At RiskIQ, our research team works to uncover new external threats around the world, as well as track the evolution of well-known ones. I was looking at this particular crawl as part of the external threats hunting initiative we’ve undertaken over the last month. The page in question was only up for one day (seems legit, right?), as you can see in the PassiveTotal query below:
But, when we look at the DOM provided in the crawl inside RiskIQ, you can see that there are a couple of addresses we can investigate further:
First, there’s an Imgur (one of my favorite ways to waste time on the internet) page hosting a .png file that our suspect page was using for its background:
Sweet! Super intriguing content and all I have to do is log in to Facebook? I can do that! Here we go...
Here's what comes up:
Darn. I really wanted to see what that amazing graphic content was all about. Now threat actors have my Facebook login credentials, and here I am completely graphic contentless.
Oh well, I think we can safely say that RiskIQ now has at least two sites we can blacklist (not Imgur, I need those re-posts!), and probably a whole bunch of others if we pivot on the IP in PassiveTotal:
Just as I thought—plenty of funny business going on.
Remember, if you wanted more detailed, proprietary RiskIQ info on the host history—the full crawl/traversal, DOM capture, etc.—you will still want to query RiskIQ’s global blacklist, or zlist, APIs, for external threat intel enrichment data.
Questions? Feedback? Email firstname.lastname@example.org to contact our research team.