When you get a chance, take a look at the top three news headlines. Whatever major events, developments or cultural phenomena you see there, you can be sure that threat actors are trying to exploit them for political or monetary gain.
So it’s no surprise that with Pokémon GO, Zika, and the Olympics firmly in the public consciousness, there’s a breadth of cyber schemes aimed at leveraging their immense popularity. And one of the most common modus operandi for stealing sensitive data from unsuspecting users? Fraudulent mobile apps. Out of the millions of mobile apps RiskIQ crawls each day—in the major app stores like Google Play, Apple’s App Store, and Amazon, as well as third-party app stores and mobile carriers’ markets serving localized content to users around the world—thousands are fraudulent or otherwise malicious.
The Olympics: Getting torched
Threat actors are using the size, complexity, and dynamic nature of the global app store ecosystem to exploit well-known Olympic Games sponsors. In such a complex environment, it’s increasingly difficult for sponsoring organizations to monitor their mobile presence and protect their customers from fraud. Threat actors, realizing this lack of visibility by major sponsors, will create several—if not hundreds—of apps that mimic the original, offering games or other interactive experiences that ask users to provide financial data and other sensitive information.
Users are conditioned to grant app permissions to gain access to the content. Shady developers are happy to take advantage of this social conditioning.
It’s worth noting that even legitimate apps can be compromised, especially if they are not kept up to date. The story is always the same: every major sporting event—from the Super Bowl to the Olympics to the Copa America—leaves a graveyard of event-specific apps in its wake, made by sponsors and completely forgotten about by all—except opportunistic threat actors. Eventually, these can be hacked and exploited at the organization’s expense.
Pokémon GO: Gotta hack ’em all
Once published, malicious mobile apps can rapidly proliferate from official stores throughout the app store ecosystem, spreading to new stores and web download locations without the developer’s knowledge or consent. The distribution of fraudulent Pokémon apps is broad—of the 2,100 malicious apps in one Pokémon search query inside RiskIQ, 364 of them are from an app store in China, while almost 300 are in Google Play.
These unofficial, third-party apps, such as “Helper for Pokémon GO”, in which players can crowdsource the Pokémon they can find in the game at a particular time, were created to leverage the Pokémon brand for nefarious purposes. The ratio of fraudulent Pokémon apps to authentic ones is extraordinarily high: one out of ten Pokémon apps is malicious, and of the 2,100 Pokémon apps we’ve found, 1,150 can steal information. These actors were so successful that at its peak of popularity, “Poké Radar” hit #2 on the Apple App Store, behind only Pokémon Go itself.
Zika: Not the only virus you have to worry about
RiskIQ has even found fake mobile apps exploiting the concern over the Zika epidemic in Brazil by offering “safety information” but delivering malware instead. The example below is a malicious app that was in the Android app store. It looks like a helpful way for people traveling to Rio to stay safe and informed, promising to send push notifications with crucial updates. However, it was blacklisted by RiskIQ for serving malware instead.
Fig-1 Just one of the many fraudulent apps in mainstream app stores.
Below is a similar app within the RiskIQ tool. In gritty detail, it lists the app’s attributes, many of which are clear indicators of its fraudulent nature.
Fig-2 Another Example of a Zika-related fraudulent app.
Apple’s review process is much more intense than that of other app stores, and in 2015 Google began screening apps before they are pushed to Google Play. Still, it’s possible for apps like the one above to slip through the review process—and even top the charts.
There are just too many savvy threat actors out there with the tools and know-how to take advantage of people and wreak havoc on their employers, and eventually on the organization’s data. For security teams to defend their organizations against growing threats outside the firewall like fraudulent mobile apps, they must discover and monitor their entire attack surface so they can quickly identify, remediate, and investigate any threats that may surface.
But that’s not enough. These attackers use automation to launch sophisticated attacks at very low cost by rotating and reusing undetected infrastructure, so a security team’s visibility is mostly based on what they see on the corporate network. Once they detect a threat locally, the attacker has already moved, and they’re stuck playing catch up. Therefore, security teams must use the internet as a replacement for the corporate network, i.e. calling upon their own advanced analytics and machine learning to wield Internet datasets such as WHOIS and Passive DNS against adversaries to stay one step ahead of them.