Device Mismatch (Browser-Based)


Description

This detector identifies situations where the browser-reported hardware characteristics associated with a user deviate from their established historical profile. Rather than relying on static identifiers such as MAC addresses or serial numbers, detection is based on the browser fingerprint—a composite of hardware and system attributes exposed through the browser runtime.

The browser fingerprint provides a stable view of the device environment across sessions and includes attributes such as:

  • Operating system and architecture

    A user with a consistent history of accessing applications from macOS systems running Apple Silicon (for example, M1, M2, or M3 architectures) suddenly appears on a Windows-based device with an Intel processor.

  • Screen resolution and display characteristics

    A shift from a high-density display profile, such as a Retina-class screen commonly used by macOS laptops, to a standard 1080p non–high-DPI display.

  • Hardware concurrency

    Changes in the number of logical CPU cores reported by the browser, such as moving from a multi-core workstation profile (for example, 12 logical cores) to a minimal configuration (for example, 2 logical cores).

These changes are evaluated in the context of the user’s historical access patterns rather than as isolated signals.


Relevance to Social Engineering Attacks

In social engineering and account compromise scenarios, attackers almost always operate from their own attack infrastructure rather than the victim’s physical device. Even when credentials or session artifacts are stolen, replicating the victim’s exact hardware profile is difficult.

Common attack-related patterns include:

  • Detection of device hand-off events

    When credentials or session tokens are stolen, attackers must access the account from their own device. While network-level indicators such as VPN usage can be manipulated to match the victim’s location, the underlying hardware profile typically differs in observable ways.

  • Session hijacking identification

    If a valid session cookie is reused on a different browser or machine, the hardware-related components of the browser fingerprint change abruptly. This mid-session shift triggers a device mismatch even when authentication appears successful.
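The following is an added example, not the detector's own code, showing how a fingerprint can be evaluated against a user's historical profile and against the fingerprint recorded at session start. The attribute names, the minUnseen threshold and the sample fingerprints are assumptions made for illustration.

```javascript
// Added example. Attribute names and the threshold are assumptions; the values
// stand for what a browser reports (platform, architecture, screen size,
// devicePixelRatio, navigator.hardwareConcurrency).
const ATTRS = ["os", "arch", "screen", "dpr", "cores"];
// Attributes that stay the same when a laptop is docked to another display.
const HARDWARE = new Set(["os", "arch", "cores"]);

// Collect, per attribute, every value seen in the user's past sessions.
function buildProfile(history) {
  const profile = {};
  for (const a of ATTRS) profile[a] = new Set(history.map((fp) => String(fp[a])));
  return profile;
}

// Attributes whose current value has never been seen for this user.
function unseenAttrs(profile, fp) {
  return ATTRS.filter((a) => !profile[a].has(String(fp[a])));
}

// Evaluate one request against the historical profile and, when supplied,
// against the fingerprint recorded when the session was created.
function evaluate(profile, fp, sessionStartFp = null, minUnseen = 3) {
  const unseen = unseenAttrs(profile, fp);
  const shifted = sessionStartFp
    ? ATTRS.filter((a) => String(sessionStartFp[a]) !== String(fp[a]))
    : [];
  return {
    unseen,
    historicalMismatch: unseen.length >= minUnseen,          // several signals together
    midSessionShift: shifted.some((a) => HARDWARE.has(a)),  // hardware changed under one cookie
  };
}

// Constructed sample fingerprints (not real telemetry).
const MAC = { os: "macOS", arch: "arm64", screen: "3024x1964", dpr: 2, cores: 12 };
const MAC_DOCKED = { ...MAC, screen: "1920x1080", dpr: 1 };      // same laptop, external monitor
const MAC_NEW_MONITOR = { ...MAC, screen: "2560x1440", dpr: 1 }; // same laptop, unseen monitor
const OTHER_DEVICE = { os: "Windows", arch: "x86_64", screen: "1920x1080", dpr: 1, cores: 2 };
const PROFILE = buildProfile([MAC, MAC, MAC_DOCKED]);

console.log(evaluate(PROFILE, MAC_NEW_MONITOR, MAC)); // display-only change: no alert
console.log(evaluate(PROFILE, OTHER_DEVICE, MAC));    // OS, architecture and cores all differ
```

A display-only change stays below the threshold, while a simultaneous change of operating system, architecture and core count raises both the historical mismatch and the mid-session shift.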


Examples of Detected Tooling and Techniques

This detector is effective against tools and techniques commonly used to imitate or reuse legitimate device profiles, including:

  • Anti-detect and fingerprint spoofing browsers

    Platforms such as Linken Sphere or GoLogin that allow attackers to manually configure or approximate device characteristics in an attempt to resemble a target user.

  • Infostealer-enabled environment replication

    Malware families such as RedLine that harvest browser fingerprints and session data, enabling attackers to attempt reuse of credentials or sessions from a different physical device.