In this second post on the techniques used by fraudsters, Gabor Gulyas, member of Panopticlick, focuses on device spoofing and anti-fingerprinting.
In a previous article, I went over some of the basic techniques fraudsters use for browser spoofing and user agent spoofing.
Today, we’re going for another deep dive, inspired in part by the research paper Taming the Shape Shifter: Detecting Anti-fingerprinting Browsers. It’s going to be quite technical, but a fascinating look at how the bad guys operate!
What Is An Anti-Fingerprinting Browser?
Fingerprinting has two purposes on the web: advertising parties use it to track people and collect information about them, and anti-fraud teams, like SEON, use it to detect fraudulent activities, even when fraudsters try to hide their devices.
Alongside the development of device fingerprinting techniques, anti-fraud device fingerprinting solutions have also become increasingly sophisticated, pushing fraudsters and their suppliers to develop their own browser tools, purpose-built to evade detection.
This gives anti-fingerprinting browsers a euphemistic name: they are branded as protecting people’s privacy against tracking. While this is true, their price and the technical skills needed to use them make it clear that these products target a different market.
In a way, it’s like anti-anti-fraud detection. And as you can imagine, those who use them do not necessarily have the best intentions in mind.
In fact, these anti-fingerprinting browsers are built for device spoofing that’s tailored to mimic the online configuration of a real user – useful if you hold a stolen credit card number or bank account and want to pass as the legitimate owner.
These tools also allow rapid configuration switching to change their online “appearance” every minute. This is used to avoid detection of repeated attempts, and to test the best configuration that can scale, for instance, to cover automated bot attacks.
Three Levels of Device Spoofing
One way to discover the latest fraudster techniques is to crawl through dedicated underground forums. It’s something the SEON team is quite accustomed to, and this is where the authors of the aforementioned paper compiled a list of all the fraudsters’ tools of the trade.
We can split these into three categories.
The first category is the simplest: due to their nature, these tools are typically implemented as browser extensions. Some are shipped in modified browsers, while others are extensions that need to be installed manually.
When a site tries to gather information about the browser, it’s met with manipulated data. For example, a site reading navigator.userAgent will get a different value than the browser’s default.
- Strengths and Weaknesses: These tools sacrifice features for ease of use. Fraudsters can easily buy, install and maintain them, but they’re also easier to detect with the right solution, for instance, a string comparison.
Native Spoofing Tools
Native spoofing is somewhat more sophisticated and harder to detect. These tools are essentially browsers that are modified at the source code level, which lets fraudsters change fingerprinting attributes in a seamless way.
Another feature: the browser can add noise to certain values to confuse the tracking. The Mimic browser, for instance, has a feature called canvas poisoning, which is supposed to fool canvas fingerprinting.
- Examples of Native Spoofing Tools: a great example is the Mimic browser. It is a Chrome-based browser that lets users block fingerprinting features and add noise to certain values.
- Strengths and Weaknesses: While it’s harder to detect the Mimic browser, it’s not impossible because some errors and inconsistencies still appear when emulating other software and hardware stacks. For example, mimicking a Windows or Mac machine from Linux will still show browser plugins with .so extensions. Canvas noise can also be detected with the right setup.
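The "string comparison" mentioned for extension-based tools and the ".so plugin on a claimed Windows machine" tell mentioned for Mimic are both consistency checks between attributes that should agree. The block below is an added example (not SEON's code and not part of the original post) that runs such checks over a navigator-like object; the sample navigators, the user-agent string and the plugin filenames are constructed for the example, not captured from real devices.

```javascript
// Added example, not SEON's code: consistency checks across navigator
// attributes that extension-based and native spoofers commonly leave
// disagreeing. `nav` is any navigator-like object ({userAgent, platform,
// plugins: [{filename}]}), so the logic also runs outside a browser.

// OS family a user-agent string claims. Android UAs also contain "Linux"
// and iOS UAs contain "like Mac OS X", so the more specific tests come first.
function osFromUserAgent(ua) {
  if (/Android/i.test(ua)) return 'android';
  if (/iPhone|iPad|iPod/i.test(ua)) return 'ios';
  if (/Windows/i.test(ua)) return 'windows';
  if (/Macintosh|Mac OS X/i.test(ua)) return 'mac';
  if (/Linux|X11/i.test(ua)) return 'linux';
  return 'unknown';
}

// OS family implied by navigator.platform (values real browsers report).
function osFromPlatform(platform) {
  if (/^Win/i.test(platform)) return 'windows';
  if (/^(iPhone|iPad|iPod)/i.test(platform)) return 'ios';
  if (/^Mac/i.test(platform)) return 'mac';
  if (/Android/i.test(platform)) return 'android';
  if (/^Linux/i.test(platform)) return 'linux';
  return 'unknown';
}

// Plugin file extensions that never belong to a given OS family: .so is the
// Linux shared-object suffix, .dll is Windows, .plugin is the macOS bundle.
const FOREIGN_PLUGIN_EXT = {
  windows: ['.so', '.plugin'],
  mac: ['.so', '.dll'],
  linux: ['.dll', '.plugin'],
};

// Returns a list of human-readable inconsistencies; an empty list means the
// attributes agree with each other.
function checkPlatformConsistency(nav) {
  const findings = [];
  const uaOS = osFromUserAgent(nav.userAgent || '');
  const platOS = osFromPlatform(nav.platform || '');
  if (uaOS !== 'unknown' && platOS !== 'unknown' && uaOS !== platOS) {
    findings.push(`userAgent claims ${uaOS} but navigator.platform reports ${platOS}`);
  }
  const foreign = FOREIGN_PLUGIN_EXT[uaOS] || [];
  for (const plugin of nav.plugins || []) {
    const file = String(plugin.filename || '').toLowerCase();
    const dot = file.lastIndexOf('.');
    if (dot < 0) continue; // e.g. Chrome's "internal-pdf-viewer" has no extension
    const ext = file.slice(dot);
    if (foreign.includes(ext)) {
      findings.push(`plugin "${file}" has a ${ext} extension, which ${uaOS} does not use`);
    }
  }
  return findings;
}

// Constructed sample navigators (not captured from real devices).
const WINDOWS_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36';
// A genuine Windows Chrome: UA, platform and plugin list all agree.
const GENUINE_WINDOWS = { userAgent: WINDOWS_UA, platform: 'Win32', plugins: [{ filename: 'internal-pdf-viewer' }] };
// A Linux machine presenting a Windows UA: platform and plugin suffix leak through.
const SPOOFED_FROM_LINUX = { userAgent: WINDOWS_UA, platform: 'Linux x86_64', plugins: [{ filename: 'libpepflashplayer.so' }] };

console.log(checkPlatformConsistency(GENUINE_WINDOWS));   // []
console.log(checkPlatformConsistency(SPOOFED_FROM_LINUX)); // two findings
```

In a browser the same function runs over the live object as `checkPlatformConsistency({ userAgent: navigator.userAgent, platform: navigator.platform, plugins: Array.from(navigator.plugins) })`. The point of the design is that each attribute is cheap to spoof on its own; it is the cross-check between attributes that a hurried spoofer fails.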
Complete Recreation of the Software and Hardware Stack
For dedicated fraudsters, the most sophisticated solution involves completely recreating a fake user environment. That means emulating the hardware as well as the operating system and browser.
Luckily, this is not only ambitious, but also very complex and expensive, which could be an obstacle to fraudsters who like to operate fast and at scale.
The bad news, however, is that while we know tools designed for this purpose exist, they are probably used on targeted hunts and are not advertised by fraudsters, which means fraudsters using these kinds of methods could still go undetected by standard anti-fraud tools. However, they are currently only likely to be affecting a handful of people worldwide.
- Examples of tools for complete software/hardware stack emulation: the closest tool we know of is probably a research tool called Blink. To avoid device identification and tracking, Blink recreates a whole virtual machine stack every time it’s launched.
- Strengths and Weaknesses: Here again, small discrepancies can be detected between a real system and an emulated one. I mentioned Google’s Picasso in my previous post on browser fingerprinting, which runs graphical challenges to test the device. It could work here too.
The takeaway of this analysis is the following. While spoofing very specific configurations is possible in theory, these attacks are difficult to carry out and quite expensive; they just don’t scale. These barriers push most (or maybe all) fraudsters into using native spoofing tools that should be detectable.
What is Canvas Fingerprinting?
There are a few ways to track users across the web. Most people will be familiar with web cookies, but you can also use a technique called canvas fingerprinting. Essentially, it looks at how the canvas element (part of HTML5) is rendered on the page.
Each combination of browser, operating system and installed graphics hardware will have its own signature, which is how you can identify certain users over time. It’s the same kind of technology you will find on a website like AmIUnique.org, which shows you your fingerprint and the proportion of users sharing the same features.
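To make the canvas technique concrete, and to show how the "canvas poisoning" noise mentioned earlier can be caught, here is an added example that is not part of the original post and not SEON's code. It draws fixed content to a canvas, hashes the resulting data URL into a short fingerprint, and renders the same content several times: a genuine canvas is deterministic, so the hashes agree, while a browser that injects fresh noise on every read produces diverging hashes. The two stand-in renderers at the bottom are constructed so the logic can run outside a browser.

```javascript
// Added example, not the post's code. Two parts: a browser-side renderer
// that draws fixed content and returns the canvas data URL, and pure logic
// that hashes the rendering and checks whether repeated renderings agree.

// FNV-1a 32-bit hash: enough to turn a long data URL into a short fingerprint.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Browser only: text and shapes whose anti-aliasing and font rasterisation
// differ by browser, OS and GPU, serialised as a PNG data URL.
function renderCanvasProbe(doc) {
  const canvas = doc.createElement('canvas');
  canvas.width = 220;
  canvas.height = 40;
  const ctx = canvas.getContext('2d');
  ctx.textBaseline = 'alphabetic';
  ctx.fillStyle = '#f60';
  ctx.fillRect(100, 1, 62, 20);
  ctx.fillStyle = '#069';
  ctx.font = '14px Arial';
  ctx.fillText('canvas probe, 1.0', 2, 15);
  ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';
  ctx.font = '18px Times New Roman';
  ctx.fillText('canvas probe, 1.0', 4, 35);
  return canvas.toDataURL();
}

// Render the same content `rounds` times. A genuine canvas is deterministic,
// so every hash matches; a poisoned canvas adds fresh noise per read and the
// hashes diverge, which is itself a strong spoofing signal.
function canvasProbeResult(render, rounds = 3) {
  const hashes = [];
  for (let i = 0; i < rounds; i++) hashes.push(fnv1a(render()));
  const distinct = new Set(hashes).size;
  return { fingerprint: hashes[0], distinct, noisy: distinct > 1 };
}

// Constructed stand-ins for a real renderer (not real canvas output):
// STABLE_RENDERER behaves like a genuine canvas, POISONED_RENDERER like a
// browser that perturbs the pixels on every read.
const STABLE_RENDERER = () => 'data:image/png;base64,iVBORw0KGgoAAAA';
let poisonCounter = 0;
const POISONED_RENDERER = () => 'data:image/png;base64,iVBORw0KGgoAAAA' + (poisonCounter++);

console.log(canvasProbeResult(STABLE_RENDERER));   // noisy: false
console.log(canvasProbeResult(POISONED_RENDERER)); // noisy: true
```

In a browser the call is `canvasProbeResult(() => renderCanvasProbe(document))`. Rendering more than twice matters: a single comparison can be fooled by a poisoner that caches its noise per page load, whereas a stable fingerprint across several reads and across page loads is what a genuine device produces.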
Setting Up An Anti-Fingerprinting Detection Test
So how do you detect anti-detection tools? Let’s look at an example of how the SEON fraud prevention platform does it.
In this scenario, we’ll try to detect a browser that uses noise to hide its real values. More specifically, one that generates a random font set, so that the browser “looks” like another one.
If there are any differences between the two font sets, we can assume that one of them has been installed later, which points to a spoofing attempt.
As for our own font detection website, it used a set of optimized fonts. (We could have used FingerprintJS, but our own solution got results 66.1% faster.)
After running a few tests, we managed to establish values representing real browsers versus fake ones.
That means we can now create a strong custom rule with simple thresholds. If the value is between 3 and 6, we can decrease the risk factor. Anything above or below that should make the risk score go up.
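The font check above boils down to a set difference and a threshold rule. The block below is an added example, not SEON's rule engine or any code from the original post. The post does not say which two font sets it compares, so the example assumes (an assumption of this example) that they are the fonts found by probing the browser and the fonts expected for the OS the browser claims; the 3-to-6 window and the direction of the risk adjustment are taken from the text, and the font lists are constructed sample data.

```javascript
// Added example, not SEON's rule engine. Assumption (not from the post): the
// two font sets compared are the fonts detected by probing and the fonts
// expected for the claimed OS. The 3..6 window comes from the text.

// Browser only: simplified font probing. Text set in '"<font>", monospace'
// measures differently from plain monospace only when <font> is installed
// (a font whose metrics happen to match the fallback would be missed).
function probeFonts(doc, candidates) {
  const ctx = doc.createElement('canvas').getContext('2d');
  const sample = 'mmmmmmmmmmlli';
  const widthIn = (font) => {
    ctx.font = `72px ${font}`;
    return ctx.measureText(sample).width;
  };
  const baseline = widthIn('monospace');
  return candidates.filter((name) => widthIn(`"${name}", monospace`) !== baseline);
}

// Symmetric difference between the expected and the detected font sets.
function fontSetDifference(expected, detected) {
  const e = new Set(expected);
  const d = new Set(detected);
  const missing = expected.filter((f) => !d.has(f)); // expected but absent
  const extra = detected.filter((f) => !e.has(f));   // present but unexpected
  return { missing, extra, count: missing.length + extra.length };
}

// The rule from the text: between 3 and 6 differences looks like a genuine
// machine (real users add and remove a few fonts), so the risk goes down;
// anything outside that window pushes the risk up. Returned as a signed step.
function fontRuleAdjustment(count, { min = 3, max = 6 } = {}) {
  return count >= min && count <= max ? -1 : +1;
}

function scoreFontSet(expected, detected) {
  const diff = fontSetDifference(expected, detected);
  return { ...diff, adjustment: fontRuleAdjustment(diff.count) };
}

// Constructed sample data, not measurements from real devices.
const EXPECTED_WINDOWS_FONTS = ['Arial', 'Calibri', 'Cambria', 'Consolas', 'Georgia',
  'Segoe UI', 'Tahoma', 'Times New Roman', 'Trebuchet MS', 'Verdana'];
// A real user: two stock fonts removed, two developer fonts added (4 differences).
const DETECTED_REAL_USER = ['Arial', 'Calibri', 'Georgia', 'Segoe UI', 'Tahoma',
  'Times New Roman', 'Trebuchet MS', 'Verdana', 'Fira Code', 'Roboto'];
// A spoofer that copied the expected list verbatim (0 differences: too perfect).
const DETECTED_VERBATIM_COPY = [...EXPECTED_WINDOWS_FONTS];
// A spoofer emitting a random font set (many differences).
const DETECTED_RANDOM_SET = ['Arial', 'DejaVu Sans', 'Liberation Mono', 'Noto Sans',
  'Ubuntu', 'Cantarell', 'Droid Sans', 'Lato'];

console.log(scoreFontSet(EXPECTED_WINDOWS_FONTS, DETECTED_REAL_USER).adjustment);     // -1
console.log(scoreFontSet(EXPECTED_WINDOWS_FONTS, DETECTED_VERBATIM_COPY).adjustment); // +1
console.log(scoreFontSet(EXPECTED_WINDOWS_FONTS, DETECTED_RANDOM_SET).adjustment);    // +1
```

In a browser, `probeFonts(document, EXPECTED_WINDOWS_FONTS.concat(otherCandidates))` supplies the detected set. Note that both ends of the rule matter: a zero-difference result is as suspicious as a wildly different one, because a real machine almost never matches a reference list exactly, while a spoofer that copies the reference list does.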
A Technological Arms Race
There is a strange dynamic between fraudsters and anti-fraud teams. It’s a bit like an arms race. Whoever has the most advanced technology at the time can win, but only until the other side catches up.
The good news is that even the latest anti-fingerprinting browsers aren’t fully undetectable yet. Thanks to advanced techniques like font probing and canvas fingerprinting, which are included in the SEON platform to detect device spoofing, you can still take the upper hand against bad actors trying to exploit your business.