New research documents Impersonation-as-a-Service (IMPaaS) as an emerging threat where profiles of victim users are available to be used in campaigns where impersonation is critical.

It’s not every day you hear about a new “aaS” in the world of cybersecurity. We’ve seen lots of service-oriented offerings in the world of ransomware, and even been made aware of those focusing on launching phishing attacks. But to hear that impersonation is now a service offered to the bad guys is seriously disturbing. Cybersecurity PhD-candidate Michele Campobasso discusses the reality of IMPaaS in his publication, Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale. In it, he discusses a now defunct website – IMPaaS [dot] ru – that was offering “hundreds of thousands” of compromised victim “profiles”. These profiles included user credentials, cookies, device and behavioral fingerprints, and other metadata to “circumvent risk-based authentication system and effectively bypass multi-factor authentication mechanisms.”

In essence, a cybercriminal could purchase an account of an individual at a particular company, in a certain vertical, having a specific job title or function, etc. and take over as that person – not just on email, but be able to even access resources secured behind MFA!

We’ve talked about impersonation before, but it’s always been in the context of just using a person or company name or, at best, spoofing a lookalike domain name. But in the case of IMPaaS, it’s now been proven that the bad guys have a means to collect enough data, files, and credentials on a given victim to allow an attacker to pose as that victim when engaging in future malicious activity.

This should terrify organizations – the thought that you won’t be able to tell that it’s not the actual person means all security solutions are rendered useless. The only last defense against an attack that would leverage this level of impersonation is Security Awareness Training, which can teach a user to be wary of unusual requests, even when it (supposedly) comes from a known individual.