When you get a chance, take a look at the top three news headlines. Whatever major events, developments or cultural phenomena you see there, you can be sure that threat actors are trying to exploit them for political or monetary gain.
So it’s no surprise that with Pokémon GO, Zika, and the Olympics firmly in the public consciousness, there’s a breadth of cyber schemes aimed at leveraging their immense popularity. And one of the most common modus operandi for stealing sensitive data from unsuspecting users? Fraudulent mobile apps. Out of the millions of mobile apps RiskIQ crawls each day—in the major app stores like Google Play, Apple’s App Store, and Amazon, as well as third-party app stores and mobile carriers’ markets serving localized content to users around the world—thousands are fraudulent or otherwise malicious.
The Olympics: Getting torched
Threat actors are using the size, complexity, and dynamic nature of the global app store ecosystem to exploit well-known Olympic Games sponsors. In such a complex environment, it’s increasingly difficult for sponsoring organizations to monitor their mobile presence and protect their customers from fraud. Threat actors, realizing this lack of visibility by major sponsors, will create several—if not hundreds—of apps that mimic the original, offering games or other interactive experiences that ask users to provide financial data and other sensitive information.
Users are conditioned to grant app permissions to gain access to the content. Shady developers are happy to take advantage of this social conditioning.
It’s worth noting that even legitimate apps can be compromised, especially if they are not kept up to date. The story is always the same: every major sporting event—from the Super Bowl to the Olympics to the Copa America—leaves in its wake a graveyard of event-specific apps made by sponsors and completely forgotten about by all, except opportunistic threat actors. Eventually, these can be hacked and exploited at the organization’s expense.
Pokémon GO: Gotta hack ’em all
Once published, malicious mobile apps can rapidly proliferate from official stores throughout the app store ecosystem, spreading to new stores and web download locations without the developer’s knowledge or consent. The distribution of fraudulent Pokémon apps is broad—of the 2,100 malicious apps in one Pokémon search query inside RiskIQ, 364 of them are from an app store in China, while almost 300 are in Google Play.
These unofficial, third-party apps, such as “Helper for Pokémon GO”, in which players can crowdsource the Pokémon they can find in the game at a particular time, were created to leverage the Pokémon brand for nefarious purposes. The ratio of fraudulent Pokémon apps to authentic ones is extraordinarily high: one out of ten Pokémon apps is malicious, and of the 2,100 Pokémon apps we’ve found, 1,150 can steal information. These actors were so successful that at its peak of popularity, “Poké Radar” hit #2 on the Apple App Store, behind only Pokémon GO itself.
Zika: Not the only virus you have to worry about
RiskIQ has even found fake mobile apps exploiting the concern over the Zika epidemic in Brazil by offering “safety information” but delivering malware instead. The example below is a malicious app that was in the Android app store. It looks like a helpful way for people traveling to Rio to stay safe and informed, promising to send push notifications with crucial updates. However, it was blacklisted by RiskIQ for serving malware instead.
Fig-1 Just one of the many fraudulent apps in mainstream app stores.
Below is a similar app within the RiskIQ tool. In gritty detail, it lists the app’s attributes, many of which are clear indicators of its fraudulent nature.
Fig-2 Another example of a Zika-related fraudulent app.
Apple’s review process is much more intense than that of other app stores, and in 2015 Google began screening apps before they are pushed to Google Play. Still, it’s possible for apps like the one above to slip through the review process—and even top the charts.
There are just too many savvy threat actors out there with the tools and know-how to take advantage of people and wreak havoc on their employers and, eventually, those organizations’ data. For security teams to defend their organizations against growing threats outside the firewall like fraudulent mobile apps, they must discover and monitor their entire attack surface so they can quickly identify, remediate, and investigate any threats that may surface.
But that’s not enough. These attackers use automation to launch sophisticated attacks at very low cost by rotating and reusing undetected infrastructure, while a security team’s visibility is mostly limited to what it sees on the corporate network. By the time a threat is detected locally, the attacker has already moved on, and the team is stuck playing catch-up. Therefore, security teams must use the internet as a replacement for the corporate network, i.e. calling upon their own advanced analytics and machine learning to wield internet datasets such as WHOIS and passive DNS against adversaries to stay one step ahead of them.
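To make the passive DNS and WHOIS pivoting described above concrete, here is an added example (not RiskIQ’s or PassiveTotal’s code, and not from the original post). Starting from one seed domain that hosted a fraudulent app download page, it expands outward through IPs the seed resolved to and through the seed’s registrant e-mail, then repeats from each newly found domain so that infrastructure the actor rotated to later is still caught. Two caveats a practitioner cares about are built in: IPs shared by too many domains (shared hosting, CDNs) are skipped because they would link everything to everything, and WHOIS privacy-proxy addresses are never used as a pivot. All domains, IPs, dates and e-mail addresses are constructed placeholders.

```python
"""Passive DNS + WHOIS pivoting from a seed domain (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    """One passive DNS resolution with the window in which it was observed."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


@dataclass(frozen=True)
class WhoisRecord:
    """The subset of a WHOIS record used for pivoting."""
    domain: str
    registrant_email: str


# E-mail addresses that belong to WHOIS privacy services; pivoting on them
# would link unrelated customers of the same proxy (constructed placeholder).
PRIVACY_PROXIES = {"privacy@proxy.example"}

# Constructed sample passive DNS data. 198.51.100.10 is the actor's rotated
# host, 198.51.100.11 a second actor host, 203.0.113.5 a busy shared host.
SEED = "pokemon-go-helper.example"
PDNS = [
    PdnsRecord(SEED, "203.0.113.5", date(2016, 6, 1), date(2016, 7, 9)),
    PdnsRecord(SEED, "198.51.100.10", date(2016, 7, 10), date(2016, 8, 1)),
    PdnsRecord("poke-radar-dl.example", "198.51.100.10", date(2016, 7, 12), date(2016, 8, 3)),
    # Appears on the actor's IP only after the seed moved off it: reachable
    # only by pivoting a second time, from poke-radar-dl.example.
    PdnsRecord("zika-alerts-rio.example", "198.51.100.10", date(2016, 8, 2), date(2016, 8, 9)),
    PdnsRecord("olympic-sponsor-game.example", "198.51.100.11", date(2016, 7, 1), date(2016, 8, 9)),
    PdnsRecord("legit-blog.example", "203.0.113.5", date(2016, 1, 1), date(2016, 8, 9)),
] + [
    # Sixty unrelated tenants on the shared host, so its fan-out is high.
    PdnsRecord(f"tenant{i}.example", "203.0.113.5", date(2016, 1, 1), date(2016, 8, 9))
    for i in range(60)
]

# Constructed WHOIS data keyed by domain.
WHOIS = {
    SEED: WhoisRecord(SEED, "registrant-placeholder@example.net"),
    "olympic-sponsor-game.example": WhoisRecord("olympic-sponsor-game.example", "registrant-placeholder@example.net"),
    "poke-radar-dl.example": WhoisRecord("poke-radar-dl.example", "privacy@proxy.example"),
    "zika-alerts-rio.example": WhoisRecord("zika-alerts-rio.example", "privacy@proxy.example"),
    # Shares only the privacy-proxy address with the actor's domains: must not be linked.
    "unrelated-shop.example": WhoisRecord("unrelated-shop.example", "privacy@proxy.example"),
}


def _overlaps(a: PdnsRecord, b: PdnsRecord) -> bool:
    """True if the two observation windows overlap (same IP, same time)."""
    return max(a.first_seen, b.first_seen) <= min(a.last_seen, b.last_seen)


def pivot(seed: str, pdns: list, whois: dict, max_fanout: int = 25, max_depth: int = 2) -> dict:
    """Return {related_domain: reason} reachable from seed within max_depth pivots.

    IPs hosting more than max_fanout distinct domains are treated as shared
    infrastructure and skipped; privacy-proxy e-mail addresses are never pivoted on.
    """
    by_domain, by_ip, fanout, by_email = defaultdict(list), defaultdict(list), defaultdict(set), defaultdict(set)
    for r in pdns:
        by_domain[r.domain].append(r)
        by_ip[r.ip].append(r)
        fanout[r.ip].add(r.domain)
    for w in whois.values():
        by_email[w.registrant_email].add(w.domain)

    found: dict = {}
    frontier = [seed]
    for _ in range(max_depth):
        next_frontier = []
        for d in frontier:
            # IP pivot: other domains on the same IP during an overlapping window.
            for r in by_domain[d]:
                if len(fanout[r.ip]) > max_fanout:
                    continue  # shared hosting / CDN: too noisy to be evidence
                for s in by_ip[r.ip]:
                    if s.domain == seed or s.domain in found or not _overlaps(r, s):
                        continue
                    found[s.domain] = f"shared IP {r.ip} with {d}"
                    next_frontier.append(s.domain)
            # WHOIS pivot: other domains registered with the same (non-proxy) e-mail.
            w = whois.get(d)
            if w and w.registrant_email not in PRIVACY_PROXIES:
                for other in by_email[w.registrant_email]:
                    if other == seed or other in found:
                        continue
                    found[other] = f"shared registrant e-mail with {d}"
                    next_frontier.append(other)
        frontier = next_frontier
    return found


if __name__ == "__main__":
    for domain, reason in sorted(pivot(SEED, PDNS, WHOIS).items()):
        print(f"{domain}: {reason}")
```

The fan-out threshold and the depth limit are the two knobs that decide how much noise comes back; raising `max_fanout` on the sample data pulls in all sixty shared-host tenants, and dropping `max_depth` to 1 loses the Zika domain the actor moved onto after the seed left the IP.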