External Threat Management

How Do Consumers View Spending and Safety for Online Shopping this Holiday Season? We Took a Look.

E-commerce has the potential to break records this year, with extraordinary circumstances funneling more shoppers to digital outlets than ever before. Due to COVID-19, eMarketer projects a 10% fall in overall holiday sales but a 17% rise in e-commerce sales, and Deloitte projects a continued increase in retail sales over last year's figures. The latter forecasts that e-commerce sales could rise by as much as 35% due to limited in-store retail options.

At RiskIQ, we cannot help but view this uptick in digital spending for what it presents: more opportunities for cybercriminals to take advantage of increased e-commerce activity. RiskIQ researchers have tracked evolutions in Magecart digital credit card skimming infrastructure leading up to the holiday shopping season. Meanwhile, RiskIQ systems detect one phishing domain and five domain infringement events every minute. These numbers are expected to rise for e-commerce brands as the holiday shopping season continues to ramp up. 

But how does this extremely active threat landscape affect shoppers? 


A New Grelos Skimmer Reflects the Depth and Murkiness of the Magecart Ecosystem

As security researchers shine more light on the world of Magecart, we see that this vast card-skimmer underworld is more and more intertwined and connected. As we draw these parallels between different attacks, skimmers, and other infrastructure, many things become more transparent, like which groups are responsible, how they target their victims, and how their tooling evolves. Just last week, RiskIQ published a report tying the ubiquitous 'Ant and Cockroach' skimmer to Magecart Group 12, which indicated just how far-reaching the group's infrastructure and activity have become. 

However, as more of the Magecart landscape comes to the surface, things also get more murky and complicated. In many recent Magecart compromises, we've seen increasing overlaps in infrastructure used to host different skimmers that seem to be deployed by unrelated groups using various techniques and code structures. We also observe new variants of skimmers reusing code seen in the past. For instance, the compromise of boom! Mobile involved the Full(z) House skimmer hosted on infrastructure not previously associated with Full(z) House. This same infrastructure hosted skimming domains we observed loading other skimmers, including different versions of the grelos skimmer. This pattern may indicate that different skimming groups use the same infrastructure to host their skimming domains, possibly purchasing hosting services from the same third party. 


RiskIQ Microsite Will Help Battle Holiday Shopping Threats

Deloitte expects holiday e-commerce sales to amount to $182 billion to $196 billion this year, increasing by 25% to 35%, compared with year-over-year growth online of 14.7% in 2019. With this surge in online holiday shopping due to COVID-19, malicious actors will be looking to capitalize. 

RiskIQ now detects one phishing domain and at least five domain infringement events every minute, with those numbers expected to increase for e-commerce brands as the holiday shopping season continues to ramp up. In response, RiskIQ announced its new Holiday Shopping Microsite, a free, one-stop cybersecurity resource center that tracks and reports new web hosts and domains that leverage holiday shopping events, including Black Friday, Cyber Monday, and Cyber Week. 

The site will serve as an authoritative source of intelligence that security practitioners can use to block and investigate holiday shopping scams as they increase on an unprecedented scale. Already, RiskIQ’s systems have observed 10,727 instances of new holiday shopping infrastructure stood up in advance of Black Friday and Cyber Week since November 1.


Attack Surface Management Requires Deep Intelligence Both Inside and Outside the Firewall

Businesses are undergoing a digital transformation that demands rapid migration to the cloud and expanded adoption of web, mobile, and social platforms. These initiatives extend organizations' digital presence far beyond the internal network, exposing the limitations of network security controls such as firewalls, DLP, and network monitoring. According to the Verizon Data Breach Investigations Report, external-facing web applications, into which network security tools have no visibility, were the vector category most commonly exploited in hacking-related breaches.

This transformation was already challenging long-held views of cybersecurity when it was sent into hyperdrive by COVID-19. Almost overnight, workforces and business operations were decentralized and flung all over the world even farther than before, widening protection gaps and turning security protocols on their heads.

This digital transformation has grown the enterprise digital attack surface and dramatically broadened the spectrum of threats and vulnerabilities that can affect the average organization. Sophisticated APTs and petty cybercriminals alike threaten businesses' safety, targeting their data, brand, IP, systems, and people. Today, 375 new threats emerge each minute.


Stop Thinking of Cybersecurity as a Problem. Think Of It As a Game.

COVID-19 changed the rules of the game virtually overnight.

The news has covered the broader impacts of the pandemic, particularly the hit to our healthcare, the drops in our economy, and the changes in education. But when a massive portion of our workforce was sent home, and companies moved operations online, no one thought about how vulnerable to cyberattacks those companies had now become. The attack surface had changed, giving malicious actors new inroads that no one had previously watched out for.

The thing is, cybersecurity isn't a battle that's ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won't find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it's on organizations to protect these digital assets. 

COVID may have changed the rules, but the game is still on. Despite the security threat, this pandemic may have created a massive opportunity for companies, if they're willing to take it.


RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware

Ryuk Ransomware has flooded US hospitals, threatening to shut down their operations when they're needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, with its operators finding success while many healthcare organizations are most vulnerable. 

However, the cybersecurity community is coming together to combat this rash of attacks, combining resources to provide network defenders with alerts and intelligence to protect our healthcare institutions. 

To do our part, RiskIQ released its full corpus of Ryuk ransomware infrastructure and IOCs, as collected by RiskIQ's Internet Intelligence Graph.


RiskIQ Brings Microsoft’s Security Solution Suite to RiskIQ PassiveTotal

In incident response, speed and visibility are everything, but they can’t be achieved without a 360-degree view of your attack surface. 

RiskIQ PassiveTotal now integrates directly with Microsoft Defender and Azure Sentinel, bringing Microsoft Defender endpoint telemetry and Azure Sentinel alert data directly to the PassiveTotal threat hunting platform. This combination of RiskIQ and Microsoft data enriches threat infrastructure to show pertinent SIEM alerts and endpoint details alongside RiskIQ's rich Internet intelligence to speed up and supercharge investigations. 

RiskIQ and Microsoft joint customers can enable integrations for both Microsoft Defender and Azure Sentinel separately in their organization's account settings in RiskIQ PassiveTotal. Once enabled, analysts can pivot across RiskIQ data during an investigation to understand all the related infrastructure affecting impacted endpoints or existing security tickets. 


RiskIQ Surfaces Domain Impersonation Targeting Saudi Government Ministries

Recently, RiskIQ's suspicious domain classifier surfaced several Google Analytics typosquatting domains. One in particular led RiskIQ's research team to a phishing campaign impersonating Saudi Arabian government websites.

Based on infrastructure overlap in RiskIQ's Internet Intelligence Graph, our researchers determined that the campaign is connected to a previous research report from March of 2019, which outlined a phishing campaign against the Saudi Arabian government it dubbed Bad Tidings. According to the research—and corroborated by RiskIQ's data—the Bad Tidings campaign dates as far back as 2017.

The new infrastructure found by RiskIQ appears to be a follow-on to the Bad Tidings campaign and has been active since mid-2019. Based on our analysis of the domain infrastructure used in this new crop of attacks, the attackers appear to be impersonating several organizations, including the Saudi ministries of the interior, foreign affairs, and labor and social development. They are also impersonating the Enjazit e-visa platform and the Absher mobile app, which allows Saudi citizens to access government services. 
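Two of the detections mentioned on this page, brand typosquats (the Google Analytics look-alikes here) and holiday-shopping lure domains (from the Holiday Shopping Microsite post above), can be approximated with a small scorer over newly observed domains. The following is an added example written for this page; it is not RiskIQ's classifier, which the posts do not describe. The brand watchlist, keyword list, homoglyph table and distance threshold are assumptions chosen for illustration, and the sample domains are constructed, not observed indicators.

```python
"""Added example (not RiskIQ's classifier): score observed domains for brand
typosquats and holiday-shopping lures.

Assumptions: WATCHLIST, HOLIDAY_TERMS and HOMOGLYPHS are illustrative choices;
SAMPLE_DOMAINS are constructed, not observed indicators.
"""

# Hypothetical brand watchlist and lure vocabulary (assumptions, not RiskIQ's lists).
WATCHLIST = ["google-analytics", "paypal", "amazon"]
HOLIDAY_TERMS = ["blackfriday", "cybermonday", "cyberweek", "holiday", "deals"]

# Look-alike substitutions collapsed before comparison (a subset; order matters:
# "1" becomes "l", which then becomes "i", so paypa1 and paypaI both fold to paypal).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "l": "i"}


def normalize(label: str) -> str:
    """Lower-case the label and fold common homoglyphs so look-alikes compare equal."""
    s = label.lower()
    for lookalike, canonical in HOMOGLYPHS.items():
        s = s.replace(lookalike, canonical)
    return s


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    # Simplification: assumes a one-label public suffix (example.com, not example.co.uk).
    return domain.lower().strip(".").split(".")[-2]


def classify(domain: str, max_distance: int = 2) -> dict:
    """Score one domain against the watchlist and the holiday lure vocabulary."""
    label = registrable_label(domain)
    norm = normalize(label)
    best = None  # (score, brand, raw distance)
    for brand in WATCHLIST:
        if label == brand:
            continue  # the brand's own domain is not a squat
        nb = normalize(brand)
        dist = damerau_levenshtein(norm, nb)
        embedded = nb != norm and nb in norm  # brand buried in a longer label
        if embedded or dist <= max_distance:
            score = 0 if embedded else dist
            if best is None or score < best[0]:
                best = (score, brand, dist)
    terms = [t for t in HOLIDAY_TERMS if normalize(t) in norm]
    brand = best[1] if best else None
    if brand and terms:
        verdict = f"brand impersonation with holiday lure ({brand})"
    elif brand:
        verdict = f"possible typosquat of {brand}"
    elif terms:
        verdict = "holiday shopping lure"
    else:
        verdict = "no match"
    return {"domain": domain, "brand": brand, "distance": best[2] if best else None,
            "terms": terms, "verdict": verdict}


def triage(domains) -> list:
    """Return only the domains that tripped a check."""
    return [r for r in (classify(d) for d in domains) if r["verdict"] != "no match"]


# Constructed sample input, not observed indicators.
SAMPLE_DOMAINS = [
    "google-analytics.com",          # the legitimate name: no finding
    "googie-analytics.com",          # l -> i homoglyph
    "gogle-analytics.net",           # character omission
    "paypa1-secure-login.com",       # digit homoglyph plus brand embedded in a longer label
    "amazon-blackfriday-deals.shop", # brand plus holiday lure
    "cybermonday-discounts.org",     # lure only
    "example.com",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DOMAINS):
        print(f"{finding['domain']:32} {finding['verdict']}")
```

The homoglyph folding is what makes the l/i and 1/l swaps score as distance 0 rather than 1; without it, a threshold tight enough to avoid noise on short brand names would miss exactly the substitutions typosquatters favour. The registrable-label split is deliberately naive; a real pipeline should use the Public Suffix List, otherwise every `brand.co.uk` look-alike is compared on the wrong label.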


What a Custom OceanLotus SSL Certificate Can Tell Us About Their Windows C2 Operations

OceanLotus, also tracked as APT32, is a now-notorious threat group active since 2014, best known for its relentless malware attacks and espionage campaigns against Southeast Asian governments, dissidents, and journalists worldwide.

While investigating previously reported OceanLotus activity, RiskIQ analysts came across a unique SSL certificate associated with the espionage group's infrastructure. Unique to the group, the certificate has correlated with more than 70 IP addresses since 2017, a connection that earlier this month helped reporters from the German publications BR24 and Zeit Online track OceanLotus activity across Europe.

Further analysis of this custom certificate and its associated IP addresses led us to conclude that it is part of the infrastructure OceanLotus uses to deploy Windows-based malware. Based on RiskIQ's first observation of the SSL certificate in our Internet Intelligence Graph, which links together infrastructure across the entire web, the group has been using this certificate since at least February 27, 2020, and continues to use it today.
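The pivot described above, from one certificate to every IP address that has served it and the date window over which it was observed, is a standard passive SSL query. The example below is added for this page and is not RiskIQ's PassiveTotal code; it assumes passive SSL records of the form (ip, sha1, first_seen, last_seen), and the certificate bytes and observation table are constructed placeholders using RFC 5737 documentation addresses, not real indicators. It also takes the second hop the Magecart post earlier on this page relies on: other certificates seen on the same hosts, which is how shared hosting between otherwise unrelated operations shows up.

```python
"""Added example (not RiskIQ's tooling): pivot from a TLS certificate fingerprint
to the IPs that served it, then to other certificates on those IPs.

Assumptions: observations are (ip, sha1, first_seen, last_seen) tuples; the
certificate bytes and the table below are constructed placeholders.
"""
import hashlib
import ipaddress
from datetime import date, timedelta


def fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, the key most passive SSL datasets index by."""
    return hashlib.sha1(der).hexdigest()


# Placeholder byte strings stand in for real DER-encoded certificates.
TARGET_FP = fingerprint(b"placeholder: custom C2 certificate")
OTHER_FP = fingerprint(b"placeholder: second certificate on a shared host")
NOISE_FP = fingerprint(b"placeholder: unrelated certificate")

# Constructed passive SSL observations: (ip, sha1, first_seen, last_seen).
OBSERVATIONS = [
    ("192.0.2.10", TARGET_FP, "2020-02-27", "2020-11-18"),
    ("192.0.2.11", TARGET_FP, "2020-03-04", "2020-06-30"),
    ("198.51.100.7", TARGET_FP, "2020-08-01", "2020-11-20"),
    ("198.51.100.7", OTHER_FP, "2019-12-01", "2020-11-20"),  # same host, second cert
    ("203.0.113.5", OTHER_FP, "2020-01-15", "2020-02-01"),
    ("203.0.113.9", NOISE_FP, "2020-05-05", "2020-05-06"),
]


def pivot(fp: str, observations, as_of: str, active_days: int = 30):
    """Every IP that served `fp`, the observation window, whether the certificate
    is still in use as of `as_of` (ISO date), and other certificates on those IPs."""
    rows = [r for r in observations if r[1] == fp]
    if not rows:
        return None
    ips = sorted({r[0] for r in rows}, key=ipaddress.ip_address)
    first = min(date.fromisoformat(r[2]) for r in rows)
    last = max(date.fromisoformat(r[3]) for r in rows)
    # Second hop: certificates that share a host with the target certificate.
    cohosted = {}
    for ip, other, _, _ in observations:
        if ip in ips and other != fp:
            cohosted.setdefault(other, set()).add(ip)
    return {
        "ips": ips,
        "first_seen": first.isoformat(),
        "last_seen": last.isoformat(),
        "active": date.fromisoformat(as_of) - last <= timedelta(days=active_days),
        "cohosted": {k: sorted(v, key=ipaddress.ip_address) for k, v in cohosted.items()},
    }


if __name__ == "__main__":
    result = pivot(TARGET_FP, OBSERVATIONS, as_of="2020-11-25")
    print(f"certificate {TARGET_FP[:12]}... served by {len(result['ips'])} IPs "
          f"from {result['first_seen']} to {result['last_seen']}, active={result['active']}")
    for other, hosts in result["cohosted"].items():
        print(f"  also on {hosts}: certificate {other[:12]}... (second-hop candidate)")
```

The pivot is only as good as the certificate's uniqueness: before treating every returned IP as the group's infrastructure, check how many hosts the fingerprint resolves to overall, since a default appliance or CDN certificate shared by thousands of hosts would pull in unrelated addresses. The same caution applies to the second hop, where a shared hosting provider (the situation the Magecart post describes) means co-hosted certificates may belong to different operators.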
