To pinpoint a perpetrator, detectives always look for common clues that are present at the scenes of similar crimes. Likewise, when researching cyber threats, it helps to look upstream at host attributes that commonly associate with known malicious content.
By matching redirectors with known malicious content, it becomes far easier to predict what's malicious and what isn't. That's why RiskIQ's data science team created our Associated List, or "A-List", a data feed that makes our machine learning progressively better at programmatically scoring URLs to help cyber threat researchers sniff out malicious and suspicious redirects.
The following crawl came from looking at the A-List results that are in the RiskIQ blacklist suspects. The blacklist suspect below shows an A-List item that flagged ‘info-apps[.]xyz’ with a 38% chance of being a redirector. It sends victims to download a potentially unwanted program (PUP) that claims to optimize their mobile device:
This crawl, visible to RiskIQ customers, shows the rest of the content, which illustrates a good hit. The following screenshot was taken from the “causes” tab of the page that encourages users to download this shady application, which indeed shows the malicious URL in the redirect sequence:
Here’s the Document Object Model (DOM) from the crawl, featuring quite a convincing appeal to users to click on the link. It shows the cyber threat actors extolling the virtues of their PUP, urging users to download “Super B Cleaner.” Apparently, it can “boost your phone to make phone faster by 50% and save battery by 20%.”
As our A-List grows, our machine learning becomes smarter, which means customers become better at identifying cyber threats with fewer false positives. I'm excited to see just how much the A-List will improve detection upstream.
Stay safe out there—and remember, “Enjoy the best Android and game experience, only at Super B Cleaner.”
Questions? Feedback? Email firstname.lastname@example.org to contact our research team.