RiskIQ’s ‘Host Pairs’ Data Set Confirms Attack on Polish Banking Institutions

February 24, 2017, Mike Browning

Polish banking establishments have been under siege by threat actors installing unauthorized code on their websites and using those sites against the computer systems of global monetary institutions. According to a report by the Wall Street Journal, these attacks are part of a larger international hacking effort targeting financial institutions within the U.S., Mexico, and the United Kingdom—an attack that shares traits with the 2014 assault on Sony Corp linked to the Lazarus Group.

A preliminary investigation by BadCyber suggests that the starting point for the infection could have been located on the web server of Polish financial sector regulatory body, Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious payloads on selected targets.

The investigation used PassiveTotal, which generates its unique Host Pairs data set when RiskIQ crawling infrastructure identifies references or redirections on a page to other websites, to confirm that the attack originated from external sources. Below, under the “Host Pairs” tab in PassiveTotal, you can see RiskIQ crawlers observed the KNF website pointing to the malicious URLS “[http]://www[.]sap.misapor.ch/vishop/view.jsp?pagenum=1″ and  “https://www[.]eye-watch.in/design/fancybox/Pnf.action” via an iframe:

RiskIQ's Host Pairs dataset confirmed that the attacks against Polish banking institutions originated from external sources.

Fig-1 Host Pairs show the KNF.gov website referencing two URLs cited as malicious by BadCyber

Host pair connections can range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference. What makes this data set powerful is the ability to understand relationships between hosts based on details from visiting the actual page. Host Pairs relies on knowing web site content, so it’s likely to surface different values that other sources like passive DNS and SSL certificates do not.

RiskIQ’s web-crawling infrastructure captured the iframe in question here:

RiskIQ's Host Pairs dataset confirmed that the attacks against Polish banking institutions originated from external sources.

Fig-2 Malicious iframe captured by RiskIQ’s crawling infrastructure redirecting traffic to malicious URLs

Why RiskIQ?

Since our inception, RiskIQ has been gathering petabytes of passive DNS and WHOIS data, and through our crawling of the entire internet, have amassed data sets that include SSL certificates, newly observed domains, web and analytics trackers, mobile apps, Host Pairs, and web components. These data sets can be used by security professionals and threat analysts to connect the dots between threat infrastructure and understand the attack vectors and patterns used by attackers.

To test these data sets out, sign up for RiskIQ Community Edition today

Share This