A large-scale takeover of major brand-name websites, including NBC.com, The Independent and NHL.com, was recently exposed. The cyber threat actor responsible was the infamous Syrian Electronic Army (SEA). The SEA did not hack NBC or any of the other affected organizations directly; instead, it hijacked the DNS records of a shared vendor. The vendor, a company called Gigya, specializes in identity management and offers a third-party code library that website developers can install on their sites. The result was that traffic was redirected to a .js file notifying site visitors that the SEA was now in control of the site.
Gigya’s service is a customer identity management platform that lets site visitors access sections of websites that are typically password protected without having to log in again each time.
Instead of attacking Gigya’s code library, the SEA hijacked Gigya’s DNS entry at GoDaddy. From there, they redirected Gigya’s content delivery network (CDN) hostname to infrastructure controlled by the SEA, which hosted a .js file displaying a message that the website had been hacked.
The exact motive and end game of this attack are still being debated. However, the result is a black eye for the websites affected and yet another example of a breakdown in the virtual supply chain that many large websites have come to rely on.
Gigya’s weakness became the weakness of its customers, which happened to include many of the world’s largest and most influential websites. By taking over the DNS entry of Gigya, a third-party vendor, cyber thieves took control of visitors’ browsing sessions. Every time a webpage loaded a script from Gigya’s CDN URL, end users were instead routed to SEA-controlled infrastructure.
Internet security is never certain or ironclad; it is an ongoing process, with many cyber threat actors investing heavily in exploiting every facet of it. There was nothing unique about Gigya other than its customer base. All any cyber thief would need to perform the same type of hack is a set of login credentials for the vendor’s DNS account.
Many other third-party controlled code libraries exist; some belong to startups, some are open-source based, and some are small parts of major enterprise organizations. Most of their services are hosted and served off-premises on a cloud-based SaaS platform. The web developers who use these services have no insight into the security practices of each of these organizations; they pull third-party code into their visitors’ web sessions at their own peril.
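One way a site operator can watch for the kind of drift described above, without insight into the vendor's own security, is to record a baseline for each third-party script hostname (expected CNAME, expected address ranges, hash of the known-good script body) and re-check it on a schedule. The following is an added example written for this post, not RiskIQ's or Gigya's code; every hostname, address and script body in it is constructed.

```python
# Added example (not RiskIQ's code): flag drift in a third-party script dependency
# by comparing the vendor hostname's DNS answers and the script body against a
# recorded baseline. All hostnames, addresses and script bodies are constructed.
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Baseline:
    host: str                 # third-party hostname the page embeds
    cname: Optional[str]      # expected CNAME target (the vendor's CDN), if any
    networks: List[str]       # CIDR ranges the A records are expected to fall in
    sha256: str               # hash of the known-good script body

@dataclass
class Observation:
    cname: Optional[str]      # CNAME answer seen at check time
    a_records: List[str]      # A answers seen at check time
    body: bytes               # script body fetched at check time

def check_drift(base: Baseline, obs: Observation) -> List[str]:
    """Return a list of findings; an empty list means no drift was detected."""
    findings = []
    if obs.cname != base.cname:
        findings.append(f"CNAME changed: {base.cname!r} -> {obs.cname!r}")
    nets = [ipaddress.ip_network(n) for n in base.networks]
    for ip in obs.a_records:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append(f"A record {ip} is outside the expected networks")
    digest = hashlib.sha256(obs.body).hexdigest()
    if digest != base.sha256:
        findings.append(f"script body changed: {base.sha256[:12]} -> {digest[:12]}")
    return findings

# Constructed sample data: a known-good script and the baseline recorded for it.
GOOD_SCRIPT = b"window.vendorSso = function () { /* legitimate login widget */ };"
BASELINE = Baseline(
    host="cdn.vendor.example",
    cname="edge.vendor-cdn.example.",
    networks=["203.0.113.0/24"],
    sha256=hashlib.sha256(GOOD_SCRIPT).hexdigest(),
)
# Unchanged deployment: same CNAME, address in range, same body.
OBS_CLEAN = Observation("edge.vendor-cdn.example.", ["203.0.113.10"], GOOD_SCRIPT)
# DNS pointed elsewhere and serving a defacement message instead of the widget.
OBS_HIJACKED = Observation("defaced.attacker.example.", ["198.51.100.7"],
                           b"alert('This site has been hacked');")
```

Run `check_drift(BASELINE, OBS_CLEAN)` to get an empty list and `check_drift(BASELINE, OBS_HIJACKED)` to get three findings; in practice the observation would be filled from a live resolver and an HTTP fetch, and any non-empty result should raise an alert.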
The reality is that security experts have very little visibility into what is truly happening, session by session, to site visitors. There just aren’t many tools for this. And there are treasure troves of valuable data to pilfer from individual computers, smartphones and tablets. Therefore, innovations are being made, just on the wrong side!
In the SEA attack, the .js file could just as easily have been a piece of malware, spread to thousands or even millions of visitors before being detected.
RiskIQ’s suite of enterprise services is designed to address this cyber threat. RiskIQ for Web detects embedded malware while it is attempting to infect site visitors. We do this by sending out a massive army of virtual users configured to look and act like real human users on devices.
Each virtual user can emulate a computer or smartphone. Their purpose is to experience live websites as a real user would. If they become infected during a scan, they pinpoint the source of the infection using full DOM capture to recreate the infection and rebuild the causality chain for forensic purposes.
In the SEA attack, the affected brands could have set up alerts through the real-time asset discovery tool in our RiskIQ for Web product. More importantly, if and when an attack like this is used to spread dangerous malware, our virtual users would detect it and take pre-determined actions to eliminate the cyber threat.
For more information on the details of the account and RiskIQ’s take on it, see here.