CyberWire Daily - Profiling the Linken Sphere anti-detection browser. [Research Saturday]

Episode Date: January 11, 2020

Multiple e-commerce and financial organizations around the world are targeted by cybercriminals attempting to bypass or disable their security mechanisms, in some cases by using tools that imitate the... activities of legitimate users. Linken Sphere, an anti-detection browser, is one of the most popular tools of this kind at the moment. Staffan Truvé, CTO and co-founder of Recorded Future, joins us to discuss their new report on the browser. The research can be found here: Profiling the Linken Sphere Anti-Detection Browser

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:19 So Linken Sphere is a browser which allows the user to, you could say, masquerade in different ways. So in its easiest form, it allows the user to change some of the characteristics which make up the so-called fingerprint of the browser.
Starting point is 00:03:30 That's Staffan Truvé. He's the co-founder and chief technology officer at Recorded Future. The research we're discussing today is titled Profiling the Linken Sphere Anti-Detection Browser. Of course, the use for that is that if you're connecting from the same machine and trying to sort of have different personalities, different identities, you need to change these kinds of parameters. So that's one part of it.
Starting point is 00:03:56 The other part of Linken Sphere is that it's a platform for essentially hiding that it's a machine and not a human that's communicating through the browser. Examples of how you can do that, for example, is if you do text input, it has the capacity to change the timing so it looks like a human typing and not a machine putting in information, for example. It can also change between appearing to be a normal laptop-based browser and a touchscreen-based browser. And so what's the background in terms of the origin of this? Where did it come from? Who developed it?
Starting point is 00:04:34 So this has been around for a couple of years now, developed by what we assume is a Russian guy who did this. And the reason we decided to do some deeper dive into it now and explore its capabilities was that they released a new version this summer. We thought it was interesting to see what kind of new features they have put in there and also what the community using it was talking about.
Starting point is 00:04:59 So we've been tracking it both through the developer's own website, things like that, but also by looking in various criminal forums and seeing what kind of discussions are going on there, what are people asking about, and essentially how well supported is the product. Now, as is the case with many of these tools that have multiple uses on both sides of the fence, the developers here list a number of legitimate uses for it. What sorts of things are they saying that are the legitimate reasons for having a tool like this?
Starting point is 00:05:31 Well, you know, so they are saying that this can be used for penetration testing. It can be used if you're testing your system, you know, so we're actually using some similar tools ourselves when we develop our own user interfaces. It can also be used, they claim, for privacy. If you're working in an environment where you are afraid of, say, government or someone else intervening with you, you know that you can get higher privacy through this. And these are all legitimate cases. you know, those are all good cases why people in different situations could want a tool like this. But then, of course, you know, as we've been writing about, you could also find a number of not quite as legitimate uses for it. Well, let's go through your research here. I mean, what are some of the key things that you all were looking at? We really did this as a product evaluation, you can say. So we started out by checking
Starting point is 00:06:30 out the pricing and the kind of support you get. And I would say the overall conclusion on that side is that this is a very professional organization providing this, you know, so they are very open about their license terms. You can license Lite and the Pro and the Premium version. You can have it for different times. And they're very clear about what kind of capabilities you get with the different licenses. So in that sense, it all looks like a very legitimate product, you know, good support. Also appears from the way they are answering questions about it that they have a good customer support organization.
Starting point is 00:07:06 People ask things, they both reply themselves, and there's a community of users who reply on questions about how to use it and how to set it up and so on. The pricing starts at $100 per month. I mean, that sits somewhere in there where it's not out of reach for a lot of people, but I can imagine that it's something that an amateur would be willing to pay for as well. No, you're quite right. This is not something which people would sort of, you know, you wouldn't throw out that money just for fun. So you should have a legitimate economic case for paying that kind of license fee. Absolutely. Now, your research here, you go through quite a bit of detail in your threat analysis.
Starting point is 00:07:47 Can you walk through some of the interesting things that you found here? The first part is really the way it allows you to hide in different ways. So first of all, we should say that this is based on Chromium. But of course, they've stripped out anything which calls back, for example, to Google services and so on. So when you're using this, you could feel secure that you will not be tracked. There are no tracking mechanisms that we have found, at least in the product as such. And then the first part maybe is that you can, as I said, you can use that to essentially configure what your profile will look like, you know, what operating system, what browser, what kind of machine, time zone and so on, which you appear to be coming from when you use this.
Starting point is 00:08:34 So very handy. And you can think of one reason you want to do that is, for example, if you want to, let's say, go to the same website multiple times with short time in between and not appear to come from the same machine, then that's excellent because you can then set up so you have a new profile every time you go there. A use case for that, for example, could be if, you know, let's say that you're in the business of trying to manipulate, say, customer ratings, for example. You could very easily, using this tool, you could go to something like TripAdvisor or something like that a hundred times and put in new reviews. And it will look like it's different individuals putting in those reviews. So that would be one simple use case for that functionality.
Starting point is 00:09:24 And it has the ability to automate that, right? It's fairly easy to spin up those, I guess to randomize those settings? Yes, it has the ability. Essentially, and what you get is that you get, even with a subscription, you get a bunch of settings. So you get a bunch of profiles
Starting point is 00:09:40 from scratch, but you can also add your own. That's very, very simple. And the other interesting thing, which I think is maybe the most interesting part, is that apart from being able to do this manually or semi-manually, there is also an API which you can use with Linkosphere. So through the API, you could have a script, you know, it could be a simple shell script, or it could be a program which connects to the API and does
Starting point is 00:10:06 very high volume accessing, for example. So you could imagine if you have access, say, late credentials from a website, let's say you have a few thousand or hundreds of thousands of credentials for a website and you want to loop through those to check which ones are actually valid, which you can get access with, then you could write a little program which would go through this API, have a new profile every time, and then try to get in there and you will record that. So it's a great platform, if you like, for validating those kind of things.
Starting point is 00:10:37 So in terms of it being successful and doing what it sets out to do, in other words, this is a difficult thing to circumvent. It's successful in making you appear as though you're coming from the things it's pretending, the settings that it's sort of randomizing. Yes, exactly. Exactly. So I think, you know, it's, as we say, it's extremely hard to put any new kind of defense. I mean, if you look at the kind of ways that, for example, an e-commerce site, something that would try to defend against someone coming with, you know, doing multiple logins, for example.
Starting point is 00:11:14 One of the few tools you have there is looking at the originating IP address or this kind of browser profiling. And since Linken Sphere can connect through a Tor network, for example, it will be very hard or impossible even to track the IP address. In combination with fake fingerprinting, it would be virtually impossible to defend against that kind of tool
Starting point is 00:11:36 when someone's using it. Our thanks to Stéphane Trouvé for joining us. The research is titled Profiling the Lincoln Sphere Anti-Detection Browser. We'll have a link in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to Thank you. ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The CyberWire Research Saturday is proudly produced in Maryland
Starting point is 00:12:40 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening.
