Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
May 25, 2017, Team RiskIQ
The cookie data set in RiskIQ PassiveTotal is fresh from the oven.
When most people hear the word cookies, they imagine fresh-baked confectionary treats. Here at RiskIQ however, we think of web crawling, browser sessions and most importantly, data! After several weeks of testing, we are finally happy to release a new data set into PassiveTotal— cookies.
For those not familiar with web cookies, they are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain state for the application or little bits of tracking data. In previous blog posts, we’ve highlighted how RiskIQ crawlers work and noted that cookies were one of the many data items we collect and store. With this new data set inside of PassiveTotal, analysts can now make connections using this cookie data.
Let’s take a real-world example to show the value this new data set can bring to your threat investigations. Several months ago, Forcepoint blogged about several legitimate websites that appeared to be compromised by suspected Russian actors. Viewing the various indicators inside of PassiveTotal showed linkages to the known malicious command and control servers through our “Host Pairs” data set (Figure-1).
Figure-1 Pivoting on a malicious indicator shows several legitimate websites as parent references in the host pair data, including www.mentalhealthcheck[.]net
Figure-2 Cookie results from one of the compromised websites
Contained within the search results were two similarly named cookies, “PHPSESSID” and “PNPSESSID.” PHPSESSID appeared to be linked to the legitimate website properties, while the PNPSESSID only showed up on properties known to be associated with malicious actors. From our observations, it appears that the Russian actors not only compromised the websites to profile visiting users but also deployed cookies to visitors to track them in more detail.
Knowing that the PNPSESSID cookie was used with malicious infrastructure, it makes a great pivot point within PassiveTotal. Clicking on the name of the cookie will run a search for any other web property that’s been seen delivering a cookie with the same name (Figure-3).
Figure-3 Pivoting on the cookie name reveals other malicious properties
Contained within the results are several compromised websites and the subsequent malicious websites that were contained within the cookie path. As one would expect, many of the indicators found via this connection were already known due to host pairs and open source reporting. However, one indicator, “www.ustravelbrokers.com” was discovered that had not been previously mentioned. If it weren’t for the cookie data set, this indicator might have gone unnoticed by analysts.
Adding yet another data set to PassiveTotal ensures we continue to leave adversaries with no place to hide. In this case, tracking of users helped the actors keep tabs on who was targeted and who wasn’t, but it also acted as a way to correlate all the malicious infrastructure. We’re excited to hear how other analysts use this data set and want to hear if you find anything interesting. If you have a story to share, send it over to email@example.com.