
“Anti-Detect” Browsers: Is Browser Fingerprinting Defeated?

Written by Jake Kruse

Executive Summary

For years, cybercriminals and fraudsters have dealt with many variations of the same problem: once they have obtained a victim’s access credentials to a particular online application or website (e.g., online banking), how can those credentials be easily exploited or monetized? Security and fraud prevention techniques such as geofencing, trusted devices, and two-factor authentication have made it much more complicated - but by no means impossible - for a threat actor to “take over” a victim’s account using compromised credentials. In recent years, browser fingerprinting technology specifically posed a significant challenge for cybercriminals and fraudsters. Yet a fresh surge in the development of advanced “Anti-Detect” browsers is enabling cybercriminals to defeat browser fingerprinting controls with relative ease and scalability. Furthermore, such tools are enabling ever more would-be cybercriminals to enter a world previously dominated by more technically experienced actors.


A Primer on Browser Fingerprinting

Many companies today use browser fingerprinting to authenticate users. Internet browsers can be identified by far more than just the user agent string. Web servers can identify up to several dozen attributes, of varying degrees of uniqueness, that can be used to identify an individual user, such as:

  • Installed fonts
  • Installed plugins
  • Browser extensions and support (WebGL, etc.)
  • Supported / Preferred Language Settings
  • Time zone
  • Screen Resolution

The uniqueness of each of these attributes may vary, but when a sufficient number of them are combined, they generate a fairly unique fingerprint that identifies a user’s computer. Consequently, browser fingerprinting emerged as a popular method to authenticate users and reject unauthorized access attempts.

However, as is typically the case, cybercriminals have adjusted. As organizations have begun to utilize browser fingerprints to better detect account takeover and fraud, malware has also evolved to focus on capturing all of these elements in addition to account details such as usernames and passwords. Presently, even the most basic ‘stealers’, which can usually be purchased in the cybercriminal underground for $50 or less, are easily capable of stealing fingerprints.


The Response: “Anti-Detect” Browsers

Technically savvy cybercriminals have developed tools to effectively emulate a victim’s device and browser. In the cybercriminal underground, such tools are commonly referred to as “Anti-Detect” browsers. The number and popularity of such tools have grown substantially since 2018. The most popular “anti-detect” tools are Linken Sphere and the aptly named Anti-Detect. Other popular tools include:

  • Genesis
  • Kameleo
  • Indigo
  • Antbrowser
  • AFF Combine
  • Vecktor T13
Linken Sphere’s Main Website

Generally, such “anti-detect” browsers bring together all of the necessary tools to evade modern cybersecurity and anti-fraud detection mechanisms in a single window, as shown:

Linken Sphere Session Set Up

The user can configure nearly every detail of how the browser will present itself to remote websites, and easily configure a proxy to use in conjunction with fingerprint behavior. So, a fraudster who has successfully compromised a victim’s machine can simply load that victim’s browser fingerprint into an “anti-detect” browser and proceed to log in to the victim’s account (for example, online banking, e-commerce). With a browser fingerprint that matches the victim’s, nothing unusual will be detected at login, and the fraudster can proceed to attempt to commit some kind of fraud or malicious activity.
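
Seen from the server side, the matching step described above looks like the following added example (not code from Q6 Cyber or from any fingerprinting product). It hashes client-reported attributes into a fingerprint, shows that a replayed attribute set produces the identical hash, and applies a hypothetical policy in which a match never suppresses other signals. The key names, the `assessLogin` policy, the network labels and all sample values are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Attribute names follow the page's list; the key names are assumptions.
const FIELDS = ["fonts", "plugins", "webgl", "languages", "timezone", "screen"];
const UNORDERED = new Set(["fonts", "plugins"]); // list order carries no meaning

// Hash the client-reported attributes in a canonical form (fixed key order,
// sorted unordered lists) so that reordering alone does not change the result.
function fingerprint(attrs) {
  const canon = FIELDS.map((f) => {
    const v = attrs[f] ?? null;
    return [f, UNORDERED.has(f) && Array.isArray(v) ? [...v].sort() : v];
  });
  return crypto.createHash("sha256").update(JSON.stringify(canon)).digest("hex");
}

// Hypothetical policy: a fingerprint match is necessary but never sufficient,
// because every input to the hash is supplied by the client and can be replayed.
function assessLogin(enrolled, login) {
  const reasons = [];
  if (fingerprint(login.attrs) !== enrolled.fingerprint) reasons.push("fingerprint_mismatch");
  if (!enrolled.networks.includes(login.network)) reasons.push("new_network");
  return { decision: reasons.length ? "step_up_2fa" : "allow", reasons };
}

// Constructed sample data for one enrolled customer device.
const customerAttrs = {
  fonts: ["Arial", "Calibri", "Verdana"],
  plugins: ["pdf-viewer"],
  webgl: "vendor-A/renderer-B",
  languages: ["en-US", "en"],
  timezone: "America/Chicago",
  screen: "1920x1080",
};
const enrolled = { fingerprint: fingerprint(customerAttrs), networks: ["AS64500/US"] };

// The same attributes presented again from a network not seen for this account.
const replayed = { ...customerAttrs, fonts: ["Verdana", "Arial", "Calibri"] };
const usual = assessLogin(enrolled, { attrs: customerAttrs, network: "AS64500/US" });
const replay = assessLogin(enrolled, { attrs: replayed, network: "AS64511/NL" });
const changed = assessLogin(enrolled, {
  attrs: { ...customerAttrs, screen: "1366x768" },
  network: "AS64500/US",
});
console.log(usual, replay, changed);
```

The replayed session hashes to the enrolled fingerprint, so only the independent network signal triggers the step-up; a fingerprint-only check would have allowed it.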


Recommendations

With the growing popularity of “anti-detect” browsers, traditional browser fingerprinting and other security solutions are unable to prevent unauthorized account access and takeover. Consequently, companies facing customer account takeover and fraud must find alternative or complementary solutions, including:

  1. Leverage intelligence to proactively identify customer accounts that are at high risk of takeover, and action them to mitigate the risk.
  2. Analyze popular “anti-detect” browsers and their interactions with online applications to identify indicators and patterns that can be used to detect unauthorized logins.

Learn how Q6 Cyber’s unique E-Crime Intelligence platform can help you do all that and more to bolster your information security and anti-fraud programs.


 

About the Author

Jake Kruse is a Senior Security Engineer at Q6 Cyber. Jake leads in-depth technical analysis and reverse engineering of tools, techniques, and practices (TTPs) of threat actors around the world. Prior to Q6, Jake was an analyst with the Department of Defense and has worked for many years in the industry.