The Cookie Data Set in RiskIQ PassiveTotal is Fresh from the Oven

May 25, 2017, Team RiskIQ

When most people hear the word cookies, they imagine fresh-baked confectionery treats. Here at RiskIQ, however, we think of web crawling, browser sessions and, most importantly, data! After several weeks of testing, we are finally happy to release a new data set into PassiveTotal: cookies.

For those not familiar with web cookies, they are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain state for the application or little bits of tracking data. In previous blog posts, we’ve highlighted how RiskIQ crawlers work and noted that cookies were one of the many data items we collect and store. With this new data set inside of PassiveTotal, analysts can now make connections using this cookie data.

Let’s take a real-world example to show the value this new data set can bring to your threat investigations. Several months ago, Forcepoint blogged about several legitimate websites that appeared to be compromised by suspected Russian actors. Viewing the various indicators inside of PassiveTotal showed linkages to the known malicious command and control servers through our “Host Pairs” data set (Figure-1).

Figure-1 Pivoting on a malicious indicator shows several legitimate websites as parent references in the host pair data, including www.mentalhealthcheck[.]net

While testing out our new cookie data set, we revisited several PassiveTotal public projects to see if we could find anything interesting. In viewing some of the websites compromised by the Russian actors, we observed an interesting cookie artifact (Figure-2).

Figure-2 Cookie results from one of the compromised websites

Contained within the search results were two similarly named cookies, “PHPSESSID” and “PNPSESSID.” PHPSESSID appeared to be linked to the legitimate website properties, while the PNPSESSID only showed up on properties known to be associated with malicious actors. From our observations, it appears that the Russian actors not only compromised the websites to profile visiting users but also deployed cookies to visitors to track them in more detail.

Knowing that the PNPSESSID cookie was used with malicious infrastructure, it makes a great pivot point within PassiveTotal. Clicking on the name of the cookie will run a search for any other web property that’s been seen delivering a cookie with the same name (Figure-3).

Figure-3 Pivoting on the cookie name reveals other malicious properties

The results contain several compromised websites along with the malicious websites referenced in the cookie path. As one would expect, many of the indicators found via this connection were already known from host pairs and open source reporting. However, one indicator, “www.ustravelbrokers.com”, was discovered that had not been previously mentioned. If it weren’t for the cookie data set, this indicator might have gone unnoticed by analysts.
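As an added example (not RiskIQ's code and not the PassiveTotal API), the script below builds a cookie-name index over constructed crawl records, reproduces the pivot described above (every host seen delivering a given cookie name) and flags names that nearly match a well-known one, which is how a PNPSESSID stands out beside PHPSESSID. All hosts and cookie values are invented for illustration.

```python
from collections import defaultdict

# Constructed sample crawl records (host, Set-Cookie header) standing in for
# crawler output; hosts and cookie values are invented for illustration.
SAMPLE_CRAWL = [
    ("legit-site.example", "PHPSESSID=abc123; path=/; HttpOnly"),
    ("legit-site.example", "PNPSESSID=9f8e7d; path=/; domain=.tracker.invalid"),
    ("another-legit.example", "PHPSESSID=deadbeef; path=/"),
    ("another-legit.example", "PNPSESSID=0102; path=/; domain=.tracker.invalid"),
    ("c2-node.invalid", "PNPSESSID=cafe; path=/"),
    ("shop.example", "PHPSESSID=1234; path=/; Secure"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def build_cookie_index(records):
    """Invert crawl records into cookie name -> {hosts seen delivering it}."""
    index = defaultdict(set)
    for host, header in records:
        name, _, _ = parse_set_cookie(header)
        index[name].add(host)
    return index

def pivot(index, cookie_name):
    """The pivot the post describes: every host observed setting this cookie name."""
    return sorted(index.get(cookie_name, set()))

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike names such as PNPSESSID vs PHPSESSID."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_names(index, reference, max_distance=1):
    """Cookie names in the index that nearly match a well-known name but are not it."""
    return sorted(n for n in index if n != reference and edit_distance(n, reference) <= max_distance)
```

Running `pivot(build_cookie_index(SAMPLE_CRAWL), "PNPSESSID")` lists the hosts sharing the suspicious cookie name, and `lookalike_names(index, "PHPSESSID")` surfaces the near-miss name without needing to know it in advance.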

Adding yet another data set to PassiveTotal ensures we continue to leave adversaries with no place to hide. In this case, tracking of users helped the actors keep tabs on who was targeted and who wasn’t, but it also acted as a way to correlate all the malicious infrastructure. We’re excited to hear how other analysts use this data set and want to hear if you find anything interesting. If you have a story to share, send it over to feedback@www.riskiq.com.