Dark Web Facial ID Farm Warning—Hackers Build Identity Fraud Database

Update, Dec. 27, 2024: This story, originally published Dec. 25 now includes a breakdown of the know your customer attack threat methodology that the newly discovered dark web facial identity resource brings to the identity fraud table along with mitigation against the threat and an additional example of how banking biometrics can be bypassed by determined attackers.

A dark web criminal operation that appears to have been farming facial ID images along with the genuine identity documents that accompany them has been unmasked, if you’ll pardon the pun, by threat intelligence researchers. Here’s everything you need to know about this sophisticated approach to identity theft that, it would seem likely, has been using information willingly exchanged for financial reward to build the ID farming business.

The Dark Web Facial ID Farm Threat

Researchers from iProov’s biometric threat intelligence unit have uncovered what appears to be a simple yet simultaneously sophisticated identity protection bypass operation being implemented on the dark web. Describing the significant operation as “compromising identity verification systems through the systematic collection of genuine identity documents and images,” the iProov analysts said that this demonstrates how the nature of identity fraud is evolving.

As detailed in the iProov Q4 threat intelligence update for 2024, threat-insights the unnamed criminal dark web threat group behind the operation has amassed a “substantial collection of identity documents and corresponding facial images,” which, the report said, was “specifically designed to defeat Know Your Customer verification processes.” Such systems play a key role in preventing identity fraud against banks and other financial institutions, as I reported in a recent article concerning the use of AI to bypass biometric banking security checks.

What is most interesting to me in this particular case, however, is that this doesn’t seem to have been a matter of scraping compromised biometric data from published stolen databases, but rather, it looks like the identities have been obtained by paying users for them.

The Know Your Customer Attack Process—How This Dark Web Facial ID Resource Maximizes The Threat

The iProov report warned that the discovery of this facial ID stash highlighted “the multi-layered challenge facing verification systems” and provided a breakdown of the attack process to show how organizations not only need to be able to detect fake documents but also 100% genuine credentials used in fraudulent financial applications. The attack process breaks down as follows, with details of how the newly uncovered facial ID and documents resource is involved:

Document Verification

Standard document verification processes are able to detect both altered and forged identity documents, however, the use of genuine, 100% legitimate documentation as provided by the dark web group makes this traditional verification methodology unreliable.

Facial Matching

Facial matching algorithms can accurately compare a submitted photo to the associated ID documentation. But when legitimate facial images are paired with legitimate and corresponding identity documentation, a basic verification system is likely going to be in trouble.

Liveness Detection

While there are different levels of sophistication involved in identity verification attacks, and basic attempts are always going to be easier to detect thanks to the likes of liveness detection, for example, organizations need to be aware of the total spectrum to best defend against them all. Basic methods include printed photography and manipulated ID documents, mid-tier attacks may use real-time face swapping and deepfakes paired with genuine documentation, and advanced attacks can use 3D modelling and real-time animation in an attempt to respond to liveness detection checks.

Dark Web Hackers Pay For Facial Images And Supporting Identity Documents—Users Willingly Participate

“What’s particularly alarming about this discovery is not just the sophisticated nature of the operation,” Andrew Newell, chief scientific officer at iProov, said, “but the fact that individuals are willingly compromising their identities for short-term financial gain.” And he’s not wrong, as this isn’t just a matter of selling their identity data but also risking their own security here. “They’re providing criminals with complete, genuine identity packages that can be used for sophisticated impersonation fraud.” What makes this process even more dangerous is that what we are talking about here is the perfect storm of the identity matching pair: genuine documents and genuine matching biometric data, “making them extremely difficult to detect through traditional verification methods,” Newell warned. Boom.

The Multi-Layered Mitigations Required To Fend Off Evolving Dark Web Identity Attack Resources

The researchers at iProov have a number of key recommendations when it comes to mitigating the kind of identity fraud being carried out as a result of the attack resources being compiled by these groups operating on the dark web. These mitigations can, in fact, be boiled down to one key takeaway: implement a multi-layered verification system. However, it’s important to note that iProov recommended that such an approach must include confirmation of all the following to be effective:

• Confirm that this is the right person by matching the identity as presented to the official documents.
• Confirm that this is a real person by using embedded imagery and metadata analysis so as to be able to best detect any malicious media.
• Confirm that the identity verification is being presented in real-time by using a unique challenge-response.
• Combine technologies and threat intelligence so as to be able to detect, respond to and mitigate threats on your verification systems. This managed detection and response system must include:
• Ongoing monitoring.
• Incident response.
• Proactive threat hunting.
• Leveraging of specialized knowledge.
• The skills to reverse engineer potential attack scenarios.
• The ability to proactively build defenses to mitigate them.

“This multi-layered approach makes it exponentially more difficult for attackers to successfully spoof identity verification systems,” IProov said, “regardless of their level of sophistication. Even advanced attacks struggle to simultaneously defeat all these security measures while maintaining the natural characteristics of genuine human interaction.”

Attackers Can Already Bypass Facial Biometrics Liveness Detection—No Dark Web Involvement Required

Researchers at threat intelligence and security experts Group-IB have already demonstrated that liveness detection in facial biometrics is no longer a verification gold standard. Researchers at threat intelligence and security experts Group-IB have already demonstrated that liveness detection in facial biometrics is no longer a verification gold standard. The Group-IB research revealed how attackers had used AI-generated deepfake images to bypass biometric verification systems, in a real-world case study involving a prominent Indonesian financial institution, which included being able to get around the liveness detection protections. “Leveraging advanced AI models,” Yuan Huang, a cyber fraud analyst with Group-IB, said, “face-swapping technologies enable attackers to replace one person’s face with another’s in real time using just a single photo.” This not only creates an illusion of legitimate identity of an individual in the video but, Huang continued, “these technologies can effectively deceive facial recognition systems due to their seamless, natural-looking swaps and the ability to convincingly mimic real-time expressions and movements.The use of virtual camera software and manipulating biometric data using pre-recorded videos that mimic real-time facial recognition also played a part, The use of app cloning further enabled the fraudsters to simulate multiple devices, highlighting vulnerabilities in traditional fraud detection systems.

Advice For Consumers Thinking About Selling Their Face And Documents, On The Dark Web Or Not—Don’t

Do I really need to add this? Well, I’m going to anyway: If you are approached by anyone, knowingly from the dark web or, more likely not, offering you cold, hard cash in exchange for your image and copies of your identity documents, don’t do it. No matter how much the short-term incentive, it could just as quickly turn into a very costly mistake.