Carding is one of the earliest forms of cybercrime. Since the 1980s, cybercriminals have developed various fraud tactics to steal and monetize credit card information. To prevent these types of attacks, financial institutions have developed anti-fraud measures to detect and prevent fraudulent transactions. These security precautions include checking various parameters like IP address, operating system, and browser fingerprint. This has spawned a cybercrime ecosystem of marketplaces selling fingerprints, referred to as “bots,” which are sourced from commoditized credential stealing malware.

In the beginning there was Genesis, an underground marketplace associated with “Genesis Security,” a browser plugin developed by the market administrators. On the market, users can buy stolen browser credentials, logins, passwords, and cookies that are harvested from a victim’s device. The Genesis Security plugin allows users to load data purchased from the marketplace and then modify it to create browser fingerprints. Since launching in 2018, several other marketplaces have also materialized: Amigos, Mouse in Box, and Russian Market.

Cybercrime web marketplaces selling bots have grown in the past 4 years. These shops can also provide a turn-key solution to utilizing stolen credentials to bypass browser based online retail or banking authentication mechanisms. In this presentation we perform a large scale analysis of this ecosystem across 4 bot shops. We crawled data and performed manual analysis to provide some insight into overall marketplace trends, overall infection trends, backend infrastructure, and cybercriminal profit.