If you’re in security and haven’t delved much into threats related to cryptocurrency, you may want to reconsider your position. Regardless of how you feel about its practicality or potential bubble status, cryptocurrency is worth understanding because it’s not going away anytime soon. And, a lack of formal regulations or rules in the space has helped foster a ‘wild west’ sort of chaos—both for good and for bad.
In no particular order, here’s a brief set of topics for those looking to expand their cryptocurrency security knowledge.
Most people have heard of Bitcoin, Ethereum, Ripple, and Litecoin, but what about the lesser known altcoins such as ICON, Civic, and Verge? There are hundreds of coins/tokens in the market space right now—even Kodak is throwing its hat in the ring—and acquiring them is not always a straightforward process.
Figure-1 Binance, a popular exchange featuring hundreds of altcoins
To purchase these altcoins, you must first find an exchange that will convert your currency to Bitcoin or Ethereum. From there, you have two options: 1) use an exchange, or 2) use a mixer. Depending on the coin you want to purchase, you may need to transfer your coins from one exchange to another using the wallet addresses at each exchange. Exchanging is a reasonably simple process, but what makes it difficult is finding exchanges that are reputable and then managing disparate accounts on each one.
Figure-2 Changelly.com, a popular mixer to change cryptocurrencies
Assuming you already have one coin type but want to exchange it for another, you could use something called a mixer. These websites will allow you to send currency of one kind and transfer it into another type. Similar to exchanges, mixers often require you to register an account, trust the provider with your money (briefly), and use a multitude of providers since no one provider has all the coins listed.
The process above involves a lot of moving parts, and even the most reputable of these exchanges and mixers have widely held concerns associated with their security, and rightly so—there have been several recent high-profile hacks resulting in a loss of millions of dollars worth of holdings.
The lesser-known mixers and exchanges are even riskier, and with new ones popping up every day, there’s an entirely new landscape of dangerous cryptocurrency apps, both legitimate and malicious, that investors must now navigate. Already, RiskIQ has detected and blacklisted dozens of fake cryptocurrency apps in the mobile app ecosystem, many of which are leveraging the name of well-known exchanges and mixers.
When a topic gains global attention, chances are high it will be used in phishing attacks.
What makes the cryptocurrency world a bit different is the lack of follow-up actions that can take place in the event of a theft. This has resulted in a wide range of phishing techniques, including standard cold emails, targeted messages to cryptocurrency holders, SMS hijacking to thwart two-factor authentication, typosquatting or brand-infringing websites, fake exchanges, fake mixers, social media impersonation, and more. Unlike typical phishing, where the user may lose their account, victims of these phishing attacks can lose their entire digital wallet, leaving them empty-handed and without recourse.
In early November, Proofpoint uncovered a sizeable, active phishing campaign by the Lazarus Group that sent out messages about fake Bitcoin Gold (BTG) wallet software. The actors abused IDN registration in an attempt to impersonate the official bitcoingold.org website, using IDN sender domains and their decoded (Unicode) forms.
Figure-3 Comparing the real Bitcoin Gold page with the malicious phishing page
RiskIQ's virtual user technology, our web crawling infrastructure, captured full copies of the fake webpages and the metadata present on them. RiskIQ stores host pairs for sites that point to each other in a parent or child relationship; querying this data set for the official BTG website showed at least two fake websites in its parent host pair set. This information enabled investigators to detect the threat at the source and track how the actors ran their campaign.
RiskIQ virtual user technology can combat phishing schemes related to cryptocurrency in other ways, too. Whether they’re malicious or benign, fake or legitimate, cryptocurrencies, mixers, and exchanges also leverage well-known brands, often financial institutions, to boost their visibility. In conjunction with industry-leading phishing blacklists, RiskIQ External Threats analyzes the internet looking for pages that are similar to a brand's proprietary assets, or pages that collect information leveraging that brand's logo. Through direct integrations with Google Safe Browsing and Microsoft SmartScreen, RiskIQ External Threats can automatically detect and block phishing campaigns, stopping most browsers from accessing the page.
Hundreds of coins also means hundreds of companies, many with technology-based solutions. Many of the altcoins provide their users with digital wallets in the form of mobile apps or native desktop apps. Like any other technology, this software may have vulnerabilities that could be exploited and result in the total loss of assets. And, unlike your traditional bank account, your cryptocurrency isn’t insured.
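As an added illustration of the host-pair lookup and IDN look-alike check described above (example code written for this post, not RiskIQ's PassiveTotal code), the snippet below takes a small constructed host-pair set, IDN-decodes each parent host, normalizes it with a small homoglyph table, and reports the parents that read like bitcoingold.org but are not it. The host-pair records and the two fake domains are constructed for the example, and the confusable table is a small subset rather than the full Unicode list.

```python
import unicodedata
# Small subset of Unicode confusables (Cyrillic/Greek look-alikes -> ASCII), constructed
# for this example; a production check would use the full UTS #39 confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0131": "i", "\u0261": "g",
    "\u03bf": "o", "\u03b1": "a",
}

def to_alabel(host):
    """Encode a Unicode hostname to its ASCII (xn--) form, as a crawler stores it."""
    return host.encode("idna").decode("ascii")

def skeleton(host):
    """Normalize a hostname for look-alike comparison: IDN-decode the ASCII form,
    casefold, strip diacritics, then map common homoglyphs to their ASCII twins."""
    text = host
    if host.isascii():
        try:
            text = host.encode("ascii").decode("idna")
        except UnicodeError:  # malformed xn-- label: fall back to the raw form
            text = host
    text = unicodedata.normalize("NFKD", text.casefold())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def lookalike_parents(host_pairs, brand):
    """Return parent hosts that link to `brand` and normalize to the same skeleton
    as the brand while not being the brand itself (IDN/homoglyph impersonation)."""
    target = skeleton(brand)
    return [
        rec["parent"] for rec in host_pairs
        if rec["child"] == brand and rec["parent"] != brand
        and skeleton(rec["parent"]) == target
    ]

# Constructed host-pair records (parent page -> child it links to); not RiskIQ data.
FAKE_O = "bitcoing\u043eld.org"  # Cyrillic 'о' (U+043E) in place of Latin 'o'
FAKE_I = "b\u0456tcoingold.org"  # Cyrillic 'і' (U+0456) in place of Latin 'i'
HOST_PAIRS = [
    {"parent": "news.example-coverage.net", "child": "bitcoingold.org"},
    {"parent": to_alabel(FAKE_O), "child": "bitcoingold.org"},
    {"parent": to_alabel(FAKE_I), "child": "bitcoingold.org"},
    {"parent": "bitcoingold.org", "child": "github.com"},
]

if __name__ == "__main__":
    for host in lookalike_parents(HOST_PAIRS, "bitcoingold.org"):
        print(host, "-> look-alike of bitcoingold.org:", skeleton(host))
```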
Figure-4 Security researcher seeing live scans against honeypots revealing a vulnerability
For example, security researchers recently uncovered a vulnerability being exploited in the wild by malicious actors. Ethereum users directly connected to the Internet were at risk of having funds automatically stolen from their digital wallets due to an unauthenticated JSON-RPC endpoint present within the wallet.
Some holders of cryptocurrency have opted to use hardware solutions to secure their digital wallets. These devices often provide a degree of security by offering encryption or some additional authentication mechanism that requires the user to interact with the device.
Unfortunately, bad actors have taken notice of these hardware devices and of a market of uneducated purchasers, and now sell second-hand devices to them. These second-hand devices could be implanted with a backdoor or seeded with information the attacker could use to access the contents of the device later.
With cryptocurrency valuation reaching new highs seemingly every week, everyone is trying to cash in. That’s why revenue-generating cryptocurrency miners are everywhere and anywhere. However, these miners require tons of computing power, often sourced from unwitting users.
Figure-5 Components shown for a web property in RiskIQ PassiveTotal detailing the use of Coinhive within the web page.
Some brands capitalize by running cryptocurrency mining scripts in the background of their sites to leverage the computers of their visitors legally. Meanwhile, threat actors hack vulnerable sites or spin up fake, illegitimate websites to siphon money off of major brands, often with typosquatting domains and fraudulent branding. By leveraging domains or subdomains that appear to belong to major brands, these actors trick people into visiting their sites running cryptocurrency mining scripts to monetize their content. When we looked at domains running the cryptocurrency mining script Coinhive, we found many examples of typosquatting and domain infringement.
Unfortunately, security teams lack visibility into all of the ways they can be attacked externally, and struggle to understand what belongs to their organization, how it’s connected to the rest of their asset inventory, and what potential vulnerabilities are exposed to compromise. In the case of scripts like Coinhive, that means being able to inventory all the third-party code running on your web assets, and being able to detect instances of threat actors leveraging your brand on their illegitimate sites around the internet. Fortunately, RiskIQ Digital Footprint has you covered by continuously discovering an inventory of your externally-facing digital assets and managing risks across your attack surface.
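As an added example (not RiskIQ's Digital Footprint code), the following script shows the inventory idea at its simplest: parse a page, resolve every script source to a host, and classify each as first-party, third-party, or a known in-browser miner such as Coinhive. The sample HTML, the brand domain brand-example.com, and the one-entry miner host list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
MINER_HOSTS = {"coinhive.com"}  # miner hosts to flag; Coinhive is the one the post discusses

class ScriptCollector(HTMLParser):  # collects external script URLs and inline script bodies
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def inventory(page_url, html, first_party_domain, miner_hosts=MINER_HOSTS):
    """Classify each script on a page as first-party, third-party, or a known miner."""
    parser = ScriptCollector()
    parser.feed(html)
    report = {"first_party": [], "third_party": [], "miner": []}
    for src in parser.srcs:
        host = urlsplit(urljoin(page_url, src)).hostname or ""  # resolves "//host" and "/path"
        if host in miner_hosts or any(host.endswith("." + m) for m in miner_hosts):
            report["miner"].append(host)
        elif host == first_party_domain or host.endswith("." + first_party_domain):
            report["first_party"].append(host)
        else:
            report["third_party"].append(host)
    # Inline miners: a crude keyword check on script bodies, enough to triage a crawl.
    if any("coinhive" in body.lower() for body in parser.inline):
        report["miner"].append("inline:coinhive")
    return report

# Constructed sample page for a hypothetical brand site; not a real crawl result.
PAGE_URL = "https://www.brand-example.com/index.html"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.brand-example.com/vendor.js"></script>
<script src="//coinhive.com/lib/miner.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<script>/* constructed inline snippet */ new CoinHive.Anonymous("PLACEHOLDER_KEY").start();</script>
</head><body></body></html>"""
```

Running `inventory(PAGE_URL, SAMPLE_HTML, "brand-example.com")` on the sample page reports the two brand hosts as first-party, the analytics host as third-party, and both the external and inline Coinhive references as miners.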