We have previously reported on the impact the current cryptocurrency mania has had on the tactics cyber threat actors are using. These range from phishing to directly probing for Internet-connected digital wallets.
This past weekend has shown the extensive nature of potentially compromised websites where cryptominers such as Coinhive have been embedded directly into a website or injected via a compromised third-party component such as the recent example of Texthelp. According to RiskIQ web crawling data, upwards of 50,000 websites have been observed using Coinhive in the past year, many of them likely without the original owner’s knowledge. Here’s how we are helping our customers address this issue.
Our customers tend to be large corporations and government agencies, so there’s a very low probability for a cryptominer to be present on their websites legitimately. Therefore, step one is to detect any web assets with a cryptocurrency miner running on them, and confirm that each asset is a part of the organization’s inventory.
RiskIQ’s webpage-crawling infrastructure monitors assets in our customers’ Digital Footprint on a regular basis. Crawlers download and analyze website content to identify the individual technical components that load when rendered. Currently, we have detection rules for the following miners: Coin Have, CryptoLoot, Coinerra, ProjectPoi, Papoto, MineMyTraffic, CoinImp, Minr, Coinhive, JSE Coin, and CryptoNight Miner.
Using our Global Insights Dashboard in Digital Footprint Inventory, customers have an instant view of the number of websites containing cryptominer technology:
Fig-1 Global Insights Dashboard
Clicking on a specific asset leads to a detail view where customers can see exactly when the cryptominer technology was observed running on the asset.
Fig-2 View of specific asset showing when the cryptomining component was observed
The next step is to inspect the website and identify if the cryptominer was placed directly or was injected via a compromised third-party plugin. The RiskIQ team can help you identify exactly where in your website and through which component the cryptominer was injected.
Fig-3 DOM capture shows where on the web page the script is running
So now you’ve found, investigated, and remediated any compromised sites. Why does this happen, and what do you do next?
Conducting business online means you have a digital presence, which introduces risks and challenges many organizations are not ready to tackle. Digital Threat Management from RiskIQ is the solution to that, and having a platform to manage what you own is step one. The recommendations from the cyber security community have been to implement Content Security Policy and Subresource Integrity. Implementing them takes effort both at the single asset level for an application developer and also for a cyber security team that has to monitor a portfolio of assets.
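To make the Subresource Integrity recommendation concrete, the following added example (not RiskIQ's code or detection logic) audits a crawled page for third-party scripts that either carry no `integrity` attribute or whose fetched body no longer matches it. The hosts, script bodies and the `audit` helper are hypothetical, and only `sha384` integrity values are checked.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def sri_value(body: bytes) -> str:
    """Return the sha384 integrity attribute value for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit(page_url: str, html: str, fetched: dict) -> list:
    """Flag third-party scripts lacking SRI or no longer matching it.

    `fetched` maps absolute script URL -> bytes as retrieved by a crawler.
    """
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        url = urljoin(page_url, src)
        if urlparse(url).hostname == page_host:
            continue  # first-party script: out of scope for this check
        if not integrity:
            findings.append((url, "no integrity attribute"))
        elif url in fetched and sri_value(fetched[url]) not in integrity.split():
            findings.append((url, "body does not match integrity"))
    return findings


# Constructed sample data (hypothetical hosts and script bodies).
ORIGINAL = b"function readAloud(){/* vendor plugin */}"
TAMPERED = ORIGINAL + b"/* injected code */"
PAGE = f"""<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.vendor.example/plugin.js"
        integrity="{sri_value(ORIGINAL)}" crossorigin="anonymous"></script>
<script src="https://widgets.example/chat.js"></script>
</head></html>"""
```

A browser enforcing SRI refuses to execute the pinned script once its body changes, while the script with no `integrity` attribute runs whatever the third party serves, which is why the audit reports both cases.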
RiskIQ can help cyber security teams by providing a system of record and monitoring on the status of the external digital attack surface. You can view assets in Inventory at an individual level or at an aggregate level to understand exposure and the progress of a cyber security program.
Fig-4 Viewing at an individual level
Fig-5 Viewing at an aggregate level.
RiskIQ Digital Footprint has you covered by continuously discovering an inventory of your externally-facing digital assets and managing risks across your digital attack surface. If you would like more information about how RiskIQ Digital Footprint Enterprise can help you with exposure to cryptominers, call us at 888-415-4447 or email us at email@example.com.