What is 'Genesis Market', the site behind a large-scale leak that sells login information for only 1000 yen?

It was reported on June 10, 2021 that the computer game sales company Electronic Arts (EA) was hacked and a large amount of source code was stolen. The hacker who carried out this attack was found to have purchased login information for EA's Slack account for about 1000 yen at an underground site called 'Genesis Market'.

Inside the Market for Cookies That Lets Hackers Pretend to Be You

It was discovered on June 10, 2021 that EA, known for its 'Battlefield' and 'FIFA' series, was hacked and a large amount of source code and internal tools were stolen.

780GB of source code and internal tools stolen from EA in a hack will be sold - GIGAZINE

The IT news outlet Motherboard reported that the hacker behind the incident said he used a cookie purchased for $10 to log in to EA's Slack account, tricked IT support personnel, and got into the company's internal network.

Motherboard has been in contact with the hacker and has established that the hacker purchased the cookie on an invitation-only underground site called 'Genesis Market.'

A cookie is a small file that allows your computer to store a variety of information. Information entered by the user on a website, login information, and so on can be saved on the device as cookies. You can read about how cookies work at the following link.

What is a cookie? | GIGAZINE.BIZ

Websites also use cookies from advertising companies that are unrelated to the website being visited, which allows user behavior to be tracked outside of that site. This is called a third-party cookie, and in recent years there have been concerns about its use from the perspective of privacy.

According to Motherboard, Genesis Market allows hackers to create 'replicas' of the target browsers through cookies and device fingerprints.

Matthew Gracey-McMinn, head of research at cybersecurity firm Netacea, who researched Genesis Market, said that hackers can sometimes bypass two-step verification with data purchased from Genesis Market. This is because users who log in using Genesis Market data appear to be 'legitimate users,' and 'this kind of data makes hackers and victims almost indistinguishable,' Gracey-McMinn explained.

In addition, the hacker who attacked EA did not simply purchase a single cookie, but purchased exclusive access to a bot operating as part of a botnet. Bots, a type of malware, are commonly used for purposes such as 'making law enforcement agencies unable to locate hackers' or 'DDoS attacks.' Genesis Market, on the other hand, uses bots to obtain cookie information for web services, and sells it in units such as 'bots linked to 5000 cookies'. The web services include Facebook, Apple, Netflix, GitHub, Steam, Instagram, Adobe, Amazon, Google, Tumblr, Twitter, Dropbox, PayPal, LinkedIn, Slack, Spotify, Reddit, Pinterest and more.

The hacker who attacked EA said that Genesis Market can 'filter by URL' for targeted web services. In fact, when Gracey-McMinn and colleagues searched for bots related to 'Slack' on the Genesis Market, they found more than 3,500.

The total number of bots sold on the Genesis Market was about 400,000.

Hackers who purchase bots can obtain login information contained in cookies, such as email addresses and passwords, so that they can access those websites. They can also use the Genesis Market browser plugin together with the login information to imitate the victim at a finer level of detail. Moreover, if the bot is still active, information will continue to be collected, so data will continue to flow in without purchasing a new bot. 'Basically, if you buy early, it's a bargain, because in the end you can get something worth hundreds of dollars (tens of thousands of yen) for 70 cents (about 77 yen),' Gracey-McMinn said.

Gracey-McMinn and colleagues believe that there is only one group behind the Genesis Market. It seems that this group originally sold the information it collected using malware, and later made it possible for others to sell the information as well.

Researchers say that by reverse engineering a plugin from the Genesis Market, it is possible to monitor attacks made through the plugin, but that attacks that do not use the plugin are difficult to detect.
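Because a replicated cookie and device fingerprint make the attacker look like the legitimate user, a server-side check has to rely on something other than the fingerprint. The following is an added example, not code from the original article or from Netacea's research: it flags a session cookie that is used from two networks at overlapping times. The log fields, the ASN values and the 30-minute window are assumptions, and the sample events are constructed.

```python
"""Flag session-cookie replay: one session ID active from two networks at once.

All records are constructed sample data; field names and the 30-minute window
are assumptions, not taken from any product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, session_id, client ASN, fingerprint hash) -- constructed samples
EVENTS = [
    ("2021-06-01T09:00:00", "sess-A", "AS64500", "fp-1"),
    ("2021-06-01T09:05:00", "sess-A", "AS64500", "fp-1"),
    ("2021-06-01T09:07:00", "sess-A", "AS64511", "fp-1"),  # same fingerprint, new network
    ("2021-06-01T09:09:00", "sess-A", "AS64500", "fp-1"),  # original client still active
    ("2021-06-01T09:00:00", "sess-B", "AS64501", "fp-2"),
    ("2021-06-01T13:00:00", "sess-B", "AS64502", "fp-2"),  # hours later: user moved networks
]

WINDOW = timedelta(minutes=30)


def find_replayed_sessions(events, window=WINDOW):
    """Return {session_id: sorted ASNs} for sessions interleaved across networks.

    A session is flagged when requests from two different ASNs fall within
    `window` of each other. The fingerprint is deliberately ignored as proof of
    identity, because a cloned browser profile presents the victim's fingerprint.
    """
    by_session = defaultdict(list)
    for ts, sid, asn, _fingerprint in events:
        by_session[sid].append((datetime.fromisoformat(ts), asn))

    flagged = {}
    for sid, hits in by_session.items():
        hits.sort()
        # Any two differing ASNs inside the window imply an adjacent differing pair.
        for (t1, asn1), (t2, asn2) in zip(hits, hits[1:]):
            if asn1 != asn2 and t2 - t1 <= window:
                flagged[sid] = sorted({asn for _, asn in hits})
                break
    return flagged


if __name__ == "__main__":
    for sid, asns in find_replayed_sessions(EVENTS).items():
        print(f"{sid}: concurrent use from {', '.join(asns)} -> re-authenticate")
```

A hit is a prompt to force re-authentication rather than proof of compromise, since a user switching from Wi-Fi to a mobile network inside the window is flagged as well.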

in Security, Posted by logq_fa