
Police Capture Genesis Market, Biggest Venue For Online Fraud

By Olivia William | April 4, 2023 | Updated: August 20, 2024

One of the most important online criminal sites, Genesis Market, was taken down on Tuesday in an FBI-led investigation involving more than a dozen international partners. Genesis has been connected to millions of financially driven cyber incidents worldwide, from fraud to ransomware attacks. Genesis served as a one-stop shop for thieves, selling stolen credentials and the tools to weaponize that data.

The login pages of Genesis Market’s websites have been changed to a splash page announcing the takedown, which was named Operation Cookie Monster. The organization maintained websites on both the conventional and the dark web. The Record is aware that numerous arrests have been made worldwide.

Genesis market, the infamous initial access brokerage forum, has been seized by the United States Department of Justice in cooperation with EUROPOL in what was named "Operation Cookie Monster". pic.twitter.com/sKt24UH4Ci

— vx-underground (@vxunderground) April 4, 2023

They claimed Genesis Market stood out from other credential markets like Russian Market or 2easy Shop. In contrast to its rivals, Genesis Market offered hackers access to “bots” or “browser fingerprints” that enabled them to impersonate victims’ online browsers. These fingerprints included IP addresses, session cookies, operating system details, and plugins.

These fingerprints allowed the thieves to access online banking services and subscription services like Netflix and Amazon without being met with security alerts, as Leslie put it: “What’s Joe doing checking in from India?” Users could even defeat two-factor authentication. The fingerprints on Genesis Store are different because they mimic the victim’s browser session and get around these “flags” by making themselves look indistinguishable from the actual user, according to Leslie.

Leslie highlighted that, unlike its rivals, Genesis Market did not contain a list of third-party sellers, such as the RedLine, Vidar, Raccoon, or META info stealers featured on Russian Market, explaining that the majority of the data included in the “bots” were acquired by info stealer malware.

Listed On The Genesis Market Are Bots

Once acquired, the “bots” could be added to the criminals’ Genesis Security browser, which was also made available as an add-on for other web browsers. Using the stolen credentials, the bots allowed thieves to pose as legitimate users.

Each fingerprint was shown next to a list of the services it had access to, which frequently included Netflix, Amazon, Facebook, and eBay accounts. Bots could also contain login information for services, such as employee networks, that weren’t automatically shown in the listings.

Location, IP address, browser information, etc., all match. If you install the Genesis Store browser extension, you can import the victim’s bot to force the browser to reset and take on their “identity.” According to Leslie, this identity is comparable to, if not the same as, the actual use of online services.

Although Genesis Market was an invite-only website, it could still be found using standard web search engines. Invite codes were easily accessible, appearing in YouTube videos, as with most large-scale criminal forums.

Although Leslie claimed that the Recorded Future platform displayed over 135 million individual bot listings since 2018, the number of Genesis Market victims is unknown.

According to Leslie, “Gemini Store may have had between 30 and 50 million active listings across its history based on the current number of active listings, measured against a sample size of the entire number of platform references over the past month (1.3 million).”

While Genesis Store does not disclose historical information, he stated that the number was simply an estimate and that “the real number may be far higher.”

The criminal service, which served as a one-stop shop for fraud, was designed with a low barrier to entry in mind. To commercialize the hoax, Genesis even produced a Wiki outlining how it operated for prospective users.

According to Leslie, “this suggests that the Genesis Store administration is in control of the infostealer ‘botnet,’” which means the criminals who ran the Genesis Store also had “command-and-control for all of its listings and have constant access to infected PCs.”

That contributed to the success of the Genesis Store, in part. The ‘bot’ is regularly updated or kept ‘fresh’ due to this ongoing communication with the infected machine, which keeps the fingerprint as current as possible.

How to Protect Accounts After Genesis Market Leak

If your social media activity is suspect, Genesis Market may have sold your data. After you’ve made sure your computer isn’t in someone else’s hands, safeguard your accounts:

  • Change your passwords everywhere. Use a secure password that you never use for other websites. Password managers can come up with strong passwords for you.
  • If the platform allows, log out additional users and devices. Facebook lets you log out of devices: choose “Settings” and then “Security and login” on the left. This shows all your account-linked devices. After changing your password, you can log out of all of them or just one.
  • Get two-factor authentication. Sign up for two-factor authentication (2FA) whenever possible. Two-factor authentication requires a code sent to your phone to access your online account. Gmail and Facebook now offer this extra security for account logins.
  • Check company updates. With a big data breach, the organization will likely post updates and disclose which customers were affected. During a recent Facebook data breach, the firm instantly logged out affected users and sent them platform messages explaining what happened and what to do.

Conclusion

Police seized Genesis Market, one of the greatest cyber fraud platforms. On Tuesday, the FBI and more than a dozen international partners seized Genesis Market, one of the largest online criminal enterprises. Genesis, a one-stop shop for criminals selling stolen credentials and the means to weaponize them, has been linked to millions of financially driven cyber events worldwide, from fraud to ransomware assaults. Genesis Market’s login pages now display Operation Cookie Monster’s takedown. The organization has dark and conventional websites.

They said Genesis Market was unique among credential marketplaces like Russian Market and 2easy Shop. Unlike its competitors, Genesis Market gave thieves “bots” or “browser fingerprints” to imitate victims’ online browsers, including IP addresses, session cookies, operating system information, and plugins. These fingerprints allowed crooks to access Netflix, Amazon, and online banking without security warnings: “What’s Joe doing checking in from India?” Leslie said. 
