Fraudster’s Marketplace Shares Sophisticated ATO-bot Fraud Tools

Actimize Fraud Product Team, Fraud Detection & Prevention
Fraudster’s Marketplace Shares Sophisticated ATO-bot Fraud Tools

Perpetrating complex fraud isn’t overly taxing; it’s as easy for fraudsters to procure the tools to infiltrate financial institutions (FIs) as it is for any consumer to buy a smart home system on Amazon. 

Malicious e-commerce sites, such as Genesis Marketplace, make shopping for a broad variety of illicit tools a simple and easily accessible experience for fraudsters. For as little as $5 to $25[1], fraudsters can get a bot embedded with stolen enterprise or personal data, leading to a huge ROI for this criminal activity. 

For industry insiders, Genesis Marketplace isn’t a new development, and it’s certainly not dormant. It garnered mainstream attention and notoriety on popular media when the site was linked to the highly public data breach of Electronic Arts, a leading video game publisher, in June of 2021.[2]

Genesis Marketplace continues to be a major presence today in fraudster networks and communities and a source of continuous concern for fraud strategy and cybersecurity leaders. Recently, we have seen an increase in fraud losses related to account takeover (ATO) bots. This emerging attack vector has significant implications for fraud and authentication program investments and how FIs approach modern fraud prevention.

Attack of the ATO-Bots

Back in 2020, Genesis Marketplace accounted for over 65% of fingerprinting service mentions in fraudster and cybercriminal forums.[3] It has not only outlived comparable online illicit marketplaces over the years, but it has demonstrated substantial growth and remains stronger than ever. In early 2021, the site gained about 5,000 new listings in only two months, reaching a total of over 350,000 illegal listings. Only two years prior, the site featured approximately 100,000 stolen credentials for sale.[4] This is also not a deep or dark web resource for criminals; Genesis Marketplace is available on the clear and open web and access is governed by a simple to obtain invitation code.

Genesis has even taken a page from its legitimate contemporaries to create a modern shopping experience. The marketplace provides a streamlined interface that mirrors many household-name e-commerce sites, and there’s even a convenient FAQs section and customer support desk with a ticketing system for the intrepid fraudster to better utilize its offerings.

One such offering is ATO-bots, which generally can be described as man-in-the-middle exploits that harvest a user’s credentials, cookies and online browser fingerprints. Essentially, ATO-bots eliminate the legwork of obtaining multi-factor authentication (MFA) codes and automate attacks.

An incredibly important factor in an FI’s authentication efforts is device fingerprinting during online banking sessions in order to validate a customer’s login experience and prevent payment fraud. Fingerprinting enables an FI to discern when a customer is using a new device, an unrecognized browser, or changes therein depending on an organization’s risk tolerance or regulatory obligations. In instances where there’s a suspicious or unusual change in fingerprinting, the FI typically employs MFA in the form of a one-time password that’s delivered to the customer via text (and sometimes via email) to ensure that the customer is the actual party logging into the account. It’s important to note in the U.S., MFA via one-time passwords and email is strongly discouraged by the Federal Financial Institutions Examination Council (FFIEC). In other regions, these “weak authenticators” are already a thing of the past as organizations beef up authentication and fraud controls to thwart fraud and protect the account experience of an FI’s hard-earned customers. 

Intercepting MFA codes prior to an account takeover can be something of an arduous journey. Bad actors have to resort to social engineering such as fraudulent text messages (smishing), fake emails (phishing) or calls to the customer or contact center (vishing), respectively to procure these MFA codes.

ATO-bots provide a cheap, effective workaround to the authentication defenses against cybercriminals: 

  • Automating these attacks via bots is a sophisticated technique for any common fraudster, but Genesis Marketplace makes these tools simple and easy to use at scale for cybercriminals.
  • ATO-bots remove the need for a fraudster to rely on time-consuming social engineering tactics, especially where automation is not employed to facilitate the social engineering scam.
  • Using information gleaned from ATO-bots, cybercriminals aren’t prompted for MFA codes.
  • ATO-bots gather data such as personal information, passwords, and fingerprints, or unique identifiers that include IP address or screen resolution, for example. From the technology’s perspective, the fraudster is almost a twin of the actual customer online. 

Account takeover was the most prevalent bot attack in 2021, and this form of bot attack was most commonly aimed at the Financial Services industry,[5] though all organizations are at risk. We’ve been monitoring this development as a natural evolution in the trajectory of account takeover fraud, which rose nearly 150% last year.

Beware of the Customer Impact of Genesis Marketplace 

The unchecked progression of Genesis Marketplace is greatly impacting the industry in areas that we believe are not being fully recognized and appreciated, most particularly the customer impact. ATO-bot attacks have serious ramifications for the customer experience, which continues to be a key initiative in FIs’ digital transformation agendas as they contend with a diversifying competitive landscape – including non-bank payment players, payment platforms and FinTechs. 

When an ATO-bot is successfully deployed, but goes undetected by the FI, the payment cash-out resembles an authorized transaction by the customer. We call this type of attack “unauthorized payment fraud,” and it’s already extremely problematic in the industry across different regions. 

Once the customer realizes that a fraudulent payment has occurred, the common methods of disputing the losses through fraud reporting aren’t usually successful. Since all signs point to the transaction being legitimate, the bank falsely assumes that it was really the customer that logged in and executed the payment. 

Customer losses related to ATO-bot attacks also contribute to attrition. Fraud has an emotional cost, and customer loyalty is impacted when fraud occurs. Statistics indicate that in general, customers who experience fraud at their primary bank, regardless of whether they were satisfied or dissatisfied with how it was resolved, are four times more likely to switch to a competitor bank. A recent study has also shown that customers perceive their primary FI as being the foremost responsible party when it comes to preventing fraud.[6]

As ATO-bots continue to gain traction with fraudsters, we anticipate that this is going to drive further attention toward fraud and authentication programs. So what’s the next step for FIs?

Responding to the ATO-bot Threat

To raise industry awareness of this evolving threat, we strongly encourage a discussion of this issue in conversations related to payments fraud and ATO attacks. Multi-layered fraud detection and prevention is vital to modern enterprise fraud management, including behavioral analytics and biometrics, cybersecurity tools, and real-time payment transaction monitoring that enables FIs to quickly respond to unusual or anomalous activity.

In the fight against malicious and orchestrated ATO-bot attacks, FIs have to develop analytics around authentic human interactions, and target behaviors rather than solely focusing on signals such as fingerprinting. Artificial intelligence (AI) and machine learning (ML), as well as automation, are vital in helping banks understand and monitor customer behaviors at scale and in real-time. 

  • Omni-channel authentication can enable FIs to leverage a combination of cutting-edge authentication techniques and capabilities in a cohesive manner and provide a more consistent authentication experience to prevent undue customer friction.
  • Real-time, risk-based decision-making and interdiction can ensure access for legitimate customers while challenging risky or suspicious users to mitigate ATO attacks.
  • Dark web intelligence with curated data feeds that are integrated into analytics can help FIs identify the latest trends and tactics utilized by fraudsters to compromise accounts so they can proactively deploy countermeasures.
  • Educate customers about the risks to their digital identity and what specific steps they can take to better safeguard their identities. 

The biggest takeaway here is that having the right smart technologies in place that can adapt alongside a constantly evolving threat landscape, such as ATO-bots, is an FI’s best weapon in staying ahead of new and emerging fraud. 

As always, stay safe and vigilant in the fight against fraud. 


[1] Schwartz, M. (2022, February 3). Buying bot-stolen logs: marketplaces make it ‘2-easy.’

[2] Patterson, D. (2021, September 9). Inside Genesis: the market created by cybercriminals to make millions selling your digital identity.

[3] Security Magazine. (2021, May 6). Inside look at the Genesis Market, a cybercriminal market.

[4] Gracey-McMinn, M. (2021, June 10). The insidious problem with bots is exploding.

[5] Businesswire. (2022, May 18). 42.3% of internet traffic in 2021 wasn’t human as account takeover and online fraud increases.

[6] Prnewswire. (2022, April 5). IBM study finds broad geographical, generational impact of financial fraud and attitudes towards financial institutions. 

Speak to an Expert