The Evolving Cybercriminal Market Has Given Birth to Impersonation-as-a-Service as Attackers Seek to Impersonate at Scale



Cybercriminal Market Impersonation as a ServiceNew research documents Impersonation-as-a-Service (IMPaaS) as an emerging threat where profiles of victim users are available to be used in campaigns where impersonation is critical.

It’s not every day you hear about a new “aaS” in the world of cybersecurity. We’ve seen lots of service-oriented offerings in the world of ransomware, and even been made aware of those focusing on launching phishing attacks. But to hear that impersonation is now a service offered to the bad guys is seriously disturbing. Cybersecurity PhD-candidate Michele Campobasso discusses the reality of IMPaaS in his publication, Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale. In it, he discusses a now defunct website – IMPaaS [dot] ru – that was offering “hundreds of thousands” of compromised victim “profiles”. These profiles included user credentials, cookies, device and behavioral fingerprints, and other metadata to “circumvent risk-based authentication system and effectively bypass multi-factor authentication mechanisms.”

In essence, a cybercriminal could purchase an account of an individual at a particular company, in a certain vertical, having a specific job title or function, etc. and take over as that person – not just on email, but be able to even access resources secured behind MFA!

We’ve talked about impersonation before, but it’s always been in the context of just using a person or company name or, at best, spoofing a lookalike domain name. But in the case of IMPaaS, it’s now been proven that the bad guys have a means to collect enough data, files, and credentials on a given victim to allow an attacker to pose as that victim when engaging in future malicious activity.

This should terrify organizations – the thought that you won’t be able to tell that it’s not the actual person means all security solutions are rendered useless. The only last defense against an attack that would leverage this level of impersonation is Security Awareness Training, which can teach a user to be wary of unusual requests, even when it (supposedly) comes from a known individual.


Request A Demo: Security Awareness Training

products-KB4SAT6-2-1New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!

Save My Spot!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/kmsat-request-a-demo

Subscribe To Our Blog


Ransomware Hostage Rescue Manual




Get the latest about social engineering

Subscribe to CyberheistNews