External Threat Management Labs

RiskIQ Surfaces Domain Impersonation Targeting Saudi Government Ministries

Recently, RiskIQ's suspicious domain classifier surfaced several Google Analytics typosquatting domains. One, in particular, led RiskIQ's research team to a phishing campaign impersonating Saudi Arabian government websites.

Based on infrastructure overlap in RiskIQ's Internet Intelligence Graph, our researchers determined that the campaign is connected to a previous research report from March of 2019, which outlined a phishing campaign against the Saudi Arabian government it dubbed Bad Tidings. According to the research—and corroborated by RiskIQ's data—the Bad Tidings campaign dates as far back as 2017.

The activity behind the new infrastructure found by RiskIQ appears to be a follow-on to the Bad Tidings campaign and has been ongoing since the middle of 2019. Based on our analysis of the domain infrastructure used in this new crop of attacks, the attackers appear to be impersonating several organizations, including the Saudi ministries of the interior, foreign affairs, and labor and social development. They are also impersonating the Enjazit e-visa platform and the Absher mobile app, which allows Saudi citizens to access government services.

Host Pairs Match Domains with Their Relatives

RiskIQ's investigation started with the typosquatting domain googleanalytics[.]world, which was first surfaced by RiskIQ systems. Our Internet Intelligence Graph connected this domain to an IP address hosting multiple domains and hosts impersonating the Ministry of the Interior (MOI) and the Ministry of Foreign Affairs web portals and e-visa services.

Pulling this thread further, RiskIQ researchers tapped our unique Host Pairs data set for the official Ministry of the Interior website, which shows multiple relationships to suspicious infrastructure from March through July of 2019. What makes Host Pairs powerful is its ability to help analysts understand relationships between two domains (a parent and a child) that share (or previously shared) a connection observed from a RiskIQ crawl. The connection could range from a top-level redirect (HTTP 302) to something more complex, like an iframe or script source reference.

In this case, Host Pairs shows that this initial IP hosting googleanalytics[.]world also had a parent/child relationship for one day, July 1, 2019, with the legitimate Ministry of the Interior website.
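The parent/child relationship described above can be derived from a single crawled response. The following is an added example, not RiskIQ's code: the function name `host_pairs`, the set of tags inspected, and the `.example` hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch from another host.
REFERENCE_ATTRS = {("script", "src"), ("iframe", "src"), ("img", "src"), ("link", "href")}


class _RefCollector(HTMLParser):
    """Collect (cause, url) for every resource reference in a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in REFERENCE_ATTRS:
                self.refs.append((f"{tag}.{name}", value))


def host_pairs(page_url, status, headers, body):
    """Return sorted (parent, child, cause) tuples for one crawled response."""
    parent = urlsplit(page_url).hostname
    refs = []
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        refs.append(("redirect", headers["Location"]))
    collector = _RefCollector()
    collector.feed(body)
    refs.extend(collector.refs)
    pairs = set()
    for cause, ref in refs:
        child = urlsplit(urljoin(page_url, ref)).hostname  # resolve relative URLs
        if child and child != parent:
            pairs.add((parent, child, cause))
    return sorted(pairs)


# Constructed crawl capture; hostnames use the reserved .example TLD.
SAMPLE_BODY = """<html><head>
<script src="/js/site.js"></script>
<script src="https://stats.lookalike.example/a.js"></script>
</head><body><iframe src="//portal.lookalike.example/login"></iframe></body></html>"""

if __name__ == "__main__":
    for pair in host_pairs("https://www.ministry.example/", 200, {}, SAMPLE_BODY):
        print(pair)
```

Run against your own site's pages over time, a child host that appears for a single day, as in the case above, stands out as a change worth investigating.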

Cookies Find Similarities Baked into Infrastructure

RiskIQ researchers also used RiskIQ's indexed cookie name data to identify additional sites associated with this phishing campaign, many of which purported to be for visa services. When RiskIQ crawls a web page, cookies are automatically saved from the crawl session. This data set includes the cookie name, value, and several other metadata properties. 

RiskIQ Threat Intelligence Portal users have seen countless examples of RiskIQ cookie data expanding infrastructure associated with threat campaigns and APTs to surface new IOCs, including our analysis of the Donot Android espionage group and the Roaming Tiger APT.

Web Crawling Illuminates Threat Campaigns 

For more than ten years, RiskIQ has been crawling and absorbing the internet to define the web's identity and composition by fingerprinting each component, connection, service, IP-connected device, and infrastructure to show customers how they—and attackers targeting them—fit within it.

These systems also capture the Document Object Model (DOM) for each page. Analyzing crawl data for the original typosquatting domain, researchers compared the MD5 hash for a JavaScript file found in the domain's DOM against RiskIQ's resource index. It surfaced additional URLs in which that same JavaScript file has appeared.

Analysis of the client.min.js file shows that this code profiles and fingerprints victims browsing the sites, capturing information from visitors to the site, including IP address, city, region, country, geolocation, ASN, browser user agent string, and operating system. The code also assigns the victim a unique identifier to note when someone has already visited the site.
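The cookie-name pivot and the script-hash pivot described in the two sections above work the same way: invert the crawl data and look for hosts that share a rare attribute with a known host. This added example (not RiskIQ's code) combines both; the crawl records, the cookie name `vis_uid`, and the `max_hosts` rarity threshold are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed crawl records: host -> cookie names seen and script bodies fetched.
CRAWLS = {
    "seed.lookalike.example": {"cookies": {"PHPSESSID", "vis_uid"}, "scripts": [b"fp();/*profiler*/"]},
    "evisa.lookalike.example": {"cookies": {"PHPSESSID", "vis_uid"}, "scripts": [b"menu();"]},
    "portal.lookalike.example": {"cookies": {"lang"}, "scripts": [b"fp();/*profiler*/"]},
    "shop.unrelated.example": {"cookies": {"PHPSESSID"}, "scripts": [b"cart();"]},
    "blog.unrelated.example": {"cookies": {"PHPSESSID", "lang"}, "scripts": [b"nav();"]},
}


def build_index(crawls):
    """Invert crawl records into attribute -> set of hosts that exhibited it."""
    index = defaultdict(set)
    for host, rec in crawls.items():
        for name in rec["cookies"]:
            index[("cookie", name)].add(host)
        for body in rec["scripts"]:
            # MD5 serves only as a file identity key here, as on the page.
            index[("md5", hashlib.md5(body).hexdigest())].add(host)
    return index


def pivot(seed, crawls, max_hosts=2):
    """Map each host sharing a rare attribute with seed to the kinds shared.

    Attributes seen on more than max_hosts hosts (framework defaults such as
    PHPSESSID) are skipped because they link unrelated sites.
    """
    index = build_index(crawls)
    related = defaultdict(list)
    for attr, hosts in index.items():
        if seed in hosts and len(hosts) <= max_hosts:
            for other in hosts - {seed}:
                related[other].append(attr[0])
    return {host: sorted(kinds) for host, kinds in related.items()}


if __name__ == "__main__":
    print(pivot("seed.lookalike.example", CRAWLS))
```

Raising `max_hosts` until the framework-default cookie qualifies pulls the unrelated hosts into the result, which is why the rarity filter matters when pivoting on cookie names.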

Tapping the Intelligence Graph

The modern web is an elaborate graph of dependent requests made up of images, code libraries, page content, and other references. Every day, RiskIQ's crawling technology makes nearly two billion HTTP requests online and databases the contents. 

Having access to the infrastructure that comprises the web helps analysts note similarities between threat campaigns and observable behavior by threat actors to track them. Starting with the unique data sets in RiskIQ PassiveTotal built upon RiskIQ's Internet Intelligence Graph, analysts can quickly enumerate infrastructure related to seemingly disparate campaigns to paint a vivid picture of the threat landscape targeting their organization.

To read the full report and explore the comprehensive list of IOCs, visit the Threat Intelligence Portal in RiskIQ PassiveTotal. Sign up with a corporate email address for a free month of enterprise access.
