Hackers are Bridging the Gap Between Web and Mobile

External Threat Management

Hackers are Bridging the Gap Between Web and Mobile

December 04, 2014

By Peter Zavlaris

Cyber criminals have been developing new techniques designed to target smartphones and tablets. These attackers can earn hefty paydays for freshly harvested, mobile-based data as many users store valuable information in mobile apps or on their mobile devices.

"[mobile] is the jackpot when it comes to valuable data, so obviously bad guys are doing a lot of work to get at it," says Jeremy Linden, Security Product Manager at security firm Lookout, in a recent Security Week article.

The author of the article also discusses findings by Lookout, which has been tracking the mobile-based malware known as NotCompatible. NotCompatible is designed to enslave host mobile devices in order to generate an army of zombie machines, commonly referred to as a botnet.

The article states that the most common way for NotCompatible to get onto a smartphone is when the victim visits a legitimate mobile website that's been hacked. In essentially the same way web-based malware is spread, this malware secretly infects unsuspecting victims who were just visiting the wrong site at the wrong time.

From a security perspective, mobile websites are essentially regular websites but reformatted in order to be delivered on mobile devices instead of desktops and laptops. Mobile web browsers still rely on markup languages like HTML for serving up pages.

In typical website-based attacks, the goal is to manipulate the process by which the browser renders the DOM (webpage) by injecting malicious scripts into the process. Malware can be served up directly via malicious files, applets, .exes or via injected scripts causing website redirects to malicious URLs hosting drive-by downloadable malware.

Redirects to drive-by downloads were used to spread Svpeng malware, arguably the most dangerous mobile banking Trojan to date.

In the case of NotCompatible, the initial infection started on legitimate websites, which led to infrastructure hosting drive-by download malware designed to look like regular software updates that prompted victims to perform an install. Only instead of updating software, they were actually installing malware.

Brand-name websites can provide the best regular and mobile-based malware distribution targets because of their high traffic volumes due to their notoriety. Major brands also typically own many online assets that generate a higher percentage of potentially vulnerable websites and mobile applications to target.

It is getting harder and harder for enterprises to track and manage all their web assets, leading to repeated compromises that can often be of sites they aren't even aware of. Websites are also at risk from the third-party code libraries being pulled in to prop up most large websites. This creates additional attack vectors, as was the case with the recent Syrian Electronic Army attack using Gigya to hack major brand name websites like CNBC.com, The Independent and NHL.com. The good news is that the entire campaign is at risk during the mass distribution phase. It's only after it's reached its target, in this case the end users, that most modern malware becomes difficult to detect (until its too late).

RiskIQ for Web is designed to detect embedded malware while it's attempting to infect site visitors. The RiskIQ technology platform does this by sending out a massive army of automated, virtual users around the globe that are configured to look and act like real human on devices. Each virtual user can emulate a computer or smartphone. Their purpose is to experience our customer's websites as a real user would. If they become infected during a scan, they can pinpoint the source of the infection by capturing the DOM and rebuilding the causality chain. Simultaneously, our system will either alert our customers' security teams or take a predetermined action in order to eliminate the threat.

The most successful attackers will target websites, which, for various reasons, may be hidden from the brand they belong to. RiskIQ real-time asset discovery within the RiskIQ for Web bundle allows us to uncover troves of previously unknown websites that could be utilized to levy attacks. Typically, they're somehow tied to the brand's domain, ASN or bare markings like logos and trademarks associated with the brand.

RiskIQ customers can quickly and easily lower the risk of malware campaigns leveraging their assets. In the process they can stem the spread of harmful malware by protecting those that leverage their web assets the most: customers and employees.

Featured Posts

External Threat Management | Labs

Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian he...

Joining Microsoft is the Next Stage of the RiskIQ Journey

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more ...

Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appea...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

Forrester Wave: External Threat Intelligence Services, Q1 2021

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

Five Security Intelligence Must-Haves For Next-Gen Attack Surface Management

Threat Investigations and Response RiskIQ Solution Brief

Illuminate One-Hour On-Demand Event