Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Polish banking establishments have been under siege by threat actors installing unauthorized code on their websites and using those sites against the computer systems of global monetary institutions. According to a report by the Wall Street Journal, these attacks are part of a larger international hacking effort targeting financial institutions within the U.S., Mexico, and the United Kingdom—an attack that shares traits with the 2014 assault on Sony Corp linked to the Lazarus Group.
A preliminary investigation by BadCyber suggests that the starting point for the infection could have been located on the web server of Polish financial sector regulatory body, Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious payloads on selected targets.
The investigation used PassiveTotal, which generates its unique Host Pairs data set when RiskIQ crawling infrastructure identifies references or redirections on a page to other websites, to confirm that the attack originated from external sources. Below, under the “Host Pairs” tab in PassiveTotal, you can see RiskIQ crawlers observed the KNF website pointing to the malicious URLS “[http]://www[.]sap.misapor.ch/vishop/view.jsp?pagenum=1″ and “https://www[.]eye-watch.in/design/fancybox/Pnf.action” via an iframe:
Fig-1 Host Pairs show the KNF.gov website referencing two URLs cited as malicious by BadCyber
Host pair connections can range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference. What makes this data set powerful is the ability to understand relationships between hosts based on details from visiting the actual page. Host Pairs relies on knowing web site content, so it’s likely to surface different values that other sources like passive DNS and SSL certificates do not.
RiskIQ’s web-crawling infrastructure captured the iframe in question here:
Fig-2 Malicious iframe captured by RiskIQ’s crawling infrastructure redirecting traffic to malicious URLs
Since our inception, RiskIQ has been gathering petabytes of passive DNS and WHOIS data, and through our crawling of the entire internet, have amassed data sets that include SSL certificates, newly observed domains, web and analytics trackers, mobile apps, Host Pairs, and web components. These data sets can be used by security professionals and threat analysts to connect the dots between threat infrastructure and understand the attack vectors and patterns used by attackers.
To test these data sets out, sign up for RiskIQ Community Edition today.
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.
🛡️#CyberSecurityBrief #Alert: @FTC Refunds Victims Of @OfficeDepot Tech Support Scam via @BleepinComputer @AthertonLab #CyberSecurity #InfoSec #Malware #Ransomware #DDoS #DataBreach #ITsecurity #CyberThreats #CloudSecurity #CyberSecurityInsights https://cybersecurityinsights.substack.com/p/your-friday-morning-cybersecurity?r=63k3&utm_campaign=post&utm_medium=web&utm_source=twitter
At #RSAC2020, stop by the @CrowdStrike booth on Tuesday at 11:30 to see the RiskIQ Illuminate app in action! It analyzes CrowdStrike endpoint coverage and compares it to RiskIQ's unmatched external data to provide a 360-degree view of your attack surface: https://bit.ly/2ujagwt
Credit Card Skimmer Found on Nine Sites, Researchers Ignored - by @Ionut_Ilascu
Looking for plans in San Francisco Monday night during #RSAC 2020? You're invited to party with RiskIQ at IGNITE, hosted by @FlashpointIntel! RSVP today: https://bit.ly/2R1SPJe