On May 28th, RiskIQ detected a malvertising (malicious advertising) campaign on several high-profile websites (ranked within the top 2,000 websites globally), including the popular humor site eBaum’s World. The campaign used a drive-by download to exploit several different versions of browser plugins, including Flash, Silverlight, and Java. In this case the malicious ads were served through AppNexus, but the same campaign has been seen on several other ad networks as well.
In this example, a user viewing a cat playing Jenga on eBaum’s World would have been served an advertisement that delivered a drive-by exploit. This example is illustrated below. The exploit kit used in the drive-by was Angler Exploit Kit, which has been gaining traction since Blackhole Exploit Kit started to lose criminal users. The migration of that user base is related to the arrest of “Paunch” last October. Predictions that criminals would move to other exploit kits have proven true, and Angler seems to be filling the void left by Blackhole.
As recently as November of last year, Angler’s authors integrated Silverlight exploits, which is particularly troubling because Netflix requires the Silverlight plugin to stream video in PC browsers. This provides a large user base to target: while Silverlight is not as widely deployed as the Adobe Flash plugin, it is estimated that the majority of internet users have it installed.
Angler gets its name from early advertisements in underground forums posted by the presumed author of the exploit kit. The initial ads for buying traffic displayed an anglerfish graphic, leading to the name. Over the last six months, the kit has been under active development, evolving its URL-pattern obfuscation and expanding the number of exploits it includes.
Because RiskIQ browses the Internet the way a user would, we easily detected and identified the exploit kits served from both advertisements and compromised websites. Over the last week, roughly ten percent of the sites on which we observed Angler distributed it through advertisements, and seventy percent of those ad-delivered instances came through AppNexus. This translates to hundreds of instances of Angler in our system, and we continue to see a steady rise in its use.
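The detection idea above (rendering a page as a user would, then asking whether a plugin payload was reached only through an ad-serving hop rather than from the publisher itself) can be applied to crawl records. The following is an added example, not RiskIQ code; the record format, the ad-network host and the session records are constructed placeholders, and only the Flash, Silverlight and Java MIME types are standard values.

```python
from urllib.parse import urlsplit

# Added example, not RiskIQ code. Record format, ad-network host and the
# session below are constructed placeholders; MIME types are the standard
# ones for Flash, Silverlight and Java content.
PLUGIN_PAYLOAD_TYPES = {
    "application/x-shockwave-flash": "Flash",
    "application/x-silverlight-app": "Silverlight",
    "application/java-archive": "Java",
}
AD_SERVING_HOSTS = {"ib.example-adnetwork.test"}  # placeholder ad host


def host_of(url):
    return urlsplit(url).hostname or ""


def flag_drive_by_chains(session):
    """One finding per plugin payload whose referral chain back to the
    publisher page passes through an ad-serving host. Records carry "url",
    "referrer" and "content_type", in request order, as logged by a crawler
    that renders pages the way a user's browser would."""
    referred_by = {}  # host -> host that first referred to it
    for rec in session:
        referred_by.setdefault(host_of(rec["url"]), host_of(rec["referrer"]))
    findings = []
    for rec in session:
        ctype = rec["content_type"].split(";")[0].strip().lower()
        if ctype not in PLUGIN_PAYLOAD_TYPES:
            continue
        chain, host = [], host_of(rec["url"])
        while host and host not in chain:  # walk back to the publisher
            chain.append(host)
            host = referred_by.get(host, "")
        # chain[0] is the payload host; an ad host further back means the
        # publisher never linked to it (Flash ad creatives need allow-listing).
        if any(h in AD_SERVING_HOSTS for h in chain[1:]):
            findings.append({"plugin": PLUGIN_PAYLOAD_TYPES[ctype],
                             "url": rec["url"], "chain": chain[::-1]})
    return findings


P, AD, LAND = "http://publisher.test", "http://ib.example-adnetwork.test", "http://landing.placeholder.test"
CONSTRUCTED_SESSION = [  # publisher page, its own Flash player, then an ad hop
    {"url": P + "/cat-jenga", "referrer": "", "content_type": "text/html"},
    {"url": P + "/player.swf", "referrer": P + "/cat-jenga", "content_type": "application/x-shockwave-flash"},
    {"url": AD + "/slot?id=7", "referrer": P + "/cat-jenga", "content_type": "text/javascript"},
    {"url": LAND + "/x.html", "referrer": AD + "/slot?id=7", "content_type": "text/html"},
    {"url": LAND + "/a.xap", "referrer": LAND + "/x.html", "content_type": "application/x-silverlight-app"},
]
```

On the constructed session the publisher's own Flash player is not flagged, while the Silverlight payload fetched from the landing page reached through the ad slot is reported with its full referral chain.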
– James Pleger, Director of Research