Gabor Gulyas, data privacy and web tracking expert, shows us how fraudsters use browser spoofing to hide on your website.
If you go to the website WhatIsMyBrowser.com, chances are you’ll get fairly accurate results. It will show your IP address, location, and of course, the name of your web browser.
And you may not know it, but most websites perform a similar analysis in order to learn more about their users. This is useful because it can help companies tailor specific services, or detect unusual behaviour (like someone suddenly logging in from another country with another browser).
And of course, it helps us spot fraudsters who want to hide their device configurations. This is mostly done with browser spoofing techniques, and today I’ll show you some examples of how they do it, along with some good detection methods.
Thieves Hiding in the Shadows
Before we go over browser spoofing attack methods, it’s useful to understand why fraudsters perform them. There is identity fraud, of course, where they try to make it look like they are someone else. This is usually to bypass KYC checks of financial companies like payday loans or even crypto exchanges.
There’s also the problem of account takeover, when fraudsters acquire the login details of real users and try to drain their accounts or mine them for information. And when performing bot attacks, they often need to change their browser and device configurations quickly and easily.
This also applies to multi-accounting, when one person creates multiple accounts to abuse bonuses and referral programmes, for instance. If all of the connections looked like they came from the same person, it would be too easy to detect.
Changing the Browser’s User Agent String
Okay, let’s now look at some concrete examples of browser spoofing. The first method fraudsters use could be to modify what’s called the browser’s user agent string.
A browser’s user agent string (UA or UAS) identifies the browser to the website. Its values and format differ between browsers, but the important thing is that it is sent as an HTTP header with every request. In simple terms, every time you open a page, the server reads the UA to decide how to serve the content.
These user agents can tell us quite a lot, including information about the operating system too! For instance, you could find out that you’re dealing with the Google Chrome browser (version 70) from this UAS example:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
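As an added example (not code from the article or from SEON), here is a small User-Agent parser of the kind a server would run on each request header. It pulls out the browser family, its version and the operating system. The rule tables cover only the common browser families and are an assumption, and the sample strings are constructed for the demo (the first is the Chrome 70 string quoted above).

```javascript
// Added example, not SEON's own code: a small parser for the User-Agent
// header of the kind a server would run on each request. It pulls out the
// browser family, its version and the operating system. The sample strings
// below are constructed for the demo (the first is the Chrome 70 string
// quoted in the article).

const SAMPLE_UAS = {
  chrome70: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36',
  ie11: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
  iosSafari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
  edge79: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36 Edg/79.0.309.43',
  firefoxLinux: 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
};

// Order matters: Chromium-based browsers such as Edge and Opera also carry
// "Chrome/" and "Safari/" tokens, and every Chrome UA carries "Safari/".
const BROWSER_RULES = [
  { name: 'Edge', re: /\bEdg(?:e|A|iOS)?\/(\d+(?:\.\d+)*)/ },
  { name: 'Opera', re: /\bOPR\/(\d+(?:\.\d+)*)/ },
  { name: 'Chrome', re: /\bChrome\/(\d+(?:\.\d+)*)/ },
  { name: 'Firefox', re: /\bFirefox\/(\d+(?:\.\d+)*)/ },
  { name: 'Safari', re: /\bVersion\/(\d+(?:\.\d+)*).*\bSafari\// },
  { name: 'Internet Explorer', re: /\bMSIE (\d+(?:\.\d+)*)/ },
  { name: 'Internet Explorer', re: /\bTrident\/.*\brv:(\d+(?:\.\d+)*)/ },
];

// Android UAs also say "Linux" and iOS UAs also say "Mac OS X", so the more
// specific rules come first. Windows NT numbers are mapped to product names.
const WINDOWS_NAMES = { '10.0': '10', '6.3': '8.1', '6.2': '8', '6.1': '7' };
const OS_RULES = [
  { name: 'Windows', re: /\bWindows NT (\d+\.\d+)/, map: WINDOWS_NAMES },
  { name: 'Android', re: /\bAndroid (\d+(?:\.\d+)*)/ },
  { name: 'iOS', re: /\b(?:iPhone|iPad|iPod).*\bOS (\d+(?:_\d+)*)/ },
  { name: 'macOS', re: /\bMac OS X (\d+(?:[._]\d+)*)/ },
  { name: 'Linux', re: /\bLinux\b/ },
];

// Returns { browser, browserVersion, browserMajor, os, osVersion }.
function parseUserAgent(ua) {
  const out = { browser: 'Unknown', browserVersion: null, browserMajor: null, os: 'Unknown', osVersion: null };
  for (const rule of BROWSER_RULES) {
    const m = rule.re.exec(ua);
    if (m) {
      out.browser = rule.name;
      out.browserVersion = m[1];
      out.browserMajor = parseInt(m[1], 10);
      break;
    }
  }
  for (const rule of OS_RULES) {
    const m = rule.re.exec(ua);
    if (!m) continue;
    out.os = rule.name;
    let v = m[1] ? m[1].replace(/_/g, '.') : null; // iOS uses 12_1 for 12.1
    if (v && rule.map && rule.map[v]) v = rule.map[v];
    out.osVersion = v;
    break;
  }
  return out;
}

// Stand-alone run: parse every sample and print a one-line summary.
for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
  const p = parseUserAgent(ua);
  console.log(`${label}: ${p.browser} ${p.browserVersion} on ${p.os} ${p.osVersion ?? ''}`.trim());
}
```

The rule order is the part that matters: a naive check for the "Safari/" token would label every Chrome and Edge user as Safari, which is exactly the kind of sloppy parsing a spoofed string exploits. The parser only reports what the string claims; whether the claim is true is a separate question.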
And the good news for wannabe fraudsters is that these strings are easy enough to modify. You can simply download a Chrome extension that lets you change the “look” of your browser. Interestingly, you’ll see that this extension is developed by Google themselves. That’s because it’s a useful developer tool for those who need to test websites seen from different devices.
Once you’ve installed the extension, this is how easy it is to change the string of your browser.
Simply scroll down to, say, the now antique Internet Explorer, and you’re set! Checking whatismybrowser.com will show that you are indeed using Internet Explorer to connect.
Is all user agent spoofing malicious?
Not necessarily! Most developers rely on user agent spoofing to check how websites look from different devices. Some users change theirs for security reasons (for instance when using a VPN), but even certain browsers identify as others. For instance, the default Android web browser identifies itself as Safari to make compatibility easier.
Try it out for yourself! Install the spoofing extension in a Chrome browser and disguise it as another browser. Then, check below whether your Chrome browser can still be detected or not:
More Advanced Spoofing Extensions
There are of course other tricks that fraudsters can use to change the way their browsers appear. One of them is the Trace extension, which includes an impressive list of protective features:
While that is certainly a lot of spoofed parameters, they are not undetectable to the right system. For instance, one that looks at the reported screen size would notice that it is smaller than the visible part of the browser window — a strong indicator that something is suspicious. You can also see it in the example below.
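The screen-size tell just described, together with the user agent check from the previous section, can be written as a set of consistency checks that run in the browser: the extension rewrites the user agent string, but the engine's own properties usually still tell the truth. The following is an added example, not SEON's detection logic. The expected navigator.vendor values and the use of window.chrome as a Chromium marker are assumptions about how current engines behave, and the sample signal sets at the bottom are constructed.

```javascript
// Added example, not SEON's own detection logic: cross-checks the device's
// properties against what its User-Agent string claims. A spoofing extension
// rewrites navigator.userAgent, but it rarely rewrites every other property
// consistently. The sample signal sets at the bottom are constructed.

// Browser family claimed by the UA string (the order handles Chromium
// browsers that also carry "Chrome/" and "Safari/" tokens).
function claimedFamily(ua) {
  if (/\bEdg\//.test(ua)) return 'Edge';
  if (/\bChrome\//.test(ua)) return 'Chrome';
  if (/\bFirefox\//.test(ua)) return 'Firefox';
  if (/\bMSIE |\bTrident\//.test(ua)) return 'Internet Explorer';
  if (/\bSafari\//.test(ua)) return 'Safari';
  return 'Unknown';
}

// Coarse OS family from the UA and from navigator.platform, on the same
// scale so the two can be compared (Android reports a Linux platform).
function osFromUa(ua) {
  if (/\bWindows\b/.test(ua)) return 'Windows';
  if (/\b(?:iPhone|iPad|iPod)\b/.test(ua)) return 'iOS';
  if (/\bMac OS X\b/.test(ua)) return 'macOS';
  if (/\bLinux\b/.test(ua)) return 'Linux';
  return null;
}
function osFromPlatform(p) {
  if (/^Win/.test(p)) return 'Windows';
  if (/^(?:iPhone|iPad|iPod)/.test(p)) return 'iOS';
  if (/^Mac/.test(p)) return 'macOS';
  if (/^Linux/.test(p)) return 'Linux';
  return null;
}

// navigator.vendor as each engine reports it (assumed values).
const EXPECTED_VENDOR = {
  Chrome: 'Google Inc.', Edge: 'Google Inc.', Safari: 'Apple Computer, Inc.',
  Firefox: '', 'Internet Explorer': '',
};

// Reads the live signals when run in a browser; returns null under Node.
function collectBrowserSignals() {
  if (typeof window === 'undefined' || typeof navigator === 'undefined') return null;
  return {
    userAgent: navigator.userAgent,
    vendor: navigator.vendor,
    platform: navigator.platform,
    hasWindowChrome: typeof window.chrome === 'object' && window.chrome !== null,
    screenWidth: window.screen.width,
    screenHeight: window.screen.height,
    innerWidth: window.innerWidth,
    innerHeight: window.innerHeight,
  };
}

// Returns a list of human-readable inconsistencies; an empty list means the
// signals agree with each other.
function spoofingIndicators(s) {
  const hits = [];
  const family = claimedFamily(s.userAgent);
  const chromium = family === 'Chrome' || family === 'Edge';

  // The article's screen-size tell: a spoofed screen smaller than the viewport.
  if (s.screenWidth < s.innerWidth || s.screenHeight < s.innerHeight) {
    hits.push(`screen ${s.screenWidth}x${s.screenHeight} smaller than viewport ${s.innerWidth}x${s.innerHeight}`);
  }
  // window.chrome is only defined by Chromium engines.
  if (s.hasWindowChrome && !chromium) hits.push(`UA claims ${family} but window.chrome is present`);
  if (!s.hasWindowChrome && chromium) hits.push(`UA claims ${family} but window.chrome is missing`);
  // navigator.vendor is set by the engine, not by the UA string.
  if (family in EXPECTED_VENDOR && s.vendor !== EXPECTED_VENDOR[family]) {
    hits.push(`UA claims ${family} but navigator.vendor is "${s.vendor}"`);
  }
  // navigator.platform should agree with the OS named in the UA.
  const uaOs = osFromUa(s.userAgent);
  const platOs = osFromPlatform(s.platform);
  if (uaOs && platOs && uaOs !== platOs) hits.push(`UA claims ${uaOs} but platform is ${s.platform}`);
  return hits;
}

// Constructed samples: a genuine Chrome on Windows, and the same browser with
// its UA switched to Internet Explorer and a shrunken reported screen size.
const SAMPLE_SIGNALS = {
  honestChrome: {
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36',
    vendor: 'Google Inc.', platform: 'Win32', hasWindowChrome: true,
    screenWidth: 1920, screenHeight: 1080, innerWidth: 1280, innerHeight: 720,
  },
  chromeSpoofedAsIE: {
    userAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
    vendor: 'Google Inc.', platform: 'Win32', hasWindowChrome: true,
    screenWidth: 1024, screenHeight: 768, innerWidth: 1280, innerHeight: 720,
  },
};

// Stand-alone run: check the constructed samples, plus the live browser if any.
const live = collectBrowserSignals();
for (const [label, s] of Object.entries(live ? { live, ...SAMPLE_SIGNALS } : SAMPLE_SIGNALS)) {
  console.log(label, spoofingIndicators(s));
}
```

Each check is weak on its own (a developer testing a page trips the same wires), so in practice the number and combination of inconsistencies is what feeds a risk score, not any single hit. The sample spoofed set fires on the screen size, on window.chrome and on navigator.vendor at once, which is a very different picture from a plain Internet Explorer user.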
The next technology fraudsters can use are privacy-orientated browsers. Tails, which is favoured by darknet users for its built-in access to Tor, is designed to work on an external hard drive so that all the device information can be hidden or manipulated. It even comes with MAC address spoofing, which hides the serial number of your network interface and most of the information that could identify you on a network.
The Future of Spoofing Detection? Google’s Picasso
So how do you detect those who do not want to be detected? Well, one interesting technique is the one designed by the anti-abuse team at Google. Codenamed Picasso, it’s a lightweight tool that works on the following assumption: every device has unique traits that cannot be cloned or simulated, and can, therefore, be identified by how it renders graphics.
If that’s true, then a graphical challenge could be designed to test the device, which is then compared to a genuine result.
The challenges do need to be randomized, which can be costly and take substantial effort and resources to set up. You also need several genuine references to each software and hardware stack combination, relating to the device hardware, operating system and web browser. Moreover, the system needs to be up to date for every combination of these three parameters.
How SEON Detects Browser Spoofing
SEON offers businesses a number of tools designed to detect suspicious browser usage. Our IP Analysis module, for instance, can tell you the ISP, the geolocation, the open ports, and whether the address belongs to a server or appears on spam lists, amongst other things.