The concept behind the Genesis Store is simple: provide a package of compromised account data to a threat actor that allows them to completely impersonate a user. Their approach also helps bypass solutions that focus on detecting fraudulent activity. As an added bonus, the marketplace created a browser plugin that instantly loads a purchased bot, priced from around $2.00 apiece up to $200 depending on the mix of passwords, cookies, and other user data within the package.
When it comes to the channel, this can be a chilling mix of access and nightmarish outcomes. In a single purchase, credentials linked to an MSP's technology stack can be loaded, giving an attacker the access needed to push ransomware across the MSP's clients and delete their backups. It’s vital that partners have multi-factor authentication enabled to help prevent this scenario from playing out.
However, the inclusion of email accounts in the purchased bot, including personal accounts where recovery addresses may be set up, further drives home the need to properly secure all of your accounts. Both work and personal accounts are fair game to these threat actors, as they see no separation between the two.
Datto has been tracking this group, and the frequency of compromised users with Datto accounts is picking up. When we have enough information to identify the affected Datto account, we have been able to proactively notify customers. As a commitment to our partners, we will continue to track these marketplaces and protect the channel as best we can.