“Combo lists” of usernames and passwords leaked in data breaches are widely available on the darknet and increasingly on the clear net. But the Genesis Market does something different. Each “bot” for sale on this underground market is data that has been exfiltrated from a compromised PC. These aren’t old passwords sitting on a list in plain text that may or may not work, but thousands of users “ready hacked.”
While the market has been around for a while, increased activity in the space means businesses should take a moment to understand what the market is and how they can protect against the hackers that supply the website with stolen data. Since the start of the pandemic, the Genesis Market has expanded its product portfolio—offering more lucrative credentials and attracting the attention of a more dangerous customer base — larger cybercriminal organizations rather than amateur hackers.
The availability of ready-hacked accounts through the Genesis Market, and others like it, means that businesses cannot trust that their customers are who they say they are.
Also Read: The Changing Landscape of Digital Identity
A Little Background on the Genesis Market
Founded in 2018, the Genesis Market has been described as the Amazon of stolen credentials. It specializes solely in the sale of “bots.” However, these bots are unlike the generally accepted use of the term bots—those for sale on the Genesis Market are data from compromised devices: digital ‘fingerprints,’ cookies, saved logins, and autofill form data – everything you need to assume the stolen digital identity. That data is packaged up and put for sale on the Genesis Market.
What makes the Genesis Market unique is that it sits on the clear web, unlike other illegal marketplaces hidden on the dark web—think of the infamous Silk Road. Anyone can visit genesis market. However, you are met with no information, simply a login page. As an invite-only marketplace, it is a little hidden from law enforcement and security researchers.
While it remains relatively free of prying eyes, we’ve been able to gain access and see the scale of this e-commerce site—and the potential damage it can cause. The Genesis Market is an Aladdin’s cave of criminally obtained data, growing every minute with hundreds of new stolen digital identities added daily. 100,000 were available in April 2019, rising to over 350,000 in March 2021. The level of access granted to buyers of these bots is staggering. Almost anything accessed digitally by victims of these bots can be accessed by Genesis Market customers: logins to online services, autofill information such as addresses, and even bank details.
How has the Market Evolved?
The market has, over time, expanded its offerings; previously, it primarily sold access to streaming services, but more lucrative credentials have recently become more available. Bank accounts and PayPal logins are in demand and sold at a premium—the cost of streaming credentials is around a few dollars but rises dramatically for the bank details that have been flooding into the marketplace.
The increase in available bank details is almost certainly linked to the increase in online banking following the pandemic. An influx of newcomers to digital banking meant there were some easy targets for the Genesis Market, as some consumers inevitably failed to follow best security practices.
The rise in activity is likely linked to an increase in ransomware attacks. The Genesis Market can operate as an initial access broker, supplying ransomware organizations with compromised accounts—there’s no need to fool employees with phishing if you can simply buy someone’s work login. The Genesis Market has been linked to several recent cyber-attacks, including a breach of Electronic Arts where sensitive data, including the source code for the game FIFA 21, was stolen.
How can Organizations Protect Against Account Theft?
Companies dealing with this issue often describe it like holding a gun at two clones, unable to separate the original from the imposter.
Until it is reported, it’s difficult for an organization to know when their users’ credentials have been stolen, and if they take actions into their own hands, they risk blocking users that have not been compromised and damaging the customer relationship. Password reuse is so common that any leak of credentials means a greater risk of account theft. If promoting good password hygiene and avoiding phishing scams aren’t getting through to consumers, how can organizations protect themselves?
One way is AI and behavior tracking. Those organizations with this technology, mostly banks, can often alert their users to any activity which is out of the ordinary. For many, this is too expensive, meaning they rely on their users to alert them to any suspicious behavior. For these businesses, the best form of protection is communication with their customers. By encouraging users to report this behavior and by making it easy to do so, stolen credentials can be identified, and both the business and customers protected.
There has been some resistance to multi-factor authentication as it increases friction, but it is one of the best ways in which an organization can protect against account theft. It’s not a foolproof solution but requires sophisticated man-in-the-middle tools or social engineering to get around. Hackers are lazy and will look for the easiest way to compromise credentials. A little friction is enough to put off most of them.
Businesses should also be taking a close look at their automated traffic. Most compromises use automatic means to uncover credentials that can be reused and to check the validity of leaks. The Genesis Market shows that hackers are keen to profit from these hacks and want to offer a user experience similar to the biggest e-commerce sites—expanding their business with more customers, more sales, and an increasing supply of compromised “bots.” Monitoring and understanding automated traffic will give businesses a better insight into who is trying to subvert their customers’ accounts and how they can stop it.