Labs

Shhhh, Be Very, Very Quiet, I’m Hunting External Threats…

At RiskIQ, our research team works to uncover new external threats around the world, as well as track the evolution of well-known ones. I was looking at this particular crawl as part of the external threats hunting initiative we’ve undertaken over the last month. The page in question was only up for one day (seems legit, right?), as you can see in the PassiveTotal query below:

PassiveTotal Query

But, when we look at the DOM provided in the crawl inside RiskIQ, you can see that there are a couple of addresses we can investigate further:

DOM

First, there’s an Imgur (one of my favorite ways to waste time on the internet) page hosting a .png file that our suspect page was using for its background:

Imgur 1

Sweet! Super intriguing content and all I have to do is log in to Facebook? I can do that! Here we go...

imgur 2

Here's what comes up:

graphic content was removed

Darn. I really wanted to see what that amazing graphic content was all about. Now threat actors have my Facebook login credentials, and here I am completely graphic contentless.

Oh well, I think we can safely say that RiskIQ now has at least two sites we can blacklist (not Imgur, I need those re-posts!), and probably a whole bunch of others if we pivot on the IP in PassiveTotal:

Screen Shot 2016-08-22 at 11.46.14 AM

Just as I thought—plenty of funny business going on.

Remember, if you wanted more detailed, proprietary RiskIQ info on the host history—the full crawl/traversal, DOM capture, etc.—you will still want to query RiskIQ’s global blacklist, or zlist, APIs, for external threat intel enrichment data.

Questions? Feedback? Email research-feedback@riskiq.net to contact our research team.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor