Domain Shadowing: Shadowed Domains Lead to Neutrino EK

Much like a roofing company chasing a hail storm, when there's a heavily publicized event, a cyber attacker will take advantage of it to seek out new victims. Therefore, cybersecurity professionals should also follow headlines when they hunt for opportunistic threat activity.

Because of the current political news, I searched for a presidential candidate's name (perhaps you've heard of her?) within our data and stumbled across a Neutrino Exploit Kit landing page. Combining the click-enticing appeal of hot-button political headlines with the perimeter-piercing capability of domain shadowing, this example had all the makings of a successful payload delivery.

This particular crawl was flagged by RiskIQ's system at multiple stages, including the ad server—which was potentially hacked, the malicious redirector, and the Neutrino EK landing page. You can view the details for each stage via the following links:

Possibly Hacked Ad Server
Malicious Redirector


It’s a Bird! It’s a Plane! It’s a Direct IP Request!

Look at it go!

Ok, not as cool as Superman, but direct (naked) IP requests are something you should definitely think about while protecting your company from a preventive or detect-and-respond perspective.

What are direct (naked) IP requests?

Although the routable IPv4 address space is finite, using IP addresses alone would be like trying to remember the phone number of everyone in your contacts list if it contained the population of Earth several times over. That raises a few questions: why would someone hard-code an IP address into a request? Did the destination site's developer figure they would never have to change IP addresses? Did they assume easy-to-remember FQDNs were a waste? Did they not have a contingency plan in the event of an unintentional disruption?

The answer to all of the above questions is, of course, no—DNS removes the need for internet users to have superhuman memory, and domain names cost little to nothing these days. That's why, as an infosec researcher, when I hear folks are dropping a proxy server or next-generation perimeter device in line and allowing direct IP requests to egress with little to no inspection, I give them the "I'm not mad, I'm just disappointed" talk.


When Phishing Makes You Pay

There are several types of phishing—email, SMS, website, phone call, or chat program—but phishing's purpose is always the same: separate an unsuspecting victim from money or from sensitive or personally identifiable information (PII). In this post, I'll showcase what we see within our RiskIQ Phishing application when identifying a phishing threat. In the image below, you'll see a phisher targeting users of a well-known payments system via a fake login page. On the left is the fraudulent version; on the right is the legitimate one.


Fig-1 Phisher (left) viewed safely within RiskIQ Phishing application and the real login page (right) comparison

To see the phishing page shown in Fig-1, we view its summary within the RiskIQ Phishing App (Fig-2), which gives us the rendered page showing exactly what a victim would see while the phishing campaign is live, along with other important details that provide clues about the phisher's identity. Having these clues all in one place is crucial when reacting to a phishing event because it saves time and shortens the period during which the phishers are active.


Fig-2 RiskIQ Phishing Summary page

Below are just a few of the key attributes associated with this particular phisher along with why they appear in the summary page and what they can tell us (Fig-2):


The Relationship Between Compromised Ad Servers, Traffic Distribution Systems, and the Angler EK

Today, we are going to look at an intriguing crawl we came across inside of the RiskIQ platform. This example illustrates the relationship between compromised ad servers, traffic distribution systems, and the Angler Exploit Kit (EK).

The initial tip-off was some tell-tale Angler EK activity on photo-supermarket[.]co[.]uk. What's interesting is that we saw two different events fire on this crawl, one for the EK and one for a compromised ad server.


Fig-1 A look inside RiskIQ: Textbook Angler EK

As we dig into the alert that fired for the compromised ad server, we can see the malicious iframe injection residing in the grupo-rdr[.]com/owns/superior/min.js file, as illustrated below:


Fig-2 Malicious iframe injection


Modern Client Cyber Security Issues are Evolving: They’re Becoming Simpler

As we close out Q1 in 2016, what does the client-side threat landscape look like? Where is the industry headed? How are criminals changing? In this post, I want to take some time to reflect and summarize some thoughts that I’ve had over the last few months.

Cyber security has evolved

From RiskIQ’s vantage point, many of the threats and vulnerabilities that plagued us 10 years ago now have clear and straightforward solutions. Cyber security solutions that were once considered bespoke and very sophisticated in 2006 are now commoditized and commercialized. Nearly every day, a new product or technology is introduced that solves complicated problems that once plagued information security departments.

The client attack surface is rapidly being reduced

In fact, mitigations like DEP and ASLR are so effective that they have rendered entire classes of exploits and vulnerabilities obsolete. Software packages have filled the void to provide things like application sandboxing, application firewalls, and other interesting cyber security technologies. While many of these concepts are not new, their widespread deployment inside large corporations is.


External Threats: It’s Just Business

Cyber security researchers get asked questions that result in some interesting conversations. Often, these discussions make note of relationships between digital activity and the physical world. Depending on the situation, the correlations between the two help our clients gain a better understanding of the kinds of external threats they face—as well as the actors behind them.

A couple of examples I use when helping folks tap into the psyche of threat actors are language settings and alignments with actors' schedules. These are old concepts in the cyber security community, but I felt compelled to take a fresh look at the latter. I took a moment to extrapolate what appears to be an illustration of actors' "holiday schedule"—so to speak—from our crawl data.

If you pay attention to this sort of thing in the news, on social media, etc., you'll invariably see spikes and dips in the frequency of coverage of Angler Exploit Kit activity—as well as changes in the style of the attacks. While going back through this quarter’s data, I was reminded that we experienced a period where our crawlers encountered hardly any Angler Exploit Kit landing pages at all. The chart below illustrates the significant drop in unique hits around New Years:

It seems overly simple, but I remind individuals all the time that cybercrime and exploitation are often not personal; they're just business. As such, it's possible that just like those of us with more legitimate occupations, these actors take time off around the holidays and start January feeling fresh and with renewed resolve. The chart suggests that something like this was going on last January; note the sudden decline in detections around New Years and the sudden spike on January 11.


Multiple Malicious Iframe Injections on Compromised WordPress Sites

At any given time on the web, there are ongoing active attack campaigns against vulnerable web applications. Attackers target these applications to take over a vast, widespread footprint of systems that suits their nefarious needs. Common, widely deployed applications for serving website content, called content management systems (CMS), make especially attractive targets.

Vulnerable CMS applications and third-party plugins can expose an organization’s website to attackers who want to bypass access controls and inject their malicious content into the site. In many cases, the resource that attackers seek with these mass website injections is traffic. Traffic to legitimate websites is an asset attackers can convert into profit, allowing them to commoditize it, i.e. sell or trade the traffic with other criminals, or attack the websites’ users—who may themselves be vulnerable—by loading malware on their systems via browser exploit kits (EK).

Recently, RiskIQ observed an instance that illustrates this attack pattern well. The website the attackers compromised was a small site running a vulnerable CMS version: WordPress 3.8.12 (released in January 2016, and since discovered to be vulnerable to multiple security flaws).

The website was observed serving site visitors malicious redirection code in the form of two distinct injections, served from different resources on the site. One injection, which is not obfuscated, is served from various pages on the site, including the homepage. We refer to this style of injection as ZTL5iframe. It's illustrated in the screenshot from our application below:


Yet Another Fake Flash Player

These days there's plenty of discussion about rogue mobile applications. After all, mobile devices contain valuable personal information and commonly access corporate data. Also, let's not forget that these devices are usually not subject to corporate security controls, which is why it's crucial to have an external threat management program.

At RiskIQ, we see a lot of rogue mobile applications—a lot. We covered a few of the common impersonations in our previous blog, which briefly covered Slempo. Now, we'd like to take a moment to point out yet another fake Flash Player update we recently spotted. The following screenshot was taken from the RiskIQ application, showing details about the package:

This particular application looks legitimate on the surface, but RiskIQ's technology quickly points out the excessive permissions, URLs, and other suspicious indicators, such as the unpronounceable Package Name—and the fact that the file name clearly does not support the narrative.

Looking back in our crawl data, we see that there was a low confidence rating coming from our friends over at VirusTotal:


Are Cyber Security Vendors Using Scareware Traffic-delivery Tactics?

While surfing the internet with a mobile device, we've observed advertisements by Moiety Media serving legitimate antivirus (AV) software (Qihoo 360 Security for mobile) to the public via scareware techniques. This delivery method is concerning because it scares people into downloading legitimate AV software from Google Play via affiliate download links—a method of traffic delivery that was abused heavily in the past to deliver fake AV software. Those campaigns were very lucrative, which may be the motivation for this trending type of advertising.


Fig-1 Scareware text string matches as well as GEO targeting with German string matches

Many advertisers are using this technique, but in this specific example, the advertising company behind these tactics is Moiety Media. Based on our review, Moiety Media appears to be a vendor used to market to specific targeted audiences; in this case, mobile users. Based on their other listed projects (Fig-1, Fig-2), a quick cross-reference with Google Play, and the number of downloads for 360 Security, Moiety Media's advertising has been successful in the mobile realm.


Fig-2 Showing the connection to Qihoo 360 Security for mobile and other apps Moiety Media is advertising

Why is this happening and why has no one addressed these methods?
