Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
February 24, 2017, Mike Browning
Polish banking establishments have been under siege by threat actors installing unauthorized code on their websites and using those sites against the computer systems of global monetary institutions. According to a report by the Wall Street Journal, these attacks are part of a larger international hacking effort targeting financial institutions within the U.S., Mexico, and the United Kingdom—an attack that shares traits with the 2014 assault on Sony Corp linked to the Lazarus Group.
A preliminary investigation by BadCyber suggests that the starting point for the infection could have been located on the web server of Polish financial sector regulatory body, Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious payloads on selected targets.
The investigation used PassiveTotal, which generates its unique Host Pairs data set when RiskIQ crawling infrastructure identifies references or redirections on a page to other websites, to confirm that the attack originated from external sources. Below, under the “Host Pairs” tab in PassiveTotal, you can see RiskIQ crawlers observed the KNF website pointing to the malicious URLS “[http]://www[.]sap.misapor.ch/vishop/view.jsp?pagenum=1″ and “https://www[.]eye-watch.in/design/fancybox/Pnf.action” via an iframe:
Fig-1 Host Pairs show the KNF.gov website referencing two URLs cited as malicious by BadCyber
Host pair connections can range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference. What makes this data set powerful is the ability to understand relationships between hosts based on details from visiting the actual page. Host Pairs relies on knowing web site content, so it’s likely to surface different values that other sources like passive DNS and SSL certificates do not.
RiskIQ’s web-crawling infrastructure captured the iframe in question here:
Fig-2 Malicious iframe captured by RiskIQ’s crawling infrastructure redirecting traffic to malicious URLs
Since our inception, RiskIQ has been gathering petabytes of passive DNS and WHOIS data, and through our crawling of the entire internet, have amassed data sets that include SSL certificates, newly observed domains, web and analytics trackers, mobile apps, Host Pairs, and web components. These data sets can be used by security professionals and threat analysts to connect the dots between threat infrastructure and understand the attack vectors and patterns used by attackers.
To test these data sets out, sign up for RiskIQ Community Edition today.