => 1340766 Your Digital Identity's Evil Shadow

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/29/2021
01:00 PM
Sam Crowther
Sam Crowther
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Your Digital Identity's Evil Shadow

In the wrong hands, these shady shadows are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents.

When digital identity is mentioned, most people think about attributes related to a person, such as login credentials, Social Security numbers, and biometrics. While these are critical aspects of identity theft and online fraud, there's another element that's not as widely recognized. I call it your digital identity's evil shadow. It follows you around wherever you go. It looks like you. It acts like you. Yet its attributes can't be directly traced back to you. This shadow is shady, as it is harvested and used without your knowledge to conduct automated attacks against online businesses.

Looks Like You
Recently, it has been reported that proxy service companies are offering compensation to developers to insert code into a browser extension so that it can route Web traffic on behalf of an unsuspecting user. It essentially acts as a residential proxy where people can remain anonymous — at the expense of others. As a result, the traffic appears as though it is coming from the victim's Internet address and not the actual user.

Related Content:

How the Biden Administration Can Make Digital Identity a Reality

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Other proxy services such as Luminati (now Bright Data) and MonkeySocks also offer residential and commercial proxy services and have similar backdoor ways of harvesting information, such as by inserting their code into virtual private network (VPN) software. Some residential proxy networks even let you purchase IPs for specific countries or historical website visitors to help them blend in with normal traffic.

To be fair, these services do offer legitimate purposes for enterprise companies, such as website testing and fraud protection. But when in the wrong hands, they are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents. There's a high likelihood that your digital identity's evil shadow is unknowingly being harvested and made available for purchase — along with hundreds of millions of others — for both good and nefarious purposes.

Acts Like You
To fly beneath the radar of modern security defenses, it's not enough just to look like you; your shadow must also act like you.

Combined with a residential proxy service, open source and free scripting tools, such as Puppeteer and Playwright, are applied to mimic human behavior. These types of tools are loved by developers because they provide a way to automate test scripts to do quality assurance (QA) for Web applications. But they are also loved by bot operators because they provide a means to emulate human behavior while leveraging the benefits of automation at scale.

In fact, it is now easy to record testing scripts with a simple Chrome plugin, where the tool records the user's activity and thereby eliminates the need for code to generate scripts. Meanwhile, the open source community has developed its own plugins that provide stealth evasion techniques, including automated and manual CAPTCHA solving, so the benefits of using familiar headless browser automation tools can be applied at scale while acting as human as possible.

Ease of Access
It's easy to gain access to residential proxy networks (and turnkey bot tools that leverage them) from hundreds of options to choose from online. I downloaded one of the free bots, and in just two minutes of running it, I observed:

  • Geographically distributed IP addresses: I found 150 different IP addresses — only one of which issued more than one request. It would take several hours before any IP address was reused.

  • Legitimate-looking user agents: In the next few minutes, roughly 518 unique user agents were generated and used. Most of these agents presented themselves as legitimate, modern devices able to mask their true identity by appearing normal.

The rotation of user agents and proxies creates a nearly unrecognizable, invisible effect to prevent detection.

What You Can Do
Applying security controls that can accurately detect requests that look and act like you can seem like an impossible challenge because you must determine whether it is the human (good) or its evil shadow (bad). Looking at attributes such as IP address, user agents, validated CAPTCHAs, and even machine learning algorithms tuned to identify suspicious behavior yields inconsistent detection and false positives. After all, the last thing you want to do is block your legitimate users.

There are two approaches to ridding yourself of the impact of digital shadows. The first is to better control the availability of such tools and, in some cases, challenge their legality. This seems highly unlikely to work because history has taught us that when there is profit to be made, such tools and services will continue to prevail. They also serve legitimate purposes because developers will always need to test their applications in as realistic an environment as possible.

The second is a fundamentally different approach to detection. In contrast to traditional security controls, new methods don't make decisions based on how a request looks and acts. Instead, they detect the presence of automation. For example, if you can determine how a request presents itself in the context of a legitimate browser or mobile app, you can identify evidence to determine whether it is a human or not.

This is very much analogous to what happened with endpoint security, whereby rules and signatures became ineffective and new ruleless methods were developed to identify vulnerabilities and malware. This paradigm shift is necessary for Web and mobile application security to sustain its effectiveness against modern, evolving automated threats.

Sam Crowther is the founder of Kasada. Sam's passion for the security industry began as a high school student when he worked with the team at Australia's Signals Intelligence Agency. From there, he moved to a red team role at Macquarie Group, an experience that inspired him ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...
CVE-2021-3169
PUBLISHED: 2021-07-23
An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
CVE-2020-20741
PUBLISHED: 2021-07-23
Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if t...
CVE-2021-25808
PUBLISHED: 2021-07-23
A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.