In the days following the initial discovery of the RIG exploit kit on jQuery.com, RiskIQ has been working directly with the jQuery Foundation to help them confirm the incident. Today (September 24, 2014) jQuery reported the incident on Twitter and confirmed that a compromise had taken place. There are also outside reports that a defacement took place, and this claim has been confirmed by several sources. In a screenshot posted by Reddit user etbusch, a line from the defacement displayed on the API documentation site (api.jquery.com) reads: “I’m looking for a new job, I’m so sorry for this experiment with iframe, no one was injured, all files was permanently deleted.”
This seems to indicate that the original attacker posted that message, along with his public key, as a last-ditch effort. However, there is no hard proof that this individual was the one who originally injected the script tags. Because api.jquery.com is hosted on the same server as jquery.com, the two incidents are likely related.
The purpose of going public with the discovery when RiskIQ did was to ensure that the problems were resolved before more harm could be done. One of the main concerns is that users visiting jQuery.com tend to be individuals with privileged access to vital systems, which increased the urgency of alerting them.
We felt that, although jQuery confirmed the incident, it was important to give all jQuery.com users a chance to check their systems. Once again, the following is RiskIQ’s recommendation for remediating an infected system:
RiskIQ was certain of the attack because of the consistency of the information collected by our virtualized user system during its web crawl, as well as our extensive analysis of the exploit kits themselves. RiskIQ virtual users mimic customer interaction on a global scale to detect risk to your customers and brand from the Outside the Firewall perspective. During a web crawl on the day of the incident, RiskIQ detected an attempt to exploit our web crawler. Because we save the raw content we receive from the websites we browse, we were able to determine definitively that it came from jQuery.com. We verified these findings with several Fortune 100 companies that had seen the jquery-cdn.com domain with a referrer of jquery.com in their proxy logs:
Specifically, we saw an injected script tag on the main site that loaded an iframe, which in turn redirected to the exploit kit. The domain used to redirect users to the malware was jquery-cdn[.]com. It was stood up the day the attack was injected and was hosted in Eastern Europe. To be clear, the jQuery team does not own this domain, and it is not their CDN for serving the library.
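The proxy-log check described above, written out as an added example (not RiskIQ's or jQuery's tooling): it flags requests to brand-squatting hosts such as jquery-cdn.com and third-party resources fetched with a referrer of jquery.com. The log layout, the allowlist of legitimate jQuery hosts and all log lines are constructed assumptions for this example.

```python
from urllib.parse import urlparse

# Hosts the jQuery project legitimately serves content from (assumed
# allowlist for this example; extend it for your own environment).
LEGIT_JQUERY_HOSTS = {"jquery.com", "api.jquery.com", "code.jquery.com"}

# Constructed proxy log lines (not from the post), whitespace-separated:
# epoch_time client_ip method url referer ("-" when absent)
SAMPLE_LOG = """\
1411516800.123 10.0.0.5 GET http://jquery.com/ -
1411516800.456 10.0.0.5 GET http://jquery-cdn.com/js/jquery-1.11.0.min.js http://jquery.com/
1411516801.001 10.0.0.7 GET http://code.jquery.com/jquery-1.11.0.min.js http://example.org/
1411516802.200 10.0.0.9 GET http://cdn.example.net/lib.js http://jquery.com/
1411516803.300 10.0.0.9 GET http://jquery-cdn.com/ -
"""

def parse_line(line):
    """Split one log line into (client, url_host, referer_host); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, client, _, url, referer = parts
    url_host = urlparse(url).hostname or ""
    ref_host = urlparse(referer).hostname if referer != "-" else None
    return client, url_host, ref_host

def classify(url_host, ref_host):
    """Return a reason string if the request is suspicious, else None."""
    if "jquery" in url_host and url_host not in LEGIT_JQUERY_HOSTS:
        # Brand-squatting host such as jquery-cdn.com: the strongest signal.
        return "lookalike host"
    if ref_host in LEGIT_JQUERY_HOSTS and url_host not in LEGIT_JQUERY_HOSTS:
        # The jQuery site itself pulled a third-party resource: worth review.
        return "third-party load referred by jquery.com"
    return None

def find_suspicious(log_text):
    """Return [(client, host, reason)] for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, url_host, ref_host = parsed
        reason = classify(url_host, ref_host)
        if reason:
            hits.append((client, url_host, reason))
    return hits

if __name__ == "__main__":
    for client, host, reason in find_suspicious(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```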
The sequence of events can be seen here.
Additionally, the security vendor OpenDNS picked up a spike in traffic during the timeframe discussed, which seems to indicate that they also saw traffic being sent to the redirector.
It is important to note that this type of attack is extremely difficult to detect and that jQuery Foundation engineers have been working diligently on the issue. They immediately took measures to address the servers in question when we first reached out, and they were responsible in their disclosure on their blog. jQuery was naturally skeptical, as they were unable to detect the malware themselves, but we commend them for taking the responsible approach.
As websites continue to scale and more digital transactions involving the personal information of real individuals take place, the opportunity to exploit these areas will continue to grow. The impact will have serious consequences if not properly addressed.