Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale
Michele Campobasso, Luca Allodi (Eindhoven University of Technology)

TL;DR
This paper uncovers an emerging criminal infrastructure called Impersonation-as-a-Service (ImpaaS) that enables large-scale user impersonation, bypassing multi-factor authentication and risking widespread security breaches.
Contribution
It introduces the ImpaaS model and analyzes a real-world Russian platform, demonstrating its growth and capabilities in facilitating large-scale impersonation attacks.
Findings
ImpaaS enables systematic evasion of authentication controls.
The platform provides up-to-date user profiles for over 260,000 users.
ImpaaS is a growing threat with semi-automated attack capabilities.
Abstract
In this paper we provide evidence of an emerging criminal infrastructure enabling impersonation attacks at scale. Impersonation-as-a-Service (ImpaaS) allows attackers to systematically collect and enforce user profiles (consisting of user credentials, cookies, device and behavioural fingerprints, and other metadata) to circumvent risk-based authentication systems and effectively bypass multi-factor authentication mechanisms. We present the ImpaaS model and evaluate its implementation by analysing the operation of a large, invite-only, Russian ImpaaS platform providing user profiles for more than Internet users worldwide. Our findings suggest that the ImpaaS model is growing, and provides the mechanisms needed to systematically evade authentication controls across multiple platforms, while providing attackers with a reliable, up-to-date, and semi-automated environment enabling…
