Today’s cybersecurity challenges are unlike anything we’ve seen before. Your organization’s IT infrastructure now consists of the traditional network—employee laptops, desktops, operating systems, storage platforms and servers, cloud storage—plus an entirely new attack surface made up of a myriad of assets that exist outside the firewall.
As your enterprise adapts to ever-changing IT complexity, we at RiskIQ have identified five common cybersecurity gaps facing most enterprises today.
Enterprises must be able to quickly see what’s happening on the open internet and on their client-facing assets, but this isn’t always easy to do (and they don’t always know where to look). How can you possibly keep up with all of the threats you’re facing and make sure to fill in the essential gaps? In this article, we’ll look at the five most prevalent issues your organization is facing today.
Third-party components can quickly become vulnerable without your organization’s knowledge for one simple reason: you’re not part of their upkeep.
For example, let’s say your e-commerce site is using a shopping platform such as Magento, which has been exploited in Magecart attacks. Magento is responsible for its own cybersecurity, but if even one attempt gets through and the platform’s code becomes vulnerable or is modified, you as an organization have no control over that access point—your site may also be compromised. There is virtually nothing you can do to guarantee that a partner’s system is up to date and secure at all times.
This is where RiskIQ comes in.
We can alert you when something (such as a plugin) is compromised so that you can address the vulnerability immediately. No available cybersecurity application can entirely eliminate this risk—it is nothing your firewall, antivirus or vulnerability scanners can mitigate preemptively. However, you can monitor your dependencies and take action as soon as one of them becomes a danger to your organization.
At RiskIQ, we’re able to inventory and monitor all resources and sub-resources of your web pages.
We create this inventory by crawling the internet and storing the elements of each page, including its document object model (DOM). We then back up this historical data over time for reference. When something changes, we—and you—are instantly alerted to it.
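The crawl-and-compare idea described above can be illustrated with a small stand-alone script. This is an added example, not RiskIQ’s code or any part of its product: it parses a page for external scripts and stylesheets plus inline script bodies, hashes each resource to build a per-page inventory, and reports what was added, removed or changed between two crawls. All URLs, HTML and resource bodies below are constructed for the example (the `.test` hostnames are not real sites), and the `fetch` callable is a stand-in for whatever HTTP client a real crawler would use.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin


class SubResourceParser(HTMLParser):
    """Collect external scripts/stylesheets and inline <script> bodies from one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.external = []   # absolute URLs of <script src> and <link rel=stylesheet href>
        self.inline = []     # bodies of inline <script> blocks
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(urljoin(self.base_url, a["src"]))
            else:
                self._in_inline_script = True
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.external.append(urljoin(self.base_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies verbatim via handle_data.
        if self._in_inline_script and data.strip():
            self.inline.append(data.strip())


def build_inventory(page_url, html, fetch):
    """Return {resource_key: sha256_hex} for one page.

    `fetch(url)` must return the resource bytes. Inline scripts have no URL, so they
    are keyed by a prefix of their own hash; an injected inline script therefore
    shows up as an *added* key rather than a changed one.
    """
    parser = SubResourceParser(page_url)
    parser.feed(html)
    inventory = {}
    for url in parser.external:
        inventory[url] = hashlib.sha256(fetch(url)).hexdigest()
    for body in parser.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        inventory[f"inline:{digest[:12]}"] = digest
    return inventory


def diff_inventory(baseline, current):
    """Compare two inventories; any non-empty list is worth an alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


# --- Constructed sample data (not captured from any real site) -----------------
PAGE_URL = "https://shop.example.test/checkout"

BASELINE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/checkout.js"></script>
<script src="https://cdn.partner.example.test/widget.js"></script>
</head><body><script>window.cfg = {currency: "USD"};</script></body></html>"""

# Second crawl: the page now references one extra third-party host.
CURRENT_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="https://static.unknown-host.example.test/a.js"></script>\n</head>',
)

# Resource bodies at each crawl. The partner widget changed between crawls even
# though the HTML line referencing it did not; a DOM-only diff would miss that.
BASELINE_BODIES = {
    "https://shop.example.test/static/site.css": b"body{margin:0}",
    "https://shop.example.test/static/checkout.js": b"function pay(){/* v1 */}",
    "https://cdn.partner.example.test/widget.js": b"/* widget 1.0 */",
}
CURRENT_BODIES = dict(BASELINE_BODIES)
CURRENT_BODIES["https://cdn.partner.example.test/widget.js"] = b"/* widget 1.0 */ /* unexpected addition */"
CURRENT_BODIES["https://static.unknown-host.example.test/a.js"] = b"/* never seen before */"


def run_example():
    baseline = build_inventory(PAGE_URL, BASELINE_HTML, BASELINE_BODIES.__getitem__)
    current = build_inventory(PAGE_URL, CURRENT_HTML, CURRENT_BODIES.__getitem__)
    return diff_inventory(baseline, current)


if __name__ == "__main__":
    for kind, items in run_example().items():
        for item in items:
            print(f"{kind.upper():8} {item}")
```

Hashing the fetched bodies, not just the URLs found in the DOM, is the point of the example: a third-party script that is swapped out on its own CDN looks identical in your page source, and only the content hash reveals it. A real monitor would persist the baseline between crawls and key it by page URL.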
The mobile ecosystem is another threat landscape that provides attackers direct access to brands, employees, and consumers. There are thousands of new apps going up every day spread across the entirety of the web, including hundreds of legitimate and illegitimate app stores, so it’s understandably hard for organizations to map and monitor their mobile presence.
Official mobile apps can be hacked or duplicated by attackers, but even brands that don’t have an official app can be targeted.
The example we’ll use to illustrate this comes from years ago in a client meeting. They sat down with us at RiskIQ and told us they didn’t have any mobile apps, and therefore didn’t need to worry about the cybersecurity of their mobile presence. We explained to the client that, in reality, they did—we had found hundreds of unsanctioned apps leveraging their brand. They were shocked because they had no visibility into that aspect of their attack surface.
Many of these apps lead users to believe the app is legitimate, when in fact it does nothing it purports to do and may even contain malware or adware. When a user believes the app is associated with a particular brand, the threat actors who built it benefit, and the unhappy user associates their bad experience with the brand they thought they were interacting with.
We monitor Google Play, the Apple App Store, and more than 150 other app stores around the world to uncover rogue mobile apps and intelligently sort legitimate apps from modified versions, unauthorized fakes, and look-alikes. We go beyond the title and description, automatically analyzing all app content and code to discover logos, brand references, and malicious code hidden within app files. We also track app versions and correlate apps across stores for efficient management and enforcement of related incidents.
At RiskIQ, we have found that visibility into domain and subdomain infringement is a common gap and a vital area of enterprise cybersecurity. Threat actors register domains that look nearly identical to the official, legitimate one and use them in their phishing campaigns.
For example, threat actors have registered domains nearly identical in appearance to a bank’s. If someone mistyped the bank’s domain, they would land on a phishing page made to look exactly like the legitimate one. Because of the similarity in appearance, they wouldn’t know they had inadvertently arrived at the wrong destination.
From there, the person would enter their banking credentials to log in. The threat actors behind the site would then have the client’s credentials on hand to do with as they please.
As previously mentioned, at RiskIQ, we continuously scan the Internet for fraudulent activity targeting your organization. We automatically monitor all suspicious domains and subdomains related to your brands for changes in content or behavior presented to site visitors every 48 hours, or instantly whenever a Whois or DNS change occurs on the domain between scheduled checks. These observed changes prompt users to re-review previously seen threats against which no action was previously taken, but may now warrant a different response based on changed risk level.
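To make the “suspicious domains related to your brands” monitoring above concrete, here is an added example (not RiskIQ’s code or method) that classifies newly observed domain names against a protected brand name. It normalizes common look-alike characters, computes an edit distance to the brand, and checks for the brand embedded in the registrable label or in a subdomain, while skipping domains on an allowlist the organization owns. The brand `examplebank`, the allowlist and the observed domains are all constructed for the example; in practice the observed list would come from a feed such as new registrations, passive DNS or certificate transparency logs.

```python
# Constructed inputs: a brand to protect, the domains the organization actually owns,
# and a batch of newly observed domain names (as a registration/pDNS/CT feed might supply).
BRANDS = ["examplebank"]
OWNED = {"examplebank.test"}
OBSERVED = [
    "examplebank.test",                # our apex: ignored
    "login.examplebank.test",          # our subdomain: ignored
    "exarnplebank.test",               # rn -> m look-alike
    "examp1ebank.test",                # digit 1 for letter l
    "exampelbank.test",                # transposed letters
    "examplebank-login.test",          # brand plus a lure word
    "examplebank.secure-login.test",   # brand used as a subdomain of someone else's domain
    "examplebank.example",             # exact brand on a TLD we do not own
    "unrelated.test",                  # benign
]

# Single-character substitutions attackers commonly use, mapped back to the intended letter.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}
# Multi-character sequences that render like one letter in many fonts.
MULTI = [("rn", "m"), ("vv", "w")]


def normalize(label):
    """Fold look-alike characters so visually similar labels compare equal."""
    label = "".join(HOMOGLYPHS.get(c, c) for c in label.lower())
    for seq, replacement in MULTI:
        label = label.replace(seq, replacement)
    return label


def edit_distance(a, b):
    """Levenshtein distance with a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (registrable_label, [subdomain labels]).

    Naive second-level split; a production tool would use the Public Suffix List
    so that e.g. 'co.uk' is not treated as the registrable label.
    """
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], []
    return parts[-2], parts[:-2]


def classify(domain, brands=BRANDS, owned=OWNED, max_distance=2):
    """Return (domain, brand, reason) if the domain looks like a brand impersonation, else None."""
    domain = domain.lower().rstrip(".")
    if domain in owned or any(domain.endswith("." + o) for o in owned):
        return None
    sld, subs = split_domain(domain)
    norm = normalize(sld)
    for brand in brands:
        if norm == brand:
            reason = "homoglyph" if sld != brand else "brand name on unowned tld"
            return (domain, brand, reason)
        distance = edit_distance(norm, brand)
        if distance <= max_distance:
            return (domain, brand, f"edit distance {distance}")
        if brand in norm:
            return (domain, brand, "brand embedded in name")
        if any(brand in normalize(s) for s in subs):
            return (domain, brand, "brand in subdomain")
    return None


def scan(domains):
    """Classify a batch and return only the findings."""
    return [f for f in (classify(d) for d in domains) if f is not None]


if __name__ == "__main__":
    for domain, brand, reason in scan(OBSERVED):
        print(f"{domain:35} impersonates {brand}: {reason}")
```

Each finding is a candidate for the kind of re-review the text describes, not a verdict: a short edit distance to a brand name also matches plenty of innocent registrations, so in practice the output feeds a queue where content and Whois/DNS changes are watched over time, exactly as the monitoring above does.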
When investigating server-framework gaps in your enterprise cybersecurity plan, at RiskIQ we focus on two things: out-of-date frameworks, and the common tendency of organizations to neglect the regular software updates those frameworks need.
Despite your best efforts, however, even the most up-to-date framework can become vulnerable. It’s then up to your organization to update the affected framework and patch up the vulnerability as quickly as possible.
How dangerous is an out-of-date framework? This is a good question and one that we’re occasionally asked. The quick answer is: very. Here are a few well-known names that demonstrate the risk: Heartbleed, WannaCry, Petya, and NotPetya—just to name a few. Every one of these high-profile incidents resulted in hundreds of millions in losses and was caused by unpatched servers.
Organizations should be concerned with compliance fines, financial liability, and material loss of customer confidence through theft of data or fraud. They should also weigh the cost of regaining access to, and resuming operation of, data and systems that can be held hostage by automated ransomware attacks at internet scale.
The issue, of course, is visibility. It is tough for a large organization to be 100% aware of every version on every server, and unfortunately, server misconfiguration is all too common.
There are quick options to help with this task, but many of them fall short. The challenge is finding the needle in the haystack and proactively identifying which framework poses the most severe risk. It’s a dangerous numbers game to try to determine which of these thousands of patches are a priority and will dramatically reduce the risk to your organization.
RiskIQ provides actionable visibility. We show you what you have and where, and detail the risks so that you can pass it off to your testing team and make the necessary updates. Once you have an accurate and current picture of your digital footprint—including the frameworks and web applications running on your external assets—it is far easier to understand and execute problem-resolution techniques that keep those assets secure. This inventory of your assets is also critical for compliance with numerous industry and government regulations.
Anything that is outside the awareness of your cybersecurity team is referred to as “Shadow IT.” It’s an information-technology system or solution built and utilized by some part of an organization without specific cybersecurity or IT approval. There is no real way that you can monitor it or know about it. Marketing is a typical, well-meaning culprit in the creation of these assets, simply because new campaigns and content are continually being created and then left on the same server, often entirely forgotten about.
For example, your HR team puts together a recruiting website for a specific job event or hiring initiative using a rough-and-ready CMS, so they don’t have to “bother” IT or Programming. Several months after the event they may have forgotten about the digital assets they created, but those assets are still running on the company server. Over time that CMS becomes out of date and vulnerable, making it an easy target for hackers.
Our extensive digital footprint provides global visibility, meaning we can discover precisely what belongs to your organization. Layering on more than 10 years of historical internet data, RiskIQ customers have visibility into attacks ranging from the deep and dark web to the surface web, along with the analytics needed to receive the most relevant, real-time alerts that inform and enable quick and decisive action.
These common gaps are simply ones your enterprise cybersecurity plan can’t afford to ignore. We hope this article gave you useful insight into what is happening behind the scenes of your organization’s cybersecurity.
What are you doing to combat threats faced by your organization? RiskIQ is a world leader in digital threat management. Contact us today to learn more about how we can fill in your enterprise cybersecurity gaps and protect your assets.