Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
March 31, 2016, Jonas Edgeworth
A Story About Chocolate Bunnies, Walmart, and an Indian Crime Syndicate Known As the “Hangover” Group
On Easter Sunday, my mom made her traditional weekend phonecall to catch up on life and Facetime with my two daughters (to see their chocolate-bunny-covered faces). As we were talking, my mom casually mentioned that she had computer problems earlier in the week, and that the technical support representative was very nice and helpful. This statement immediately rang alarm bells in my head—I’m my mom’s technical support, and I had not provided any help recently.
Immediately, I started to interrogate my mom to assess the situation. Apparently, she had picked up her prescription from Walmart, and on the back of the receipt was a request to fill out a customer satisfaction survey at http://survey.walmart.com. Unfortunately, my mom mistyped the URL and went to the typosquatted domain http[:]//surveywalmart[.]com (notice the lack of a period between survey and walmart), where she was greeted with the following page:
My mother proceeded to panic and called the number listed in the modal popup. The polite customer service representative promptly calmed my mother down and socially engineered away her email address, mailing address, phone number, and the MAC address of her iPad. She also gave the associate her credit card number and worked with the individual to change several settings on her iPad.
After calling her credit card company to cancel my mom’s card and forcing her to travel down to the local Apple store to restore her iPad settings (instructing my mom to make these changes over the phone is an exercise in futility), it was time to take advantage of the wonderful set of RiskIQ tools at my fingertips. Hopefully, it was time to make operations a bit more painful for these actors.
Looking at surveywalmart[.]com in PassiveTotal (below), we can see several interesting data points:
First, we can see that the domain was registered back in 2009, and where it was parked up until November 10th of last year:
In November through late January, the domain was routable and resolvable to an IP address in Switzerland, then moved to an IP in Amazon Web Services (AWS). As seen in the screenshot above via open-source intelligence from Norman antivirus available directly through PassiveTotal (requiring no additional research), the older IP address is attributed to a group of India-based attackers dubbed “the Hangover group”:
Looking at WhoIS tab for the domain surveywalmart[.]com, we can see additional information that correlates to the Hangover group, namely the use of an Indian Registrar (Tirupati Domains and Hosting), registered using privacy protection:
We can also see several other domains that resolve to the same IP address:
Leveraging RiskIQ’s global virtual-user infrastructure, we crawled surveywalmart[.]com, which uncovered more details about the Hangover group’s infrastructure. Below, we see surveywalmart[.]com redirected to http[:]//nkqgy.voluumtrk.com:
Note that while voluumtrk[.]com associates to the Internet marketing company Codewise, the particular subdomain nkqgy.voluumtrk[.]com associates with other scareware/tech support scams within RiskIQ’s blacklist. For example, the below screenshot shows the threat sequence in which nkqgy.voluumtrk[.]com redirects to quiz-online[.]xyz, where this final URL presents the scam pop-up and attempts to leverage the vibrate mode to scare the victim:
Additionally, if we look back at my original screenshot, we can see that the site surveywalmart[.]com redirects to http[:]//apple-security-warning[.]info. Searching for apple-security-info[.]info in PassiveTotal returns the following:
As we can see, this domain started resolving two days ago. Again, pivoting based on IP, reveals that this IP is associated to at least another 133 domains, one of which is flagged as phishing in RiskIQ’s blacklist:
In a matter of minutes, I was able to leverage PassiveTotal and RiskIQ to build the additional context and indicators related to the Hangover group needed to take action as a security researcher, a brand owner (Walmart), or a domain management company (Neustar). RiskIQ has submitted both surveywalmart[.]com and apple-security-warning[.]info for browser-based blocking to both Google Safe Browsing and Microsoft’s SmartScreen browser filters to help protect consumers, but these malicious websites are still live at the point of writing this blog post. We recommend Walmart investigate the domain in question and take the appropriate action.
As one can see, this campaign has been simple and very effective at fleecing consumers at web-scale for quite some time, likely earning them a great deal of money. Fortunately for my mom (and her credit card company), I was able to intervene and help with this specific incident.
It’s important to note that Walmart is very much a victim in this situation as well: this incident is probably one of a thousand papercuts Walmart’s security team responds to on a daily basis related to fraud, which can add up to a much deeper wound. But by leveraging RiskIQ, I was easily able to identify a large portion of the Hangover group’s infrastructure that could be blocked and reported, impacting their ability to monetize and potentially deterring them from targeting more victims.