Fingerprint Heists: How Your Browser Fingerprint Can Be Stolen and Used by Fraudsters
Summary:
Security firm Group-IB has uncovered details of a campaign dubbed “ScreamedJungle,” which uses stolen browser fingerprints to impersonate legitimate users and bypass defenses. Browser fingerprinting is a technique that identifies a user based on unique characteristics such as installed fonts, screen resolution, graphics card details, etc. By mimicking these fingerprints, actors are able to bypass protections in place such as multi-factor authentication and device reputation checks. The latest campaign uncovered by Group-IB takes advantage of unpatched vulnerabilities in Magento e-commerce platforms to inject malicious scripts designed to harvest unique digital identifiers from visitors. Notably, vulnerabilities such as CVE-2024-34102 and CVE-2024-20720 have been exploited to inject a malicious JavaScript payload into compromised websites. This payload is capable of collecting over 50 parameters from desktop users, including system fonts, GPU data, and keyboard layout, which are then sent to a C2 server controlled by the actors and stored in a private database.
Security Officer Comments:
Researchers have found that the private database is connected to Bablosoft’s FingerprintSwitcher module, a tool that enables attackers to generate or alternate between various sets of unique digital identifiers. This functionality makes it easier for them to disguise automated attacks as legitimate user activity. Since May 2024, the ScreamedJungle campaign has collected millions of fingerprints. By storing a vast database of these identifiers, the attackers can seamlessly switch between them, impersonating a diverse range of users and devices. This capability ultimately allows the threat actors to operate undetected, facilitating malicious activities such as unauthorized account access, fraudulent transactions, and data scraping from websites.
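A replayed fingerprint reproduces the victim's client-side attributes, but the HTTP layer of the fraudster's session (User-Agent header, Accept-Language, source region) is still their own. The following is an added example, not Group-IB's code, of a server-side consistency check a site could run on a presented fingerprint; all field names, the stored profile and the two sample requests are constructed for illustration.

```javascript
// Added example (not Group-IB's code): cross-check a client-reported
// fingerprint against what the server itself observes on the request.
// Field names and sample values are constructed for this example.

// Canonical string of client-reported attributes; a real site would hash this
// and use it as the "known device" key.
function fingerprintKey(fp) {
  return Object.keys(fp).sort().map((k) => `${k}=${JSON.stringify(fp[k])}`).join("|");
}

// navigator.platform value implied by the User-Agent header.
function osFromUserAgent(ua) {
  if (/Windows/.test(ua)) return "Win32";
  if (/Macintosh/.test(ua)) return "MacIntel";
  if (/Linux/.test(ua)) return "Linux x86_64";
  return "unknown";
}

// Returns the inconsistencies found; an empty array means nothing to flag.
function checkSession(stored, presented, req) {
  const reasons = [];
  if (presented.platform !== osFromUserAgent(req.userAgent)) reasons.push("platform vs User-Agent");
  const accepted = req.acceptLanguage.split(",").map((l) => l.split(";")[0].trim());
  if (!presented.languages.some((l) => accepted.includes(l))) reasons.push("languages vs Accept-Language");
  if (presented.timezone.split("/")[0] !== req.ipContinent) reasons.push("timezone vs source region");
  // Exact match of a known device key arriving from a region it has never used.
  if (fingerprintKey(presented) === fingerprintKey(stored.fp) && stored.lastContinent !== req.ipContinent) {
    reasons.push("known device key from a new region");
  }
  return reasons;
}

// Constructed "known device" profile for one account.
const STORED_PROFILE = {
  fp: { platform: "Win32", languages: ["en-US", "en"], timezone: "America/New_York",
        fonts: ["Arial", "Calibri", "Segoe UI"], gpu: "ANGLE (NVIDIA)", keyboard: "en-US" },
  lastContinent: "America",
};
// Constructed requests: the real owner, and the same fingerprint replayed from elsewhere.
const LEGIT_REQUEST = { userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120",
                        acceptLanguage: "en-US,en;q=0.9", ipContinent: "America" };
const REPLAY_REQUEST = { userAgent: "Mozilla/5.0 (X11; Linux x86_64) Chrome/120",
                         acceptLanguage: "ru-RU,ru;q=0.9", ipContinent: "Europe" };

console.log(checkSession(STORED_PROFILE, STORED_PROFILE.fp, LEGIT_REQUEST));  // []
console.log(checkSession(STORED_PROFILE, STORED_PROFILE.fp, REPLAY_REQUEST)); // four findings
```

Each finding is a signal to step up verification (for example, require MFA) rather than a verdict on its own, since legitimate users do travel and change machines.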
Suggested Corrections:
For website owners:
- Regularly conduct a website analysis to evaluate its integrity and eliminate any potential persistence mechanisms or malicious files;
- Keep systems up-to-date and always install relevant security patches;
- Use complex passwords and adopt two-factor authentication;
- Monitor accesses of privileged accounts;
- Perform security audits (e.g., vulnerability assessments, penetration tests) periodically in order to identify any vulnerabilities that could lead to website compromise;
- Use privacy-oriented browsers that implement additional protection measures to block suspicious fingerprint scripts;
- Use trusted and reliable browser extensions aimed at blocking the execution of suspicious JavaScript and detecting tracking techniques;
- Identify changes in a known user's environment, e.g. a change of operating system or metadata;
- Subscribe to intelligence services (e.g. threat intelligence, fraud intelligence) to stay updated on evolving fraud schemes and technologies;
- Use Multi-Factor Authentication (MFA) for authentication processes or sensitive user activity, e.g. password changes.
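The first recommendation above, analysing the website for injected content, can be partly automated. The following is an added example, not code from Group-IB or Magento, of a monitoring job that compares the script tags in the HTML a storefront actually serves against an allow-list; the sample page and allow-lists are constructed for the example.

```javascript
// Added example (not from Group-IB or Magento): flag <script> tags that are
// not on a site owner's allow-list. External scripts are checked by host,
// inline scripts by their whitespace-normalised body. The allow-lists and the
// sample page below are constructed for this example.
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "static.shop.example"]);
const KNOWN_INLINE = new Set(["window.dataLayer=window.dataLayer||[];"]);
const SITE_ORIGIN = "https://shop.example/"; // used to resolve relative src values

function normalize(s) { return s.replace(/\s+/g, ""); }

// Regex extraction is adequate for a job run over your own templates;
// use a real HTML parser for arbitrary input.
function findScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    out.push(src ? { type: "external", src: src[1] } : { type: "inline", body: m[2] });
  }
  return out;
}

// Returns the scripts that are on neither allow-list.
function unexpectedScripts(html) {
  return findScripts(html).filter((s) => {
    if (s.type === "external") {
      let host;
      try { host = new URL(s.src, SITE_ORIGIN).hostname; } catch (e) { return true; }
      return !ALLOWED_SCRIPT_HOSTS.has(host);
    }
    return !KNOWN_INLINE.has(normalize(s.body));
  });
}

// Constructed page: two expected scripts, then two that a compromise might add.
const SAMPLE_PAGE = `<html><head>
<script src="https://static.shop.example/js/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//cdn.example.net/fp.js"></script>
<script>(function(){ /* placeholder for an unexpected inline script */ })();</script>
</head><body></body></html>`;

console.log(unexpectedScripts(SAMPLE_PAGE)); // the cdn.example.net script and the unknown inline one
```

Run it against the live HTML fetched as a visitor would see it, since injected payloads are often served only to the storefront and not visible in the admin panel or source repository.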
https://www.group-ib.com/blog/fingerprint-heists/