Analyst Interesting Crawls

Linking Infrastructure from Phishing Data Exfiltrations

Phishing is still one of the most relentless and quickly evolving online threats facing today's businesses.

At RiskIQ, we process tons of web-related threat data, including phishing incidents. From various sources, we receive URLs which may be indicative of phishing, examine the pages with our web-crawling infrastructure, which experiences them as a real user would, and feed the data it collects through our machine-learning technology to classify each detected phishing page appropriately.

Phishing pages' infrastructure usually takes two forms: self-maintained custom infrastructure and abused or compromised infrastructure belonging to someone else. Below is an instance of a phishing page for email involving the latter. It's somewhat generic, but an excellent example of something commonly leveled against businesses: 

Phishing is still one of the most relentless threats facing today's businesses. We process tons of web-related threat data, including phishing incidents

Fig-1 Phishing page

Looking through some sources online, I dug up some additional instances of this phishing kit:

Continue Reading
Labs Analyst

New Attacks on Mew: Phishing MyEtherWallet Via Native Web Views on Android

Last week, we published an extensive report on MEWKit, a phishing ATS targeting visitors of MyEtherWallet (MEW) in elaborate ways—including resorting to a BGP hijack. But threats to users of MyEtherWallet aren’t a new thing by any means—phishing pages targeting the cryptocurrency platform, while not as sophisticated as MEWKit, have been going around for a very long time. In this blog, we’ll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

The Lure

Cybercriminals are always thinking of new methods by which to perform their attacks. In the case of phishing, they come up with innovative ways of convincing victims that their website or, in this case, mobile app, is legitimate. New attacks leveraging MyEtherWallet are using messages on social media and posts on forums to spread illegitimate clones of the MyEtherWallet site, which is not a new tactic in and of itself, but something that has never been seen targeting MyEtherWallet users. In this attack, an actor sets up a fake Telegram group, supposedly for MyEtherWallet and its support team, to spread false messages. In fact, searching for MyEtherWallet on Telegram would surface a group with over nine thousand subscribers:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-1 The actor-created Telegram group

The operator of this group forwarded the tweets sent from the official MyEtherWallet twitter account to the group, with one additional message—that there's a new MyEtherWallet client for Android. The general messaging in the group looked like this:

Continue Reading
Labs Analyst Interesting Crawls

SpeedFlash and ScrnSize: Fake Flash Updates with a Side of Domain Shadowing

Fake Flash download pages have come to be a marker for all manners of malicious activity. We’ve seen it in conjunction with exploit kits, banking Trojans, watering hole attacks, malvertising, adware, phishing, digital currency miners, and multitudes of other digital threats. Often, there are traffic distribution systems or other means of traffic filtering upstream of these sites and many campaigns use decoy sites to which they dump unwanted traffic rather than serving up the malicious payload.

Today, we’ll be looking at a redirection sequence that brings many of these malicious tactics together, showing evidence of a campaign that uses fingerprinting and filtering, domain infringement, domain shadowing, indicators of cookie tracking, and malicious downloads using fake Flash. From one redirect, we were able to uncover thousands of artifacts pointing to a more extensive malicious campaign preying on potentially thousands of victims.

Digging In

Below is a typical redirection sequence from this particular malicious campaign leading from an initial fingerprinting and redirection page to a page serving fake Flash to a “speed test” decoy page:

Fig-1 Sequence leading from fingerprinting page a page serving fake Flash which redirects to a speed test decoy page.

Continue Reading
External Threat Management Analyst

WHOIS Is Changing And So is GDPR: Here’s How It Could Impact Analysts

GDPR is now less than 30 days away, and while businesses are scrambling to ensure they are compliant, another discussion is happening within the information security space amongst analysts—what’s going to happen to WHOIS? Greatly celebrated for its ability to form connections and break open cyber threat investigations, it’s not completely clear if WHOIS will go away entirely due to GDPR, but one thing’s for sure, it won’t remain what it is today.

For anyone who’s not been following the ICANN news or registrar changes, the concept of losing WHOIS may come as a surprise. The reason regulators have their sights on WHOIS centers around the changes to what’s considered personal or private information by GDPR. WHOIS—commonly thought of as the phone book of the Internet—serves as a registry of personal information for those who’ve registered domains on the Internet; available to anyone for query and considered a big leak of privacy.

To the casual observer, it makes sense to remove WHOIS from the public or at the very least, hide data deemed personal, but in doing so, these changes make it difficult for cyber threat analysts to differentiate between legitimate, compromised, and malicious domains. Additionally, without point-of-contact information for a domain owner, it’s even more difficult to communicate when a website may be compromised or infringing on a company’s trademarks or brand.

While businesses are scrambling to ensure they are GDPR compliant, another crucial discussion is happening––what’s going to happen to WHOIS?

Fig-1 Example of an unobfuscated WHOIS record

Some of you may be thinking to yourself, “well, my domain is privacy protected, doesn’t that already hide contact details?”, and the answer is yes. Over the past couple of years, analysts have seen a rise in the use of privacy protection services which ultimately render the analytical content of the WHOIS record less useful, but this is not the norm for all the tens of thousands of domains being registered every day.

Continue Reading
External Threat Management Analyst

We’ve Been Busy! Announcing New RiskIQ PassiveTotal Enhancements

The RiskIQ PassiveTotal Engineering team has been busy over the past few weeks on the tool that concerns external threats, attackers, and their related infrastructure, and we are excited to announce some product enhancements that should improve the overall user experience and make conducting investigations and accessing RiskIQ intelligence even easier.

Show Me The Data!

Fig-1 Performance loading data

You have hundreds of alerts to get through, and we know every second counts. That’s why we’ve focused on performance loading data as it streams into the platform for faster assessments of actor infrastructure and a more consistent experience every time.

Project Overhaul

Continue Reading

Web Crawling Data Brings Compromised Infrastructure to the Surface

On November 6, 2017, cyber security company Volexity released a blog post highlighting an espionage campaign targeting ASEAN nations via compromised websites and typosquatting infrastructure. The campaign is believed to be linked to the OceanLotus Group, also known as APT 32, which has carried out targeted attacks against foreign governments, private companies, and journalists and dissidents—potentially on behalf of Vietnam. Because the group used compromised web infrastructure as its avenue of attack, RiskIQ’s global network of web crawlers yielded data that gave greater context around its campaign by shedding light on its scope and scale, including more than 140 compromised parent websites.

This data, which can be found in RiskIQ Community Edition, added several new layers to the investigation below.

Diving Into OceanLotus

Examining the associations between the infrastructure identified by Volexity and RiskIQ’s web crawling data available in RiskIQ Community Edition, we can surface connections that indicate that the campaign has been active since at least February of 2016. Investigating this malicious infrastructure for redirection sequences, links, and dependent requests in RiskIQ’s Host Pair data shows that the malicious domain ad[.]adthis[.]org has a script association to danchimviet[.]info, an online Vietnamese newspaper first seen by RiskIQ on February 1, 2016:

RiskIQ’s global network of crawlers yielded data that gave greater context around the OceanLotus campaign by surfacing on more than 140 compromised sites.

Fig-1 Host Pair data showing connection to a Vietnamese Newspaper

Continue Reading
External Threat Management Analyst

Threat Analyst Using RiskIQ PassiveTotal: A Day in the Life

John is a tier-two threat analyst on a SOC team that consists of five analysts. John, whose team works for a public sector organization, uses RiskIQ PassiveTotal daily to aid his investigations of indicators of compromise (IOCs) with minimal false positives during incident response.

The team leverages the relationships between the highly connected data collected by RiskIQ inside the RiskIQ PassiveTotal platform, pivoting on its unique data sets to surface new connections, group similar attack activity, and substantiate assumptions for each IOC.

However, John's team did not always use RiskIQ PassiveTotal.

Once upon a time, they used a manual, highly segmented workflow comprised of a cocktail of different tools. According to John, below is an example of what a typical incident response might have looked like for him in the pre-PassiveTotal days. We will use an IP from a recent event in which the Lazarus Group attacked Polish banking establishments as the example.

The IP 109[.]164[.]247[.]169 is flagged through IDS.

Continue Reading
External Threat Management Analyst

Infrastructure Chaining Surfaces NSO Group Connections in Cyber Attack

As part of our research process, RiskIQ uses open source indicators paired with our internet data sets to surface more connections that may be relevant to defenders. When the Citizen Lab published new research exposing abuse against civil society in Mexico—including journalists and reporters— using tools created by the NSO Group, I was able to apply infrastructure chaining in RiskIQ PassiveTotal to build off of artifacts identified in the report.

Contained within the Citizen Lab report are ten domains we can use as a starting point for research. In conducting searches within PassiveTotal, we observed several overlapping details within WHOIS records and one key IP address. Using the WHOIS record from fb-accounts[.]com, we have some viable pivot points with which we can identify more connections.  

The Citizen Lab published research showing abuse against civil society in Mexico. I used infrastructure chaining to build off the artifacts in the report.

Fig-1 WHOIS record for fb-accounts[.]com with viable pivots highlighted


Using just the email of as an example, we not only identify never-before classified infrastructure, but we also see infrastructure previously reported on and associated with the NSO Group from the Citizen Lab.

The Citizen Lab published research showing abuse against civil society in Mexico. I used infrastructure chaining to build off the artifacts in the report.

Fig-2 Pivot results from the email address used to register fb-accounts[.]com reveals overlap with previously known NSO Group infrastructure and never-before-seen domains


Continue Reading
External Threat Management Analyst

Tracking Turla: What We Can Learn from a Clicky ID

Also by Steve Ginty

The cyber threat actor group Turla is leaving behind breadcrumbs in the form of trackers. Infamous for their targeted attack campaigns aimed at visitors of foreign affairs, embassy, and visa and passport websites in 2016, research shows Turla continues to execute watering hole campaigns against those same visitors.

Visitors of these websites, many of which are listed in the riskIQ PassiveTotal Public Project dedicated to Turla, are redirected to malicious command and control servers because of a code snippet added to the original page inserted by the cyber threat actor. According to a recent WeLiveSecurity post, attackers added a reference to Clicky, a real-time web analytics framework, to compromised pages. This tracking code (ClickyId100673048) acted as a cover for the appended script, making it appear legitimate to cursory or novice examination.

The WeLiveSecurity post says this script calls another script, a server used to collect information about the system on which it's running. This attack then distributes this "fingerprinting" JavaScript to targets by filtering visitors using an IP range. If they are within the targeted IP range, they receive the fingerprinting script.

When investigating attack campaigns like this, every piece of information is important for tracking down and stopping cyber threats against your organization. Below, you can see the Clicky ID inside RiskIQ PassiveTotal. By clicking on one of the domains inside the Public Project, www.namibianembassyusa[.]org, and pivoting on the “trackers” data set, you can see the rest of the domains compromised by Turla leveraging the same tracker:

Continue Reading