3 Examples of Browser Spoofing: How it Works & Use it to Detect Fraud


by Gabor Gulyas

Gabor Gulyas, a data privacy and web tracking expert, shows us how fraudsters use browser spoofing to hide on your website.

If you go to the website WhatIsMyBrowser.com, chances are you’ll get fairly accurate results. It will show your IP address, location, and of course, the name of your web browser. 

You may not know it, but most websites perform a similar analysis in order to learn more about their users. This is useful because it can help companies tailor specific services, or detect unusual behavior (like someone suddenly logging in from another country with another device).

And of course, it helps us spot fraudsters who want to hide their device configurations. This is mostly done with browser spoofing techniques, and today I’ll show you some examples of how they do it, along with some good detection methods. 

What is Browser Spoofing?

Cybercriminals use browser spoofing to disguise themselves as some form of entity (business, person, or service) in order to steal information from an unsuspecting person.

Often combined with social engineering, the aim of spoofing is to gain access to systems, steal data, steal money, or spread malware that can then be used in fraudulent activities or simply to access a victim’s assets.

This is usually done to bypass the KYC checks of financial companies such as payday loan providers, or to engage in account takeover attacks and multi-accounting.

How Browser Spoofing Works

Browser spoofing can take place across a range of channels, but it all revolves around fooling the victim into believing that what they are seeing is genuine. As mentioned, this is usually coupled with some form of social engineering to lure the victim into a false sense of security.

Errors such as misspellings, missing images and forced urgency can be signs of a spoof attack.

3 Examples of Browser Spoofing

Email Spoofing

Fraudsters set up fake email addresses that look similar to one that a victim might recognize (family, friends, work colleagues, etc.), with a scheme in place to either scrape information, infect your computer via a link, or demand money.

Website Spoofing 

Sometimes coupled with email stuffing, fraudsters create a malicious website that looks similar to a trusted site, aiming to lead the victim into giving up personal information or, worse, bank details.

IP Spoofing

The criminal creates IP packets with a modified source address, which allows them to impersonate another person’s computer and/or their internet system. Fraudsters use this to cause DDoS attacks, which look to overwhelm a user’s network.

How Do I Change My Browser Agent On Chrome?

Okay, let’s now look at some concrete examples of how to change an IP address. The first method used could be to modify what’s called the browser’s user agent string.

A browser’s user agent string (UA or UAS) is needed to connect a browser with the website. There are different values and formats for different browsers, but the important thing is that the string must be sent in the HTTP request header with each request.

In simple terms, anytime you click on a website, the UA is checked by the server to ensure communication is possible. These user agents can tell us quite a lot, including information about the OS too.

For instance, you could find out that you’re dealing with the Google Chrome browser (version 70) from this UAS example:

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  • AppleWebKit/537.36 (KHTML, like Gecko)
  • Chrome/70.0.3538.77
  • Safari/537.36

How to use Chrome UA Spoofer?

You can use a Chrome UA Spoofer in the form of a Chrome extension that lets you change the “look” of your browser.

Interestingly, you’ll see that this extension is developed by Google themselves. That’s because it’s a useful developer tool for those who need to test websites seen from different devices.

Once you’ve installed the extension, this is how easy it is to spoof the string of your browser with a quick one-feature app.

[Image: Google Chrome extension for browser spoofing]

Simply search and scroll down to, say, the now antique Internet Explorer, and you’re set! Checking whatismybrowser.com will show that you are indeed using Internet Explorer to connect.
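From the defender's side, the Chrome-to-Internet-Explorer switch described above can be caught by comparing the claimed UA with traits read inside the page. The following is an added example, not code from the article or from SEON; the trait field names and both samples are constructed, and it assumes the extension changes only the User-Agent string.

```javascript
// Family claimed by the UA string. Order matters: Chrome's UA also contains "Safari".
function claimedFamily(ua) {
  if (/Edge\//.test(ua)) return "unknown"; // legacy EdgeHTML: not covered by the table below
  if (/MSIE |Trident\//.test(ua)) return "ie";
  if (/Firefox\//.test(ua)) return "firefox";
  if (/Chrome\//.test(ua)) return "chrome";
  if (/Safari\//.test(ua)) return "safari";
  return "unknown";
}

// Traits each engine exposes to JavaScript, independent of the UA string
// (navigator.vendor, navigator.productSub, window.chrome, document.documentMode).
const EXPECTED = {
  chrome:  { vendor: "Google Inc.", productSub: "20030107", hasWindowChrome: true, hasDocumentMode: false },
  firefox: { vendor: "", productSub: "20100101", hasWindowChrome: false, hasDocumentMode: false },
  safari:  { vendor: "Apple Computer, Inc.", productSub: "20030107", hasWindowChrome: false, hasDocumentMode: false },
  ie:      { hasWindowChrome: false, hasDocumentMode: true },
};

// Returns the names of observed traits that contradict the claimed family.
function uaMismatches(sample) {
  const expected = EXPECTED[claimedFamily(sample.ua)];
  if (!expected) return []; // unknown family: nothing to compare against
  return Object.keys(expected).filter((k) => sample.traits[k] !== expected[k]);
}

// Constructed samples: the traits of a real Chrome 70, once with its own UA
// (the string quoted in this article) and once with an IE 11 UA swapped in.
const chromeTraits = { vendor: "Google Inc.", productSub: "20030107", hasWindowChrome: true, hasDocumentMode: false };
const genuine = {
  ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
  traits: chromeTraits,
};
const spoofedAsIE = {
  ua: "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  traits: chromeTraits,
};

console.log(uaMismatches(genuine));
console.log(uaMismatches(spoofedAsIE));
```

A non-empty result is a risk signal rather than proof of fraud, since developers use the same extension for testing.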

Is User Agent Spoofing Malicious?

Most developers rely on it to check how websites look from different devices. Some users change theirs for security reasons (for instance when using a VPN), but even certain browsers identify as others. For instance, the default Android web browser identifies itself as Safari to make compatibility easier. 

Try it out for yourself! Install the extension in a Chrome browser and disguise it as another browser. Then, check whether your Chrome browser can still be detected or not.

Other Advanced Spoofing Extensions

There are other tricks that fraudsters can use to change the way their browsers appear with a range of alternative extensions available at their disposal to attack your business.

One of them is the Trace extension, which includes an impressive list of protective features:

[Image: Spoofing Extensions with only Main Protection]
[Image: Spoofing Extensions with only Advanced Protection]

While that’s certainly a lot of spoofed parameters, they are not undetectable to the right system. For instance, a system that looks at the reported screen size would notice that it is smaller than the actual visible part of the window, which is a strong indicator that something is suspicious. You can also see it in the example below.

[Image: browserleaks.com JavaScript browser information, screen resolution]
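The screen-size check described above can be written as a small set of geometry rules. This is an added example, not code from the article or from SEON; the field names are assumptions for what a collector script reports from the standard `screen` and `window` properties, and the sample values are constructed.

```javascript
// Each rule names a relation that should not occur on an unmodified browser:
// the viewport and the available area both fit inside the reported screen.
const GEOMETRY_RULES = [
  ["viewport wider than screen", (g) => g.innerWidth > g.screenWidth],
  ["viewport taller than screen", (g) => g.innerHeight > g.screenHeight],
  ["available area wider than screen", (g) => g.availWidth > g.screenWidth],
  ["available area taller than screen", (g) => g.availHeight > g.screenHeight],
];

const GEOMETRY_FIELDS = [
  "screenWidth", "screenHeight", "availWidth", "availHeight", "innerWidth", "innerHeight",
];

// Returns the names of violated rules. Missing or non-numeric fields are
// reported instead, because a collector that returns garbage is itself a signal.
function geometryAnomalies(g) {
  const invalid = GEOMETRY_FIELDS.filter((f) => !Number.isFinite(g[f]) || g[f] < 0);
  if (invalid.length) return invalid.map((f) => `invalid ${f}`);
  return GEOMETRY_RULES.filter(([, violated]) => violated(g)).map(([name]) => name);
}

// Constructed samples: a maximized window on a 1920x1080 display, and the same
// window after an extension overrides the screen values with 1024x768.
const genuineGeometry = {
  screenWidth: 1920, screenHeight: 1080, availWidth: 1920, availHeight: 1040,
  innerWidth: 1903, innerHeight: 969,
};
const spoofedGeometry = {
  screenWidth: 1024, screenHeight: 768, availWidth: 1024, availHeight: 768,
  innerWidth: 1903, innerHeight: 969,
};

console.log(geometryAnomalies(genuineGeometry));
console.log(geometryAnomalies(spoofedGeometry));
```

Page zoom and multi-monitor layouts can also shift these values in some browsers, so a hit is best scored together with other signals rather than used as a verdict on its own.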

The next technology fraudsters can use is privacy-orientated browsers. Tails, which is favored by darknet users for its built-in access to Tor, is designed to work on an external hard drive so that all the information can be hidden or manipulated. It even comes with MAC address spoofing, which hides the serial number of your network interface and most of the information that could identify you on a network.


What Is The Future Of Browser Spoofing Detection?

One interesting technique is the one designed by the anti-abuse team at Google. Codenamed Picasso, it’s a lightweight tool that works on the following assumption: every device has unique traits that cannot be cloned or simulated, and can, therefore, be identified by how it renders graphics.

If that’s true, then a graphical challenge could be designed to test the device, which is then compared to a genuine result.

[Image: Picasso setup]

The challenges do need to be randomized, which can be costly and take substantial effort and resources to set up. You also need several genuine references to each software and hardware stack combination, relating to the device hardware, OS and web browser. Moreover, the system needs to be up to date for every combination of these three parameters.

[Image: browser differences]

How SEON Detects Browser Spoofing

SEON offers businesses a number of tools designed to detect suspicious usage. Our IP Analysis module, for instance, can let you know a range of parameters including:

  • ISP
  • Geolocation
  • IP Type
  • Open ports
  • Spam checklists
  • Browser and proxy information
  • VPN usage

With SEON, we are working together on their browser fingerprinting tool, which can be integrated into web and mobile apps via JavaScript. This nifty code can reveal hundreds of data points about the combinations of software and hardware of users, which can then be fed through risk rules to calculate how suspicious a connection is.

For more information about IP analysis, or Device Fingerprinting, don’t hesitate to contact SEON today!

Gabor Gulyas
Expert on Data Protection and Privacy

With a background in IT security and privacy, Gabor is an expert in web tracking and fingerprinting technologies, anonymization and re-identification.
