Genesis market 2020 overview, a bazaar for buying data out of compromised computers.

Alon Gal — Under the Breach
7 min readFeb 3, 2020

--

So how did a group of individuals get their hands on 230,000 computers worldwide in the first place?

Well we first have to understand how a mass virus spreading campaign works (if you’re already familiar with that, you can skip ahead).

Granted, there are many ways one can use to infect someone’s computer but some tactics have proven to be more cost-effective when it comes to mass spreading, I will only cover two of them to keep things shorter:

  1. Traffic + Exploit Kit: Traffic is any stream of users you’re able to get to view your content, whether it is a Medium article, a Tweet or someone who visited your site.
A buyer looking to buy traffic, probably to get computers infected

An Exploit Kit is a set of vulnerabilities that were usually already patched and allow an attacker to remotely execute code (RCE) on a victim’s machine if said victim didn’t update his browser (named 1day) or if the vulnerability is unpatched by anyone yet (named 0day).

Well how does an attacker go about combining these two ingredients?

Let’s say John has a website with over 10,000 daily visitors. if a hacker manages to breach into the Admin panel of John’s website and install his Exploit Kit code, he would essentially be trying to infect the computers of 10,000 people on a daily basis.

Those of them who aren’t very tech savvy and don’t normally update their browsers could get infected simply by viewing the content of John’s website!

2. Mail spreading campaign: a tactic that could either be highly targeted or opportunistically based.

A hacker will get his hands on a list of E-mails, craft an E-mail that is designed to Socially Engineer the recipient into opening it by being interesting enough.

The tricky part is that the hacker has to intrigue the recipient so much that he will not only open the E-mail, he will also open the attached PDF/XLSX/DOC, and not only open it but also run something called “Macro” that enables the hacker to secretly infect the recipient’s computer

If the user clicks “Enable Content” his computer will be infected with a virus

So to get someone to do all these actions is quite hard but when you have an E-mail list with over 100,000,000 emails you’re just playing a statistics game.

After infecting the computer, a hacker will usually run an executable named “stealer” that would grab all of the computer’s saved passwords, cookies, browsing and download history, and important files. I will elaborate more on that soon.

We return the Genesis.

A group of sophisticated hackers team up to sell the data of computers they managed to infect.

The site began operating around the beginning of 2019 and only let users with an invitation code to join (it maintains this exclusivity until today).

To find a person who has invitation codes is not that difficult because each member that spends $20 on the site gets to generate an invitation code.

once you sign up and log in you witness a well oiled stolen credential operation:

I will break it down without going into too much details.

Basically, the site has an insane amount of 230,000 infected computers you can buy the logs from. 20,000 of which are from the USA.

The site operates just like any online clothes shop would only a lot more sinister.

you can filter the results using the following categories:

  1. Country- you can choose which country the displayed computers are from.
  2. Infection date- could be useful because another hacker could hack the same computer via a different campaign and steal his credit card before you.
  3. IP range- you can choose computers which are only within a specific IP range so that if you target a company with a known IP range, you will only get results of computers from that range.
  4. Browsing history- you can choose to only see computers that browsed “Paypal.com” for instance so you know they have an active Paypal account.

I figured the best way to show the capabilities of this website is to just dive in and choose a computer of my liking.

I set the filter to look for people who browsed to “Confluence” (a site that allows employees of a company to share tasks and knowledge among each other) and set the country filter to Israel.

An interesting computer appeared:

As can be seen, it is an Israeli computer that goes for merely $5 and has logins to Linkedin, Twitter, Instagram and more.

Remember how I said I looked for Confluence? well turns out this computer has access to the Confluence of a company named Websense which is now named ForcePoint and owned by Raytheon.

Their slogan- “ transforming Cybersecurity by focusing on understanding people’s intent as they interact with critical data wherever it resides” is what they claim they do.[1]

Well they should first understand people are a weak link and shouldn’t be able to log into critical data of the company via their home computer:

As can be seen, if I paid the $5 this computer costs I would get the credentials to several highly critical services ran by Websense/Forcepoint.

I’m not trying to shame Forcepoint specifically, there are literally hundreds of publicly traded companies whose employees’ computers were infected and are up to sale on Genesis.

As soon as I saw how valuable this computer is and the sensitivity of this issue, I contacted Forcepoint and worked with their incident response team to fix the issue.

They identified the computer that was up for sale and messaged me that they took the proper steps to mitigate the risk!

Forcepoint taking care of the issue!

Anyways, Genesis were also nice enough to tell me in advance that this computer has over 2,000 cookies!

Now cookies are the interesting part.

Let’s say I stole a Facebook E-mail and password and I try to log into that account from my home computer. The second I try to log in, Facebook will notify me that I am trying to log from an IP that wasn’t previously used by the owner of the account and it would lock the account until I am able to get a confirmation code from the account’s E-mail.

Luckily, we have cookies. cookies allow the browser to remember your account so that you won’t have to put your credentials every time you log into a service but it has its disadvantages, a hacker can steal these cookies if he has access to your computer

For example, Facebook has 2 important cookies that authenticate you:

  1. c_user- your user ID
  2. XS- a long string that is basically the “key” for Facebook to remember you

here are my censored Facebook cookies :

When injecting both cookies into a browser, you will immediately be logged into the account without entering a password, you are literally stealing the session of the victim.

Now considering that Israeli computer has over 2,000 cookies and has access to internal services, you can only imagine the damage that can be done to Forcepoint if a hacker were to go on a crusade.

With that being said, most hackers don’t target large organizations because they’re looking to make easy money and selling internal data of a publicly traded company is not an easy thing, so hackers are more likely to look for Cryptocurrencies, credit cards, and bank access of the victims.

Banks are not stupid either, even if you have access to the victim’s online banking account you are facing a sophisticated anti-fraud system that wouldn’t just allow you to drain the victim’s bank account.

Luckily for the hackers, Genesis have been working hard to develop and improve the theft of victim’s fingerprints.

Fingerprint- “data such as screen information, operating system version, browser time zone and installed plugins, cookies, time on site, clicks on site locations, mouse and touchscreen behavior, etc.,”[2]-Sergey Lozhkin

Picture taken from Sergey Lozhkin’s presentation during the Security Analyst Summit of 2019

By stealing the user’s fingerprints along with his cookies and login credentials, even the most advanced banking technologies will have a hard time figuring whether the person who is trying to move money is the client or the hacker!

In conclusion:

Genesis has been running since the beginning of 2019, I still remember them “only” having 10,000 infected computers so the fact they’ve managed to scale their operation to 230,000 computers reveals to me that their service must be very profitable.

This article may seem very dire (it is) but keep in mind that if you regularly update your browser, have an active antivirus software and don’t run suspicious programs, you should be fine!

  • If you enjoyed reading I would really appreciate if you followed me on twitter, I plan on posting more write-ups of all sorts!

Connect with me — https://www.linkedin.com/in/alon-gal-utb/

References:

  1. https://www.forcepoint.com
  2. https://threatpost.com/genesis-marketplace-digital-identities/143558/

--

--

No responses yet