Hacker News

So, as a web programmer, I'd like to infer how this data got into the marketplace in the first place. The offerings are all powered by browser data exfiltration! Which means their vector is another process on the host, or it could be a malicious browser extension, or a resource 0-day. Or the tokens could be exfiltrated from the server side, too.

Does anyone know how they get this data?



Chrome has a browser extension API which allows plugins to access all cookies, but its use is considered suspicious and a red flag; an extension which uses it would generally get caught during initial review. However, Chrome extensions are also allowed to "hotload" portions of their own code/scripts from external 3rd-party servers.

So an extension will seem benign when it initially gets checked by Google as part of its submission to the Chrome Store. Then, later, the external "3rd-party" script that is hosted remotely will get replaced with a different, malicious script. The malicious extension carries on stealing cookies, credentials, and fingerprints until someone reverse engineers it and reports it to Google.

Google will not always recognize the issue immediately because the 3rd-party malicious code is not strictly "part of" the extension, so there's a bit of a song and dance while the person who reversed it convinces Google's reviewers that "yes, this really is actually malicious, you need to analyze the third-party code that loads later", and then Google eventually takes it down after a semi-involved back-and-forth where extensive documentation and video walk-throughs are provided by the exasperated white-hat Good Samaritan.


Remote loading of code has been banned by Google and Mozilla for several years now. The automated review tools pick up script injection and eval() calls. Unless you can craft something unique, you’re not going to get past the automated review.

I’m guessing the malware is something else besides a browser extension.


Stuff like setTimeout accepts strings too. I wonder how good those scanners are at detecting overwriting an initially innocent function that's later called in a timeout with a string; it can get fairly indirect.

    let harmless = { func : function() { }, harmlessExternallyLoadedString : '' };
    let toAccess = 'func';
    //do stuff that seems legit
    if(true) {
        let toAccess = 'harmlessExternallyLoadedString'; // block-scoped: shadows the outer toAccess, which stays 'func'
    }
    harmless[toAccess] = 'alert(1);'; //imagine this being a fetch request; overwrites harmless.func, not the string field
    //later on
    setTimeout(harmless.func, 1); // harmless.func is now a string, which the browser evaluates like eval()

Now imagine the logic for what toAccess is set to is obfuscated a bit by a more complex logic tree, and the example was a bit less contrived.
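An added example, not posted by anyone in this thread, contrasting the two review approaches discussed above: a naive text scan for string-evaluating sinks (the kind of "eval() and script injection" check mentioned earlier) and a runtime check that instruments the same sinks. Both snippets it examines are constructed for the demo; the second is the indirect string-to-setTimeout pattern from the comment above. The pattern names and the shadowing harness are this example's own assumptions, not any real review tool's.

```javascript
// Added example (not from the thread): naive static signatures versus
// runtime instrumentation of the string-capable timer sinks.
// Both samples below are constructed for this demo.

const OBVIOUS = `setTimeout("alert(1);", 1);`;

const INDIRECT = `
let harmless = { func: function () {}, harmlessExternallyLoadedString: '' };
let toAccess = 'func';
if (true) { let toAccess = 'harmlessExternallyLoadedString'; } // shadowed, no effect
harmless[toAccess] = 'alert(1);';   // overwrites harmless.func with a string
setTimeout(harmless.func, 1);       // the string reaches the timer sink
`;

// Textual signatures of the kind an automated review might grep for.
// The names are this example's own, not those of any real scanner.
const STATIC_PATTERNS = [
  { name: 'eval',          re: /\beval\s*\(/ },
  { name: 'function-ctor', re: /\bFunction\s*\(/ },
  { name: 'string-timer',  re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
  { name: 'script-inject', re: /createElement\s*\(\s*['"]script['"]\s*\)/ },
];

// Static scan: names of every signature that matches somewhere in the text.
function staticScan(source) {
  return STATIC_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.name);
}

// Runtime check: execute the source with setTimeout/setInterval replaced by
// recorders that log any string payload instead of scheduling or evaluating
// it. The Function constructor here only shadows two names for the sample;
// it is a demo harness, not an isolation boundary.
function instrumentedRun(source) {
  const findings = [];
  const recorder = (sink) => (callback) => {
    if (typeof callback === 'string') {
      findings.push({ sink, payload: callback });
    }
    return 0; // never schedule anything in the harness
  };
  new Function('setTimeout', 'setInterval', source)(
    recorder('setTimeout'),
    recorder('setInterval'),
  );
  return findings;
}

// Both views of one sample side by side.
function assess(source) {
  return { static: staticScan(source), runtime: instrumentedRun(source) };
}

console.log('obvious :', JSON.stringify(assess(OBVIOUS)));
console.log('indirect:', JSON.stringify(assess(INDIRECT)));
```

The static scan flags the obvious sample and reports nothing for the indirect one, because no quoted string ever sits next to `setTimeout(` in the text. The instrumented run catches both, since the string arrives at the sink regardless of how it got there. The same limitation applies to the remote-loading case discussed earlier: a text scan of the submitted package says nothing about what a remotely hosted script contains after it is swapped.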


Seems like you speak from experience.

Do you have any specifics to share ?


Genesis infects your computer with persistent malware (the "bot" as mentioned in the article) which lets their customers who bought access do anything on the infected machine. There are plenty of ways your computer can get compromised, which will install the botnet client as the final payload.

https://netacea.com/uploads/genesis_market_report_2021.pdf


Wait, so it's not a market? I thought this was a resource where black hats go to sell their data. But you're saying that Genesis is the only black hat, and their "market" is just selling their own data?


Yep. But there was nothing stopping a black hat from contacting the admin and selling their own botted data to the Genesis shop. Criminal organizations have supply chains.


Black hats compromise targets by installing the Genesis bot, then there is revenue sharing.


I don't have any insider knowledge or anything, only suspicions - I have friends who have developed relatively simple browser extensions like dark mode ones / filtering ones etc.

Once they get to like the 100k DAU popularity level, you'll start getting emails from people who claim to want to purchase the extension from you for a few thousand or "sponsor" the development by supporting you with ads.

You either sell it, or include some JavaScript that later (few weeks) turns malicious and starts harvesting.

That's probably how. Like I say, I have no idea if that's how these people work, but it seems a likely attack vector.


Malware spread by email. This is how YouTube channels get hacked for Elon crypto scam livestreams. The session is hijacked too.

A second way is through Chrome extensions that log cookies and form data. The old cookies can be replaced with the new, stolen session via a cookie editor.


Discord stores its data in local storage. Other electron apps do, too.



