Like many of the conflicts we see in the world today, cyber threats have grown exponentially in size and scope, moving from within the confines of the firewall to span the whole internet.
Despite this sprawl, CISOs still spend significant money securing their perimeter, employing an average of 35 tools to do so. But this is mostly a reactive approach, and it no longer works. The problem is, in this new age of cyber attacks targeting organizations on the open internet, you can no longer wait for the threats to come to you.
Today, spotting cyber threats lurking around the internet requires high-level visibility.
Organizations finding success in cyber security are those investing in surveillance and reconnaissance tools that can show how their digital attack surface appears to attackers: a collection of widely dispersed digital assets that can be exploited in a variety of ways.
Millions of these digital assets appear on the internet every day, most of which are entirely outside the scope of an organization’s security visibility. These can include legitimate items, but also threats like unknown websites, mobile apps that have been compromised to distribute malware, domain and brand infringement, unknown and unmonitored web components and dependencies, and imposter social media accounts.
Consider the recent breaches of Ticketmaster, British Airways, and Newegg by the credit card-skimming group Magecart.
In the case of the Ticketmaster breach, RiskIQ discovered it wasn’t an isolated incident but a worldwide campaign, executed by compromising widely used third-party analytics trackers, that affected tens of thousands of e-commerce sites. The affected brands had no visibility into the code running on their websites, so they were unaware and powerless to protect their customers, many of whom had their data stolen directly from the site as they entered their payment information.
British Airways and Newegg were similarly vulnerable to web-based attacks. They were victimized by targeted attacks using unique skimmers that integrated with the victim’s payment system and blended with the existing infrastructure so as to stay in place as long as possible. These attacks showed that Magecart is not limited to specific geolocations or industries: any organization that processes payments online is a target. The elements of the British Airways attack were all present in the attack on Newegg:
However, when brands understand what they look like from the outside in, they can begin developing a digital threat management program that allows them to discover everything associated with their organization on the internet, including third-party code on their site.
The tools providing insight and visibility into these assets leverage internet data to discover everything associated with an organization on the internet, both legitimate and malicious, and monitor them for compromise to help bring the massive scope of a digital attack surface into focus. With a wide-spanning, overhead view, organizations can take a proactive approach to defend their organizations and, if necessary, go on the offense against a threat rather than waiting to be breached.
RiskIQ’s network of web crawlers, which crawls more than two billion web pages a day, views and interacts with websites from the perspective of a user. It’s this unique perspective that allows us to detect web-based attacks like Magecart while no one else can.
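The visibility gap described above comes down to a simple question: which hosts are serving script to your checkout page, and has anyone approved them? The following is an added illustration, not RiskIQ code; the checkout HTML, the page URL and the allowlist of approved hosts are constructed placeholders.

```python
# Added example (not RiskIQ code): inventory the hosts that serve script to a
# page and flag any not on a reviewed allowlist. HTML and hosts are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed checkout page: a first-party script, a known analytics vendor,
# a host nobody has approved (protocol-relative URL), and an inline script.
CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://analytics.example-vendor.com/tracker.js"></script>
<script src="//cdn.unknown-host.example/lib.js"></script>
<script>window.__cfg = {api: "/pay"};</script>
</head><body><form id="payment"></form></body></html>
"""
PAGE_URL = "https://shop.example.com/checkout"
# Hosts the organisation has reviewed and approved (constructed placeholders).
ALLOWED_HOSTS = {"shop.example.com", "analytics.example-vendor.com"}


class ScriptCollector(HTMLParser):
    """Collect src attributes of <script> tags and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def script_hosts(html, page_url):
    """Hosts serving script to the page, plus the inline-script count.
    Relative and protocol-relative URLs resolve against the page URL."""
    c = ScriptCollector()
    c.feed(html)
    return {urlparse(urljoin(page_url, s)).hostname for s in c.srcs}, c.inline


def unapproved_hosts(html, page_url, allowed=ALLOWED_HOSTS):
    """Script hosts not on the allowlist: the 'unknown third-party code'."""
    hosts, _ = script_hosts(html, page_url)
    return sorted(h for h in hosts if h not in allowed)
```

Run periodically against the rendered page and diff the result against the previous inventory; a new host, or a jump in the inline-script count on a payment page, is the kind of change that deserves a look.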
RiskIQ is uniquely suited to help brands detect web-based attacks like Magecart, but there are a variety of other reasons why global visibility can protect your brand, customers, and employees:
…and it’s growing every day. We deployed our web-crawling infrastructure—which each day executes and analyzes more than 2 billion HTTP requests, takes in terabytes of passive DNS data, collects millions of SSL Certificates, and monitors millions of mobile apps—to map the scope of this digital attack surface over a two-week period.
RiskIQ observed 3,495,267 new domains (249,662 per day) and 77,252,098 new hosts (5,518,007 per day) across the internet over that two-week period, each representing a possible target for threat actors.
Modern websites are made up of many different elements—the underlying operating system, frameworks, third-party applications, plug-ins, trackers, etc., all designed to deliver a user experience that people have come to expect, as well as reduce the time to market and derive maximum value from user interactions. As in the PC environment, this commonality of approach is attractive to malicious actors as a successful exploit written for a vulnerability or exposure on one site can be reused across a large number of sites.
As an example, Content Management Systems (CMS) are popular amongst web developers for creating dynamic sites that are easy to maintain and update. Their ubiquity makes them a popular target for hackers as we’ve seen many times in the past. Over a two-week period our research found:
Common Vulnerabilities and Exposures (CVEs) are classified by severity on a scale of 1 to 10 using the Common Vulnerability Scoring System (CVSS), where 7 to 8.9 represent high vulnerabilities, and 9 to 10 represent critical vulnerabilities.
Focusing on these high and critical vulnerabilities, our research showed:
While some of these instances will have patches or other mitigating controls to prevent the identified vulnerabilities and exposures from being exploited, many will not.
Most organizations lack a complete view of their internet assets. In our dealings with new customers, we typically find 30 percent more assets than they thought they had. There are two significant contributors to this lack of visibility: shadow IT and mergers and acquisitions (M&A).
Where IT can’t keep pace with business requirements, the business looks elsewhere for support in the development and deployment of new web assets. The security team is frequently in the dark with regards to these shadow-IT activities and, as a result, cannot bring the created assets within the scope of their security program.
Unmanaged and, over time, orphaned assets form the Achilles heel of an organization’s digital attack surface. They are not regularly patched or security tested, and the operating systems, frameworks, and third-party applications of which they are comprised can quickly age and become vulnerable to common hacking tools.
When you merge with another company, their vulnerabilities become your vulnerabilities. Mergers and acquisitions often bring with them incomplete and inaccurate lists of public-facing digital assets that further exacerbate the problem.
Digital assets can be broken down into many different types, each with associated risks that must be understood and managed. Some of the key asset types are hosts, domains, websites, certificates, third-party applications, and third-party components.
To highlight the scope of the challenge large organizations face in defending their digital assets, we conducted research on the FT30 basket of companies. Summarizing the results, on average each organization has:
Some of these should be exposed on the internet, but in our experience many should not.
These assets comprise a large and complex digital attack surface that needs to be understood and actively managed to reduce the low-hanging fruit available for cybercriminals to exploit.
Hackers don’t have to compromise your assets to attack your organization or your customers.
Social engineering through impersonation remains a top tactic for threat actors. Impersonating domains, subdomains, landing pages, websites, mobile apps, and social media profiles are all used, many times in combination, to trick consumers and employees into giving up credentials and other personal information or installing malware.
In Q1 2018, RiskIQ identified 26,671 phishing domains impersonating 299 unique brands, 40 percent of which were financial services brands.
Phishing tactics have become increasingly sophisticated, often leveraging multiple digital elements, as we can see in our recent coverage of a MyEtherWallet phish: https://www.riskiq.com/blog/labs/myetherwallet-android/
Apart from their own assets, organizations must be on the lookout for impersonating or affiliating assets created to target their customers and employees. Early detection and takedown of infringing assets is one of the most effective ways of disrupting targeted campaigns.
You have much more to worry about than just the Apple and Google Play mobile app stores.
The general perception is that there are only a small number of mobile app stores, but the reality is somewhat different. There are a large number of secondary and affiliate stores, primarily serving the Android market, that give malicious actors an opportunity to compromise legitimate apps and launch fake apps, all the while hiding in the vastness of the app store ecosystem. Our Q1 2018 mobile app research revealed:
Organizations must do more to monitor the app store ecosystem and find the stores hosting their apps without permission and fraudulent apps impersonating their brand(s), in both app stores and across the web.
While spyware, ransomware, and other forms of malware still proliferate, cybercriminals are augmenting their activities by stealing computer resources. With the exponential growth in the value of cryptocurrencies, crypto mining is now a lucrative pursuit.
The primary challenge facing cryptocurrency prospectors is that mining requires an extreme level of computing power, which can be prohibitively expensive. Fundstrat reported that the cost of mining a single Bitcoin reached about $8,038, and the cost of mining other coins is not far behind. To get around this, actors are siphoning computing resources from unwitting users across the internet by hosting crypto-mining scripts on highly visited websites, where they execute in the web browsers of visitors to those sites. From our research we found:
Across the websites belonging to the FT30, we found 11 instances of cryptocurrency miners. Some of the crypto mining scripts we found have been active for over 160 days, suggesting that organizations are failing to detect them.
There’s good news for organizations, however, as there is now much more data available which can allow them to identify changes in attackers’ approaches and protect themselves before they become a target.
Traditionally, the security strategy of most organizations has been a defense-in-depth approach starting at the perimeter and layering back to the assets that should be protected.
However, there are disconnects between that kind of strategy and the digital attack surface as presented in this article. In today’s world of digital engagement, users sit outside the perimeter along with an increasing number of exposed corporate digital assets—and the majority of the malicious actors. As such, companies need to adopt security strategies that encompass this change.
Do you lack visibility into your organization’s internet-exposed attack surface? Contact us today for a personalized demo and find out what your company looks like to hackers as well as how your team can address threats like Magecart.