Chrome 80 blocks popular data-stealing malware AZORult


For a long time, most of the login data sold through the Genesis Store was obtained with a single malware strain called AZORult: ninety percent of the credentials on offer were captured by that specific malware. Google has now taken action: as of Chrome 80, the malware no longer works.

Research carried out by security firm KELA shows that Genesis has seen a considerable reduction in the amount of login data on offer. The online store where captured data is traded had been under KELA’s microscope for some time, after Kaspersky revealed the existence of the platform in early 2019.

The Genesis Store sells login data under the name ‘fingerprints’, since a buyer gets much more than just a login name and password: the Genesis Store keeps all data captured from a victim under a personal profile, and it is that profile ID which is offered for sale. KELA delved deeper into the origins of these IDs and managed to trace the majority (ninety percent) of profiles back to a single malware strain: AZORult.

With the introduction of Chrome 80, Google switched to the AES-256 algorithm: passwords are now stored in a different way, so AZORult is no longer able to retrieve login data from Chrome. Since the source code for the malware is also no longer available (its creator threw in the towel at the end of 2018), AZORult cannot simply be adapted to cope with Google’s new algorithm.

A victory for Google and browser users, but AZORult was only one supplier to one illegal web shop. Malware that is still actively maintained by its creators, such as the Raccoon infostealer, caught up with Chrome 80 the day after Google’s release, with an update that did handle the new algorithm.