Inside the Market for Cookies That Lets Hackers Pretend to Be You

Last week Motherboard revealed that hackers stole a wealth of data from game publishing giant Electronic Arts, including source code for the Frostbite engine and FIFA 21 game. The hackers said they did this, in part, by purchasing a cookie for $10 that let them log into an EA Slack account, and then tricking EA's IT support into granting access to the company's internal network.

Now, a representative for the hackers has told Motherboard where they allegedly bought that cookie: Genesis Market, an invite-only underground site where cybercriminals can source cookies that have been lifted from hacked computers for a cornucopia of services.

"Can filter for sale by URL," the representative of the EA hackers said in an online chat, specifying that criminals can search for domains such as Slack or Okta, a popular cybersecurity and sign-in service designed to make access to company assets more secure.

"Example .okta.com, .enterprise.slack.com, etc," they wrote.

A handful of cybersecurity companies and trade publications have covered the site in the past few years. But its alleged link to a high profile breach demonstrates its increasing relevance in the digital underground.

Cookies are small files stored on your computer that can hold all sorts of information. Sometimes they can be used by advertising firms to track browsing activity from site to site; other times they're used for storing login details and keeping you logged into different websites. On Genesis, criminals don't just buy one cookie; they buy exclusive access to a "bot," a compromised computer that is part of a botnet which could contain any number of login details. But more importantly, Genesis also lets customers essentially recreate a one-to-one replica of that victim's browser, with their cookies and device fingerprints intact.

"Someone is essentially getting a perfect mask of you," Matthew Gracey-McMinn, head of threat research at cybersecurity firm Netacea which has investigated Genesis, told Motherboard. In some cases, using data bought from Genesis could let a hacker bypass two-factor authentication, because the logged in service may not prompt a user who appears legitimate for the extra code from their phone, for example. In the website's eyes, whoever is logging in is using an already known device.

This sort of data makes a hacker and the victim "pretty much indistinguishable," Gracey-McMinn added.

Whereas bots are often used for re-routing a hacker's traffic to make it harder for law enforcement to identify their location, or carry out distributed denial of service attacks, Genesis has presented an opportunity to diversify a botnet owner's income stream, Gracey-McMinn said.

"We're on these computers, we can see everything happening on them. Why don't we exfiltrate that data as it comes in—login credentials, browser fingerprints, the whole works," Gracey-McMinn said.

When selecting a bot to purchase, Genesis shows a user what particular sites are included, according to screenshots and videos shared by Gracey-McMinn and Dan Woods from cybersecurity firm F5 which has also tracked Genesis. One bot for sale had 5,000 cookies linked to it across multiple web browsers, and included sites as diverse as Facebook, Spotify, Reddit, Pinterest, Apple, Netflix, Binance, GitHub, Steam, Instagram, Adobe, Amazon, Google, Tumblr, Twitter, Dropbox, PayPal, LinkedIn, NvidiaStore, EANetwork, and Slack.

Both Gracey-McMinn and Woods said that a search for bots across the marketplace mentioning Slack returned over 3,500 results. The number of listings overall has grown substantially, with nearly 400,000 listings available, both researchers showed Motherboard.

The site itself provides a slick, self-service interface for users. Woods showed Motherboard customer support communications he had with the site administrators while using the marketplace. The responses were in perfect English.

After buying a bot, hackers can simply take the exposed login details included in cookies such as email addresses and passwords and access the relevant sites. Or, they can use a browser plugin that Genesis offers which lets the hackers use the exposed information to mimic the victim on a much more convincing level. Here, Genesis will create a configuration file—the mask that Gracey-McMinn mentioned—that the hackers then import into their own browser. The first file is free, but customers need to pay to generate new configuration files based on the cookies and browser information after that, screenshots showed.

And new data may keep flowing in. The customer doesn't necessarily just buy a bot, use the credentials, and move on. If whatever malware which is collecting the information is still active on the victim's machine, Genesis will update itself with that new data, and notify the user when it arrives.

"If I've bought early, I've essentially got a great bargain. I could get something that would eventually be worth hundreds of dollars for 70 cents," Gracey-McMinn said.

Gracey-McMinn said they think Genesis is a single seller marketplace, with only one group of people selling information gleaned from malware. Woods believes that the creators of Genesis originally populated the marketplace with items collected with their own malware, and then allowed others to sell products too. One reason is that out of the hundreds of thousands of bots on the market, some of the bot names, a series of alphanumeric characters, have a constant substring in them.

"We think that is tied to a particular group," Woods told Motherboard.

Both researchers said they believe information from Genesis is being used in real-world attacks. Specifically Woods said F5 has reverse-engineered the Genesis plugin so it can observe when attackers use it against their customers. Woods said they've observed dozens of attacks related to Genesis, but cautioned that attacks where hackers simply use the exposed login credentials themselves rather than the plugin will be harder to detect.

Now with the EA hack, it appears high profile organizations are being targeted with compromised cookies too.

"These people are professionals; these aren't pickpockets," Gracey-McMinn said of the Genesis administrators.

Subscribe to our new cybersecurity podcast, CYBER.