Threats Without Borders - Issue 172
Cybercrime Investigation Newsletter, Week ending March 3, 2024
A web artifact that often causes head-shaking confusion is browser fingerprinting, a method websites use to uniquely identify and track users based on various attributes of their web browser and device.
Browser fingerprinting involves collecting information from users' web browsers to create a unique identifier, or "fingerprint," for each user. This information includes user-agent strings, default language settings, screen resolutions, browser plugins, HTTP headers, and more. Combining these attributes and hashing them generates a distinct fingerprint value, allowing websites to differentiate one browser instance from another.
The user-agent string plays a crucial role among the various attributes collected during browser fingerprinting and renders something like this – {Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15}
The developers of browsers such as Safari, Chrome, and Firefox have taken steps to protect against detailed fingerprinting. These measures include removing specific details from the user-agent header while keeping its overall shape unchanged. By reducing the data available in the user-agent header, browsers hope to make it less reliable for identification purposes.
Why does every user-agent string include Mozilla regardless of the user’s web browser? This phenomenon can be traced back to historical reasons and the evolution of web standards. Initially, "Mozilla" in the user-agent string aimed to ensure compatibility between new and old browsers. This practice originated during the dominance of Netscape Navigator, which prominently featured "Mozilla" in its name. As new browsers emerged, they continued to include "Mozilla" in their user-agent strings to maintain compatibility with websites relying on this identifier.
Browser fingerprinting plays a vital role in online security and investigations. By identifying website visitors exhibiting patterns of fraudulent behavior, browser fingerprinting enables targeted security measures without relying solely on IP addresses and site cookies. Fraudsters often employ identity-concealing techniques such as disabling cookies, using VPNs, or browsing in incognito mode. In such scenarios, browser fingerprinting proves invaluable, swiftly identifying users based on their unique browser configurations.
Browser fingerprinting techniques are not always accurate and can produce errors, particularly in the user-agent string, due to several reasons:
User-Agent Spoofing: Users can modify or spoof their user-agent strings using browser extensions or custom configurations. This intentional manipulation can lead to inaccuracies in fingerprinting, as the user-agent string no longer accurately represents the browser and device.
Browser Customization: Many browsers allow users to customize their user-agent strings or install plugins/extensions that alter them. These customizations can vary widely and may result in unique user-agent strings that deviate from typical patterns, making fingerprinting less reliable.
Browser Updates: Vendors frequently release updates that may change the structure or content of user-agent strings. As a result, fingerprinting techniques relying solely on static user-agent patterns become less effective over time and need to be updated.
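The collect-and-hash idea described above, together with the cookie/VPN/incognito point and the spoofing caveat, as an added worked example (not code from the newsletter). Network address and cookies are kept out of the hashed set on purpose; the user-agent is the Brave string quoted below, while the IPs (documentation ranges), screen, language, timezone and plugin values are constructed for illustration:

```python
import hashlib
import json

# Attributes that go into the fingerprint. IP address and cookies are deliberately
# excluded: they change with a VPN exit, a cleared profile or an incognito window,
# while these values stay constant for the same browser installation.
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "screen",
                      "color_depth", "timezone", "plugins")


def browser_fingerprint(request: dict) -> str:
    """SHA-256 over a canonical JSON serialization of the fingerprint fields.
    Sorted keys and fixed separators make the hash independent of the order
    in which a site happened to collect the attributes."""
    subset = {k: request.get(k) for k in FINGERPRINT_FIELDS}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def same_device(req_a: dict, req_b: dict) -> bool:
    """Two visits are linked when their fingerprints match, regardless of IP or cookie."""
    return browser_fingerprint(req_a) == browser_fingerprint(req_b)


def attribute_diff(req_a: dict, req_b: dict) -> list:
    """Names of fingerprint fields that differ; explains why two visits were not linked."""
    return [k for k in FINGERPRINT_FIELDS if req_a.get(k) != req_b.get(k)]


# Constructed sample requests. The user-agent is the Brave/Chrome string quoted in
# the newsletter; the IPs come from documentation ranges; the rest are assumed values.
BRAVE_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/121.0.0.0")

VISIT_1 = {
    "ip": "203.0.113.10", "cookie": "sid=7f3a9c",
    "user_agent": BRAVE_UA, "accept_language": "en-US,en;q=0.9",
    "screen": "2560x1600", "color_depth": 30,
    "timezone": "America/New_York", "plugins": ["PDF Viewer", "Chrome PDF Viewer"],
}
# Same machine through a VPN exit, cookies cleared, incognito window: new IP, no cookie.
VISIT_2 = dict(VISIT_1, ip="198.51.100.77", cookie=None)
# Same machine with a user-agent switcher extension claiming Firefox on Windows
# (constructed string): one spoofed attribute is enough to break the link.
VISIT_3 = dict(VISIT_1, user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) "
                                   "Gecko/20100101 Firefox/123.0")

if __name__ == "__main__":
    print("fingerprint:", browser_fingerprint(VISIT_1))
    print("visit 2 linked:", same_device(VISIT_1, VISIT_2), attribute_diff(VISIT_1, VISIT_2))
    print("visit 3 linked:", same_device(VISIT_1, VISIT_3), attribute_diff(VISIT_1, VISIT_3))
```

Visit 2 hashes identically to visit 1 even though the IP and cookie differ, which is what makes the technique useful when cookies and IP addresses are being hidden; visit 3 produces an unrelated hash because a single spoofed user-agent changes the canonical input, and `attribute_diff` is the kind of breakdown worth keeping in case notes when explaining why two visits were or were not linked.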
This is the User-Agent string being pulled from my browser session using the Brave browser on an Apple MacBook Air (2020 M1) running macOS 14.0.
{Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0}
There are a few noticeable issues with the fingerprinting results. Firstly, it cannot identify the Apple Silicon ARM chip and instead reports it as an Intel chip. Secondly, it reports the operating system as an OS X variant rather than the newer macOS. Lastly, although Brave and Chrome are both variants of the open-source web browser Chromium, the fingerprinting tool fails to differentiate between the two and defaults to Chrome.
How about if I try a less privacy-focused browser like Edge?
{Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0}
Well, that made it even worse.
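The three user-agent strings quoted above, run through a small parser, as an added example (not a tool from the newsletter) that makes the observed problems concrete: the platform comment is identical for all three browsers, the Brave string carries no token of its own and so parses as Chrome, and Edge is only identifiable because of its trailing `Edg/` token. The token precedence rules are assumptions about how these strings are conventionally read, and `UA_CHROME` is a constructed string standing in for what plain Chrome would send:

```python
import re

# The three user-agent strings quoted in the newsletter: Safari, Brave and Edge,
# all from the same Apple Silicon MacBook Air running macOS 14.0.
UA_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")
UA_BRAVE = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/121.0.0.0")
UA_EDGE = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0")
# Constructed: what plain Chrome 121 on the same Mac would be expected to send.
UA_CHROME = UA_BRAVE + " Safari/537.36"

# "Name/version" product tokens and the parenthesised platform comment.
TOKEN_RE = re.compile(r"([A-Za-z][\w.]*)/([\w.]+)")
PLATFORM_RE = re.compile(r"\(([^)]*)\)")


def parse_user_agent(ua: str) -> dict:
    """Split a UA string into browser, version, engine and OS fields."""
    tokens = dict(TOKEN_RE.findall(ua))
    m = PLATFORM_RE.search(ua)
    platform = [p.strip() for p in m.group(1).split(";")] if m else []
    os_part = platform[1] if len(platform) > 1 else ""

    # Order matters: Edge also carries Chrome/ and Safari/ tokens, every
    # Blink/WebKit browser carries Safari/, and Safari itself keeps its real
    # version in Version/. Brave sends a plain Chrome string with no token of
    # its own, so nothing here can tell it apart from Chrome.
    if "Edg" in tokens:
        browser, version = "Edge", tokens["Edg"]
    elif "Chrome" in tokens:
        browser, version = "Chrome", tokens["Chrome"]
    elif "Version" in tokens and "Safari" in tokens:
        browser, version = "Safari", tokens["Version"]
    else:
        browser, version = "Unknown", ""

    return {
        "browser": browser,
        "version": version,
        "engine": tokens.get("AppleWebKit", ""),
        "os": os_part,
        "claimed_arch": "Intel" if "Intel" in os_part else "unspecified",
        # Chrome- and Safari-family browsers no longer update the macOS version
        # in the UA and report 10_15_7 on modern releases, so this field says
        # nothing about the real OS version or CPU.
        "os_version_frozen": "Mac OS X 10_15_7" in os_part,
    }


def indistinguishable(ua_a: str, ua_b: str) -> bool:
    """True when two UA strings parse to the same browser, version and OS,
    i.e. the UA alone cannot separate the two visitors."""
    a, b = parse_user_agent(ua_a), parse_user_agent(ua_b)
    return (a["browser"], a["version"], a["os"]) == (b["browser"], b["version"], b["os"])


if __name__ == "__main__":
    for name, ua in (("Safari", UA_SAFARI), ("Brave", UA_BRAVE), ("Edge", UA_EDGE)):
        print(f"{name:7} -> {parse_user_agent(ua)}")
    print("Brave vs Chrome separable by UA:", not indistinguishable(UA_BRAVE, UA_CHROME))
```

For an investigator the takeaway is that a user-agent pins down the rendering engine family and, for Edge, the brand, but the `Intel Mac OS X 10_15_7` platform value is a frozen placeholder and should not be written up as evidence of the CPU or OS version.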
What’s the point, Matt?????
The browser fingerprint, including the User-Agent String, may or may not be helpful in your investigation. Still, you should collect it as you never know what will be necessary as the investigation evolves. Additionally, it's essential to understand the concept, especially when explaining it to a defense attorney attempting to block you from being considered an expert witness.
Some News…
These Pennsylvania men have been accused of being couriers in a computer support fraud scheme that resulted in central Pennsylvania residents paying at least $316,300. The duo presented themselves as federal agents. How did they react when they met the real federal agents? https://www.pennlive.com/crime/2024/02/two-central-pa-men-accused-of-being-couriers-in-computer-hacking-scheme.html
Attackers have compromised over 8,000 subdomains from well-known brands and institutions to launch a massive phishing campaign that sends millions of malicious emails every day. https://www.darkreading.com/application-security/ebay-vmware-mcafee-sites-hijacked-sprawling-phishing-operation
Researchers from cybersecurity firm Apiiro have identified over 100,000 infected GitHub repositories. What happens if you include the infected code in your application project? The article explains, “The malicious code (largely a modified version of BlackCap-Grabber) would then collect login credentials from different apps, browser passwords and cookies, and other confidential data. It then sends it back to the malicious actors’ C&C (command-and-control) server and performs a long series of additional malicious activities.” Yeah, that doesn’t sound good. https://apiiro.com/blog/malicious-code-campaign-github-repo-confusion-attack/
First Kali Linux release of 2024. https://www.kali.org/blog/kali-linux-2024-1-release/
Five New York men were arrested for widespread ATM skimming attacks that spanned from May 2022 through February 2023. The group used the skimmed credentials to create counterfeit debit cards and pull money from the accounts of over 600 victims. Unfortunately, one of the defendants is named Elvis. https://www.justice.gov/usao-edny/pr/five-defendants-arrested-engaging-sophisticated-atm-skimming-schemes-involving-theft
I still feel the excitement of my first trip to a Golden Corral. Gluttony troughs are commonplace now, but were a true rarity in the mid-1980s. The awe… the splendor... the ice cream machine! Anyways, it seems the company isn’t very good at data security and has lost the personal identifying information of over 180,000 current and former employees. https://www.securityweek.com/data-breach-at-golden-corral-impacts-180000-employees/
Cool Job
Assistant Director of Enforcement, Investigations and Processing - NCAA. https://recruiting.ultipro.com/NCA1000NCAA/JobBoard/66281147-2f31-4223-8d47-ae55c7eed635/OpportunityDetail?opportunityId=7e82413b-9b1f-4322-bde4-6e33fc40884d
Cool Tool
See who supports who in state politics: https://www.transparencyusa.org/
Irrelevant
Stop being so awkward and talk. https://hbr.org/2024/02/how-to-make-small-talk-with-anyone-from-anywhere
Really Irrelevant
Well, I guess we need someone to investigate this now. Fish Fraud. https://www.delish.com/kitchen-tools/a60045540/what-is-fish-fraud/
Thank you for being a reader.
Matt
“THE ONLY TRUE WISDOM IS KNOWING YOU KNOW NOTHING.” - I’m the most wise because I know nothing.
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.