June 16, 2017, Mike Browning
Also by Steve Ginty
The threat actor group Turla is leaving behind breadcrumbs in the form of trackers. Infamous for their targeted attack campaigns aimed at visitors of foreign affairs, embassy, and visa and passport websites in 2016, research shows Turla continues to execute watering hole campaigns against those same visitors.
Visitors of these websites, many of which are listed in the RiskIQ PassiveTotal Public Project dedicated to Turla, are redirected to malicious command and control servers by a code snippet the threat actor inserted into the original page. According to a recent WeLiveSecurity post, the attackers added a reference to Clicky, a real-time web analytics framework, to the compromised pages. This tracking code (ClickyId100673048) acted as a cover for the appended script, making it appear legitimate to cursory or novice examination.
When investigating attack campaigns like this, every piece of information is important for tracking down and stopping threats against your organization. Below, you can see the Clicky ID inside RiskIQ PassiveTotal. By clicking on one of the domains inside the Public Project, www.namibianembassyusa[.]org, and pivoting on the “trackers” data set, you can see the rest of the domains compromised by Turla leveraging the same tracker:
Fig-1 Compromised domains linked by the ClickyID used by Turla
Many hacking organizations beyond Turla utilize tools like Clicky and Google Analytics (which Turla has also used) not just to mask or legitimize their malicious code, but also to measure the success of their campaigns, just like legitimate organizations do.
For example, when a website’s HTML is scraped and reposted for something like a phishing campaign, malicious actors often don’t bother to change things like the associated Google Analytics ID, tracking pixels, cookies, or social network connections. Being able to search for your official tracking codes can surface pages where the threat actor has forgotten to change this information, letting security teams find and shut down a malicious campaign.
In addition to using your own trackers to find phishing pages, once you have identified attacker-owned infrastructure, such as the domains and IPs used to serve phishing pages, you can check whether the attackers have implemented trackers of their own. With that information, you can find other instances across the internet where the same malicious actor’s analytics tracker appears and uncover additional campaigns associated with them.
RiskIQ gathers the full DOM while loading the pages we crawl and extracts details such as website trackers, analytics codes, social network accounts, and other unique values. These values can provide insight into additional infrastructure that typically goes unnoticed by static data sets. RiskIQ’s tracker data includes IDs from providers such as Google, Yandex, Mixpanel, New Relic, Clicky, and more.
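The tracker pivot described above, as an added example that is not RiskIQ's or PassiveTotal's own code: it pulls Clicky and Google Analytics IDs out of crawled page DOMs and indexes hosts by shared tracker. The snippet regexes are assumed forms of those providers' embed code, and the sample pages and hostnames are constructed; only the Clicky ID value comes from the post.

```python
import re
from collections import defaultdict

# Assumed forms of the Clicky and Google Analytics embed snippets
# (clicky_site_ids.push(<id>), the Clicky noscript pixel, and a UA- ID).
TRACKER_PATTERNS = {
    "ClickyId": [
        re.compile(r"clicky_site_ids\.push\(\s*(\d+)\s*\)"),
        re.compile(r"in\.getclicky\.com/(\d+)ns\.gif"),
    ],
    "GoogleAnalyticsId": [
        re.compile(r"['\"](UA-\d{4,10}-\d{1,4})['\"]"),
    ],
}


def extract_trackers(html):
    """Return the set of (provider, id) pairs found in one page's DOM text."""
    found = set()
    for provider, patterns in TRACKER_PATTERNS.items():
        for pat in patterns:
            for m in pat.finditer(html):
                found.add((provider, m.group(1)))
    return found


def pivot_on_trackers(pages):
    """Map each tracker to the sorted hostnames whose DOM carries it.

    Hosts sharing an uncommon tracker ID are candidates for the same
    operator's infrastructure and worth investigating together."""
    index = defaultdict(set)
    for host, html in pages.items():
        for tracker in extract_trackers(html):
            index[tracker].add(host)
    return {t: sorted(h) for t, h in index.items()}


# Constructed sample crawl results (not real page content or real hosts);
# 100673048 is the Clicky ID named in the post.
SAMPLE_PAGES = {
    "www.embassy-a.example": "<script>var clicky_site_ids = clicky_site_ids || []; clicky_site_ids.push(100673048);</script>",
    "www.embassy-b.example": "<noscript><img alt='Clicky' src='//in.getclicky.com/100673048ns.gif'/></noscript>",
    "www.unrelated.example": "<script>ga('create', 'UA-12345-6', 'auto');</script>",
}

if __name__ == "__main__":
    for tracker, hosts in pivot_on_trackers(SAMPLE_PAGES).items():
        print(tracker, "->", ", ".join(hosts))
```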
To start pivoting on these data sets for yourself, try RiskIQ PassiveTotal Community Edition for free by visiting https://www.riskiq.com/community/.