Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
2018 Holiday Shopping Season Threat Activity: A Snapshot
The 2018 holiday shopping season was the largest ever for online retailers, but threat actors filled their pockets, too.
So what did the threat activity around this shopping frenzy look like?
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
The internet is still a lot like the wild west—outlaws and bandits running amok with little standing in their way of a lucrative plunder. And, unfortunately, in my analogy, security researchers like me are often the overwhelmed Sheriff just trying to keep the peace.
Bad guys intrinsically have the advantage in today’s threat landscape—they’re the ones on the offensive and have an arsenal of different techniques to cover up their identities and locations at their disposal. Meanwhile, the good guys, vastly outnumbered, are stuck trying to figure out every possible move (of a nearly infinite variety) they may try next.
So here’s the forehead-slapping question: Why do we keep giving the bad guys free or incredibly cheap resources to abuse? Today, people can register domains for nothing to practically nothing—and unsurprisingly, rampant free domain abuse is the result.
How RiskIQ detects it
Observe this RiskIQ web crawl featuring an EITest Malicious Flash Redirector Injection:
Fig-1 An EITest Malicious Flash Redirector inside the RiskIQ app
Inside, we see a compromised website, Venice.com.br, and an injected top-level domain (TLD) FUMC.ML. The TLD is from Freenom, the world’s first provider (Registrar) to give free domain names away. Freenom may fancy itself the Robin Hood of domains, helping the less fortunate get a custom domain or email address, but in reality, it’s the more unsavory set benefiting from its efforts.
To continue my analogy, imagine a completely unprotected train full of gold bars chugging toward our outlaw-infested town. That’s what free domain providers like Freenom are to threat actors on the internet. The price chart below shows how anyone can register a variety of top-level domain names for free as long as they have a valid email address:
Fig-2 Freenom pricing list
Looking at the RiskIQ data above, we can see free domain abuse has been rising since around the end of life of Angler, which happened on June 7th. We’re now seeing this activity ultimately lead to Neutrino EK.
Fig-3 Domain abuse is on the rise
RiskIQ is uniquely equipped to shift the balance of power to the good guys by uncovering the infrastructure of these domain abusers. Inside PassiveTotal, we queried the example domain’s IP address, 188.8.131.52, to see anything else related to the IP:
Fig-4 Some of the 830 domains linking to the sample IP
There you have it; 839 unique domains to be exact linking to the IP, each registered through Freenom and blacklisted by RiskIQ.
Horrifyingly, this is just one IP from one example of free domain abuse. There’s a vast array of nefarious possibilities when it comes to using these. Handing out additional resources to threat actors to make a living abusing the system is not my idea of a fair deal.
As seen above, security professionals can use PassiveTotal analyze these domain abusers’ infrastructure to better understand their intentions and capabilities. This richer intelligence during incident investigations will help you overcome challenges in discovering and proactively block threats related to nefarious domains.
Questions? Feedback? Email firstname.lastname@example.org to contact our research team.
The #Magecart supply-chain attack frenzy continues with AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS, and Picreel falling victim https://t.co/b7UWqL2PzW #BrowserThreats
Regarding Forbes: the skimmer was customized for Forbes, it wasn't an automated attack. Here's the rest of the infrastructure (not just for Forbes) they've been setting it up since January:
Fascinating learning about the cyber attacker's playbook from Yonathan Klijnsma: step 1: gain entry. 2. more reconnaissance 3. Theft, then profit #transportsecurity #TSC
Today at the #TransportSecurityCongress, RiskIQ's
@ydklijnsma spoke about the #Magecart breach of British Airways, which you can read more about here: https://t.co/cPqEqVVllj (Photo credit @SmartRailNews)
Context is everything! Here's how using Tags and Classifications in @RiskIQ PassiveTotal can get your team aligned and supercharge your investigations https://t.co/Wk5OfBZPu2 #ThreatHunting