Threat actors’ primary objective is to drive as many downloads of their fake and compromised malicious mobile apps as possible. A tactic that’s proven extremely reliable in this regard is social engineering: leveraging holidays, current events, and important dates in threat campaigns to raise awareness of their apps. In August and September, the “back to school” theme begins trending, targeting kids and their families as they prepare for another school year.
A simple keyword search for ‘back to school’ inside the RiskIQ platform returns 9,343 active mobile apps, 1,182 (12.7%) of which are blacklisted. As you can see in the screenshot below, these apps come in many different languages and cover just about everything—games, informational services, device themes—even apps that help you “cheat on your exams”:
Fig-1 Malicious “back to school” apps in the RiskIQ platform
RiskIQ, which uses its crawling platform to monitor over 120 mobile app stores around the world while leveraging approximately 2 billion daily scanned resources to look for mobile apps in the wild, provides insight into how mobile threat actors are getting their “back to school” malicious apps to consumers. We found that the Google Play Store, which has a relatively good reputation but led app stores in total blacklisted applications in Q2, hosts 333 of the blacklisted “back to school” apps.
Here’s what to look for when trying to avoid these malicious apps.
Mobile threat actors use many of the same permissions to exploit users that benign applications use, so consumers should treat permissions as clues to an app’s level of danger by matching the permissions it requests against what the app purports to do. If an app’s permissions are not congruous with the functions it claims to provide, you should be suspicious. For example, does an app really need access to your phone calls, SMS messages, or billing to serve its purpose?
The mobile game below called “Salon: Back to School,” appears to be a typical mobile game, but it requests 16 different permissions, including access to billing. A quick check in the RiskIQ platform shows that it’s been blacklisted by five different antivirus vendors for android.InMobi adware:
Fig-2 Permissions listed in the blacklisted “Salon: Back to School” game
RiskIQ’s Threat Research Team sees a rise in free email services such as Hotmail, Gmail, and Yahoo! being used as the contact address for the developer of blacklisted applications. Consumers are advised to be aware of who they expect the app to come from, and verify that the contact of the app they’re downloading is legitimate. For instance, the contact for an app purporting to be from a well-known brand will not be “firstname.lastname@example.org.”
The app below called “Dress Up School Fashion” is blacklisted by ten different antivirus vendors for serving malware, adware, and Trojans. Its contact email is email@example.com:
Fig-3 “Dress Up School Fashion” has a sketchy contact email
Although many blacklisted apps have no contact email listed, consumers can still look at the developer to see if it’s a brand they recognize. If it’s not, or has a strange appearance or spelling, think twice before downloading. You can even do a Google search on the developer for more clues about its reputation.
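To make the permission and contact-address checks described above concrete, here is an added triage helper (example code, not RiskIQ’s platform or any product code) that flags a store listing when a game requests permissions its purpose does not justify, when it requests an unusually large number of permissions, or when its developer contact is a free webmail address. The permission strings are real Android names; the category map, the permission-count threshold, and the sample listing are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed map of the permissions a benign app in a category plausibly needs.
EXPECTED = {
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE",
             "android.permission.ACCESS_NETWORK_STATE"},
}
# Permissions the article singles out as rarely justified by a game's purpose.
HIGH_RISK = {
    "com.android.vending.BILLING": "billing",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "phone calls",
    "android.permission.CALL_PHONE": "phone calls",
}
FREE_MAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
MANY_PERMISSIONS = 10  # assumed threshold; the article's example asked for 16

@dataclass
class Listing:
    name: str
    category: str
    permissions: set = field(default_factory=set)
    developer_email: str = ""

def triage(app: Listing) -> list:
    """Return risk indicators for a store listing (empty list = nothing odd)."""
    flags = []
    # Anything beyond what the category plausibly needs is worth a look.
    unexpected = app.permissions - EXPECTED.get(app.category, set())
    for perm in sorted(unexpected):
        if perm in HIGH_RISK:
            flags.append(f"{app.category} app requests {HIGH_RISK[perm]} access ({perm})")
    if len(app.permissions) >= MANY_PERMISSIONS:
        flags.append(f"requests {len(app.permissions)} permissions")
    # A brand's app is unlikely to list a free webmail contact.
    domain = app.developer_email.rpartition("@")[2].lower()
    if domain in FREE_MAIL:
        flags.append(f"developer contact is a free webmail address ({domain})")
    return flags

# Constructed sample listing loosely modelled on the article's game example:
# a game that wants billing and SMS access and lists a free webmail contact.
SAMPLE = Listing("Salon sample game", "game",
                 {"android.permission.INTERNET", "com.android.vending.BILLING",
                  "android.permission.READ_SMS"}, "dev123@gmail.com")

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("-", flag)
```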
Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high number of downloads can simply indicate that a threat actor was successful in fooling victims. For instance, despite being blacklisted, each of the apps listed above has tens of thousands of downloads.
Below is an app from the Google Play Store with thousands of downloads and excellent reviews. However, upon closer inspection, you can see that there’s something strange: the description is barely coherent. This extremely poor grammar highlights the haste of development and the lack of marketing professionalism and acumen that are hallmarks of mobile malware campaigns:
Fig-4 Despite rave reviews, something is amiss (and hard to read) with this app
While Google has acknowledged the issues with Android and has committed to fixing them, users are still exposed to risks—particularly those with older phones, with rooted phones, or who download applications from unofficial stores. The fact that thousands of these apps are live in popular stores like Google Play goes to show that consumers are largely left to their own discretion when determining if an app is safe.
Consumers are not the only ones threatened by malicious mobile apps during the back-to-school season. Brands are also targeted by threat actors who use their logos and branded terms fraudulently to fool people into downloading their apps. Therefore, brands should have a solution that can mitigate the impact and damage. With a proactive, store-first scanning mentality, RiskIQ External Threats’ mobile app monitoring observes and categorizes the threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, detonated, analyzed, and stored, giving our customers crucial insight into how their brand appears in the mobile app ecosystem. RiskIQ also records changes and new versions of apps as they evolve.
Contact us for more about how RiskIQ can help defend your mobile attack surface.