Phishing is still one of the most relentless and quickly evolving online threats facing today’s businesses.
At RiskIQ, we process tons of web-related threat data, including phishing incidents. From various sources, we receive URLs which may be indicative of phishing, examine the pages with our web-crawling infrastructure, which experiences them as a real user would, and feed the data it collects through our machine-learning technology to classify each detected phishing page appropriately.
Phishing pages’ infrastructure usually takes two forms: self-maintained custom infrastructure, and abused or compromised infrastructure belonging to someone else. Below is an instance of an email phishing page that uses the latter. It’s somewhat generic, but an excellent example of something commonly leveled against businesses:
Fig-1 Phishing page
Looking through some sources online, I dug up some additional instances of this phishing kit:
As you can see, there is a theme in the names of these phish examples: each URL contains ‘sendmail.’ Each phish also looks very similar in design.
At RiskIQ, when we explore these pages, we first check whether the host is compromised (the majority are) and, if so, find where the compromise happened. Some cases are obvious, such as a ‘/wp-admin/’ path in the URL, which indicates the host is likely a WordPress instance. In the phish above, removing the trailing filename ‘index2.htm’ from the URL makes some of the hosts reveal the structure of the phishing kit:
Fig-2 Phishing kit structure
There are three files: index2.htm, sub.php, and rop.php. We can find a reference to ‘rop.php’ in the crawl linked at the beginning of this report; the source of the phishing page shows that it sends its stolen credentials to this script via a POST request:
Fig-3 Script to which stolen credentials are sent as captured by RiskIQ Crawlers
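The triage steps described above (spotting the ‘sendmail’ naming theme, stripping the trailing filename to expose the kit directory, and pulling the POST target out of the crawled page) can be scripted for a crawled copy of a phishing page. This is an added example, not RiskIQ code; the hostname, path and HTML are constructed placeholders, not indicators from this report.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a crawled kit page (placeholder host and path,
# not an indicator from the report).
SAMPLE_URL = "http://compromised.example/sendmail/index2.htm"
SAMPLE_HTML = """
<html><body>
<form method="post" action="rop.php">
  <input name="email"><input type="password" name="pass">
  <input type="submit" value="Sign in">
</form></body></html>
"""


class FormParser(HTMLParser):
    """Collect (method, action) for every <form> and note password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def kit_directory(url):
    """Strip the trailing filename so the kit directory can be inspected."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}{p.path.rsplit('/', 1)[0]}/"


def has_sendmail_theme(url):
    """The naming theme shared by the kit URLs collected above."""
    return "sendmail" in urlparse(url).path.lower()


def analyze(url, html):
    """Summarise where a crawled page hands off the credentials it collects."""
    parser = FormParser()
    parser.feed(html)
    kit_dir = kit_directory(url)
    targets = [urljoin(url, act) for meth, act in parser.forms if meth == "post"]
    return {
        "kit_dir": kit_dir,
        "sendmail_theme": has_sendmail_theme(url),
        "credential_form": parser.has_password,
        "post_targets": targets,
        # A credential form posting to a PHP script inside the kit directory
        # is the handoff to the mailer script, as with rop.php above.
        "posts_to_php_in_kit": any(t.startswith(kit_dir) and t.endswith(".php") for t in targets),
    }
```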
This leaves sub.php, whose functionality we don’t yet know. Digging through more instances of this phishing kit, we found another directory index, only this time the live instance of the phishing kit was gone—however, the actor left his install!
Fig-4 Phishing kit install
We can pull down the disruptive.zip file and take a look; it contains all three files we found in the directory listing above. Let’s take a look at rop.php’s source code:
Fig-5 Source code
We can see the general method of credential exfiltration used in the majority of phishing kits: sending out an email containing the credentials. We find the criminal’s exfiltration email address, firstname.lastname@example.org. We can also see the usage of sub.php, to which the user is redirected after the credentials are emailed out, and which contains the following:
This script redirects victims to a specific page on the Microsoft Windows website. Digging through more instances of this phishing kit, we found another case where a zip file was left behind:
Fig-7 Phish kit structure containing a zip file
In this one, we also saw an email address in rop.php which had some interesting ties to our data. The email address we uncovered was email@example.com, which you can find in PassiveTotal’s WHOIS search linked to one single domain:
Fig-8 WHOIS for firstname.lastname@example.org
The website itself has had quite a few IP resolutions but currently isn’t functional. What is interesting is that the domain name closely matches a Florida-based law firm named ‘McClean Law Group’ and their domain, mccleanlawgroup.com. We haven’t found anything linking these two websites other than their name, nor do we have any insight into what the website looked like, if it was ever a working site at all—something to keep an eye on.
Knowing your Risk
RiskIQ provides access to our unique phishing detection capabilities with our External Threats product line. Knowing your phishing risk is only half the battle; our product line offers real-time monitoring and web enforcement capabilities. Protect your assets with RiskIQ’s industry-leading security intelligence.