Cybersecurity experts warn that a notorious hacker marketplace is being used by ransomware gangs to breach U.S. companies and government organizations.
The Genesis Market is an easy-to-use online shop that sells login credentials, cookies and device fingerprints, website vulnerabilities and other sensitive data that help hackers thwart security protocols. Security researchers warn that the market, along with other criminal sites, has become an important tool for hacking organizations to carry out these attacks.
Genesis launched in 2018 and is linked to a number of recent cyberattacks, including a breach of video game publisher Electronic Arts in June of this year that resulted in the loss of sensitive data, including the source code for the game FIFA 21.
Among the raft of personal data (hacked from some of the world’s largest commercial sites, including Target, Marriott and Equifax) available for sale on the invite-only shop, the most popular are stolen cookies and device fingerprints. These digital profiles, planted on your machine after you log into a website or app, contain passwords and other personal information for services such as Gmail, Facebook, Netflix, Spotify and others.
Accounts for sale
Governments and companies are already on red alert for ransomware after law enforcement agencies like the FBI and the Cybersecurity and Infrastructure Security Agency recently warned them to expect more cyberattacks this fall.
“Genesis will certainly play a major role in a future ransomware attack,” said Dan Woods, a digital forensics expert at F5 Security who spent 20 years as a cyberterror investigator for law enforcement agencies including the FBI and CIA. “Right now, there are tens of thousands of ‘accounts’ for sale, so I would be surprised if it hasn’t already been used to enable, directly or indirectly, many ransomware attacks.”
Much of the market’s appeal is its ease of use. Similar to how Amazon helped third-party sellers conduct ecommerce on a large scale, Genesis’ one-stop-shop simplicity has made it a popular destination for hackers. Unlike dark web marketplaces that require special software and only accept payment in obscure cryptocurrencies, for instance, Genesis is hosted on the regular internet and sports a modern interface that even offers an FAQ page for new users.
This is a notable advantage for the number of ransomware organizations that operate from countries where the virtual private network software necessary to access dark web markets is restricted, Woods said. “The nature of the dark web means it’s hard to access for potential customers, and it’s a pain in the neck for sellers. Genesis makes it easy to buy and sell.”
The site is growing rapidly, a possible indication that it has proven useful to “ransomware-as-a-service” gangs, said Alejandro Caceres, director of computer network exploitation at QOMPLX.
“I would be surprised if ransomware gangs were not using Genesis and markets like it,” he said. “It reduces the barrier to entry for buyers and for sellers. If you’re a criminal hacker and in it for the money, it’s a great value proposition.”
When Genesis launched in late 2018, it offered a handful of hijacked digital identity accounts known as “bots” (unrelated to the automated software programs by the same name). Today, there are over 400,000 bots for sale on the site.
“These are pros”
While Genesis will accept payment in Bitcoin, bot prices are listed in dollars. Prices range from a few pennies per bot to over a hundred dollars for accounts that contain login information for mainstream consumer websites.
Genesis has been able to evade law enforcement because the operators are anonymous and have good operational security skills, said Caceres, a former hacker himself. “These are professionals who know how to cloak their IP address and traffic,” he said. “Some markets are run by amateurs, but they’re usually caught quickly. Genesis has been growing for several years with few, if any, of the typical mistakes that a lot of dark website operators make. These are pros.”
“Ransomware groups are looking for a repeatable and sustainable process for making money,” Caceres said. “They need job security and that comes from a constant stream of compromised assets. Could they spend time and energy compromising sites on their own? Sure. But it’s easier and cheaper if they can just go buy the accounts.”