Browser makers are implementing features that prevent sites from tracking users through various technologies, particularly encryption in HTTPS and TLS. Hackers of the dark kind, however, love to play this game of cat and mouse with security experts and software developers. A particularly notorious group hailing from Russia is proving that by turning the tables on browser makers. They are using the very same technologies Chrome and Firefox use for secure browsing, these hackers are modifying these web browsers on the fly to keep tabs on users and circumvent those privacy features.
There is almost a certain sense of irony to this covert attack reported by Kaspersky Labs. The hackers have managed to find a way to modify web browsers so that TLS traffic that are designed to be secure and private will carry a unique fingerprint that identifies users and their computers. In other words, these compromising fingerprints piggyback on the very technology used to protect users from spying and eavesdropping.
The way these hackers are able to accomplish this is, however, almost frightening. It patches installers for Google Chrome and Mozilla Firefox to modify the browsers to include that special fingerprinting function. Kaspersky has been unable to pinpoint how and when the hackers are able to make that modification but considering the installers come from legit sources, the hackers may be doing it on the fly while the installers are being downloaded.
That’s a rather tall order for some hacker as it implies having compromised Internet service providers and networks. That, however, may not be so difficult for a hacker group known as Tulsa. The cyber-espionage group is known for having ties to the Russian government and has been involved in several ISP hacking incidents.
Strangely enough, this malware known as Reductor isn’t being used to actually decrypt users’ encrypted traffic, something theoretically trivial considering the malware has already been installed on the computer. Instead, it might simply be a way to covertly track users’ web activity in the event that Reductor has been identified and removed while keeping web browsers intact.