Executive Guardian
Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Like many of the conflicts that we see in the world today, the number of cyber threats has grown exponentially in size and scope, from within the confines of the firewall to traversing the whole internet.
Despite this sprawl, CISOs still spend significant money securing their perimeter, employing an average of 35 tools to do so. But this is mostly a reactive approach, and it no longer works. The problem is, in this new age of cyber attacks targeting organizations on the open internet, you can no longer wait for the threats to come to you.
Today, spotting cyber threats lurking around the internet requires high-level visibility.
Organizations finding success in cyber security are those investing in surveillance and reconnaissance tools that can show their digital attack surface appears to attackers, a collection of widely dispersed digital assets that can be exploited in a variety of ways.
Millions of these digital assets appear on the internet every day, most of which are entirely outside the scope of an organization’s security visibility. These can include legitimate items, but also threats like unknown websites, mobile apps that have been compromised to distribute malware, domain and brand infringement, unknown and unmonitored web components and dependencies, and imposter social media accounts.
Consider the recent breaches of Ticketmaster, British Airways, and Newegg by the credit card-skimming group Magecart.
In the case of the Ticketmaster breach, RiskIQ discovered it wasn’t an isolated incident but a worldwide campaign that affected tens of thousands of e-commerce sites executed by hacking widely used third-party analytics trackers. The affected brands had no visibility into the code running on their website, so they were unaware and powerless to protect their customers, many of which had their data stolen directly from the site as they input their payment information.
British Airways and Newegg were similarly vulnerable to web-based attacks. They were victimized by targeted attacks using unique skimmers that integrated with the victim’s payment system and blended with the infrastructure, staying there as long as possible. These attacks showed that they are not limited to specific geolocations or specific industries—any organization that processes payments online is a target. The elements of the British Airways attacks were all present in the attack on Newegg:
However, when brands understand what they look like from the outside in, they can begin developing a digital threat management program that allows them to discover everything associated with their organization on the internet, including third-party code on their site.
The tools providing insight and visibility into these assets leverage internet data to discover everything associated with an organization on the internet, both legitimate and malicious, and monitor them for compromise to help bring the massive scope of a digital attack surface into focus. With a wide-spanning, overhead view, organizations can take a proactive approach to defend their organizations and, if necessary, go on the offense against a threat rather than waiting to be breached.
RiskIQ’s network of web crawlers, which crawls more than two billion web pages a day, views and interacts with websites from the perspective of a user. It’s this unique perspective that allows us to detect web-based attacks like Magecart while no one else can.
When crawling a page, RiskIQ maps its structure and breaks it down to its smallest elements. This data is captured and stored in our massive databases to provide a point-in-time snapshot of how a page appears and functions, including its javascript. With this reference, we can observe changes, such as the addition of a Magecart skimmer, as they happen. It’s this proprietary historical data that allowed us to amend the official timeline of the Ticketmaster attack and prove that the Magecart skimmer was live on Newegg’s website for over a month.
Our researchers direct RiskIQ’s crawlers with custom detection policies they write while hunting for Magecart and taking note of their skimmers’ unique Javascript signatures. From the petabytes of data these crawls collect, RiskIQ builds out static indexes including passive DNS, SSL certificates, host pairs (redirects), and web components. Pivoting on these data sets allows us to uncover Magecart’s tactics and identify victims. For example, our Components data set shows us all the sites running a third-party analytics script compromised by Magecart, and our Host Pairs dataset shows relationships between websites running the Magecart skimmer.
RiskIQ is uniquely suited to help brands detect web-based attacks like magecart, but there are are a variety of other reasons having global visibility can protect your brand, customers, and employees:
…and it’s growing every day. We deployed our web-crawling infrastructure—which each day executes and analyzes more than 2 billion HTTP requests, takes in terabytes of passive DNS data, collects millions of SSL Certificates, and monitors millions of mobile apps—to map the scope of this digital attack surface over a two-week period.
RiskIQ observed 3,495,267 new domains (249,662 per day) and 77,252,098 new hosts (5,518,007 per day) across the internet over that two-week period, each representing a possible target for threat actors.
Modern websites are made up of many different elements—the underlying operating system, frameworks, third-party applications, plug-ins, trackers, etc., all designed to deliver a user experience that people have come to expect, as well as reduce the time to market and derive maximum value from user interactions. As in the PC environment, this commonality of approach is attractive to malicious actors as a successful exploit written for a vulnerability or exposure on one site can be reused across a large number of sites.
As an example, Content Management Systems (CMS) are popular amongst web developers for creating dynamic sites that are easy to maintain and update. Their ubiquity makes them a popular target for hackers as we’ve seen many times in the past. Over a two-week period our research found:
Common Vulnerabilities and Exposures (CVEs) are classified by severity on a scale of 1 to 10 using the Common Vulnerability Scoring System (CVSS), where 7 to 8.9 represent high vulnerabilities, and 9 to 10 represent critical vulnerabilities.
Focusing on these high and critical vulnerabilities, our research showed:
While some of these instances will have patches or other mitigating controls to prevent the identified vulnerabilities and exposures from being exploited, many will not.
Most organizations lack a complete view of their internet assets. In our dealings with new customers, we typically find 30 percent more assets than they thought they had. There are two significant contributors to this lack of visibility: shadow IT and mergers and acquisitions (M&A).
Where IT can’t keep pace with business requirements, the business looks elsewhere for support in the development and deployment of new web assets. The security team is frequently in the dark with regards to these shadow-IT activities and, as a result, cannot bring the created assets within the scope of their security program.
Unmanaged and over time, orphaned assets form the Achilles heel of an organization’s digital attack surface. They are not regularly patched or security tested, and the operating systems, frameworks, and third-party applications of which they are comprised can quickly age and become vulnerable to common hacking tools.
When you merge with another company, their vulnerabilities become your vulnerabilities. Mergers and acquisitions often bring with them incomplete and inaccurate lists of public-facing digital assets that further exacerbate the problem.
Digital assets can be broken down into many different types, each with associated risks that must be understood and managed. Some of the key asset types are hosts, domains, websites, certificates, third-party applications, and third-party components.
To highlight the scope of the challenge large organizations face in defending their digital assets, we conducted research on the FT30 basket of companies. Summarizing the results, on average each organization has:
Some of these should be exposed on the internet but in our experience, many should not.
These assets comprise a large and complex digital attack surface that needs to be understood and actively managed to reduce the low-hanging fruit available for cybercriminals to exploit.
Hackers don’t have to compromise your assets to attack your organization or your customers.
Social engineering through impersonation remains a top tactic for threat actors. Impersonating domains, subdomains, landing pages, websites, mobile apps, and social media profiles are all used, many times in combination, to trick consumers and employees into giving up credentials and other personal information or installing malware.
In Q1 2018, RiskIQ identified 26,671 phishing domains impersonating 299 unique brands, 40 percent of which were financial services brands.
Phishing tactics have become increasingly sophisticated, often leveraging multiple digital elements. as we can see in our recent coverage of a MyEtherWallet phish: https://www.riskiq.com/blog/labs/ myetherwallet-android/
Apart from their own assets, organizations must be on the lookout for impersonating or affiliating assets created to target their customers and employees. Early detection and takedown of infringing assets are one of the most effective ways of disrupting targeted campaigns.
You have much more to worry about than just the Apple and Google Play mobile app stores.
The general perception is that there are a small number of mobile app stores but the reality is somewhat different. There are a large number of secondary and affiliate stores primarily serving the Android market which provide an opportunity for malicious actors to compromise legitimate apps and launch fake apps, all the while hiding in the vastness of the app store ecosystem. Our Q1 2018 mobile app research revealed:
Organizations must do more to monitor the app store ecosystem and find the stores hosting their apps without permission and fraudulent apps impersonating their brand(s), in both app stores and across the web.
While spyware, ransomware, and other forms of malware still proliferate, cybercriminals are augmenting their activities by stealing computer resources. With the exponential growth in the value of cryptocurrencies, crypto mining is now a lucrative pursuit.
The primary challenge facing cryptocurrency prospectors is that mining requires an extreme level of computing power, which can be prohibitively expensive. Fundstrat reported that the cost of mining a single Bitcoin reached about $8,038, and the cost of mining other coins are not far behind. To get around it, actors are siphoning computing resources from unwitting users across the internet; hosting crypto-mining scripts on the websites of highly visited sites, which then execute in the web browsers of visitors to those sites. From our research we found:
Across the websites belonging to the FT30, we found 11 instances of cryptocurrency miners. Some of the crypto mining scripts we found have been active for over 160 days, suggesting that organizations are failing to detect them.
There’s good news for organizations, however, as there is now much more data available which can allow them to identify changes in attackers’ approaches and protect themselves before they become a target.
Traditionally, the security strategy of most organizations has been a defense-in-depth approach starting at the perimeter and layering back to the assets that should be protected.
However, there are disconnects between that kind of strategy and the digital attack surface as presented in this article. In today’s world of digital engagement, users sit outside the perimeter along with an increasing number of exposed corporate digital assets—and the majority of the malicious actors. As such, companies need to adopt security strategies that encompass this change.
Do you lack visibility into your organization’s internet-exposed attack surface? Contact us today for a personalized demo and find out what your company looks like to hackers as well as how your team can address threats like Magecart.
RiskIQFollow
The latest episode of SwigCast is out! We tackle card skimmers and the evolution of Magecart with @RiskIQ technical director Terry Bishop https://t.co/l2FyILwTHq
We're here at Pittsburgh Information Security Awareness Day, chatting with western Pennsylvania #infosec pros about Attack Surface Management! Read all about this great event here: https://t.co/YusL3t5fGQ
Our #CTO Adam Hunt discusses the trend of businesses expanding their online presence quicker than their infrastructure can be secured in the most recent issue of @TodaysBoardroom (p.28) https://t.co/SY7pgpUu1o
Dan Schoenbaum, President of @RiskIQ strongly believes in taking the responsibility seriously for protecting the customers from cyber-attacks. Read more https://t.co/mKKg0cbHEi #cyber #CybersecurityNews #cybersecurity #cybersecurite #digitalart #Digital
@RiskIQ World Leader in attack surface management, was secured a place in the list of "30 Great Places to Work 2019" by #CIO_Bulletin https://t.co/voJ0bkKNIv