Traffic is the lifeblood of the cybercrime ecosystem. It is a core commodity enabling cybercriminals to monetize their operations in various ways. For example, in our recent analysis of a fake Russian dating scheme, we observed that fraudsters used online ads to push web traffic to their sites and hijacked web browsers with adware to redirect victim computers. Meanwhile, other actors tap into traffic for much more illicit reasons, such as hijacking traffic from large advertising networks, carrying out phishing attacks, and distributing malware to vulnerable computers.
Many attackers take active steps to protect this source of revenue, utilizing various traffic and device filtering techniques to block out security researchers and optimize the type of traffic they receive. In today’s post, we’ll examine a campaign RiskIQ has been tracking for several weeks involving traffic monetization and filtering, obfuscation, and several thousand compromised web servers.
This particular campaign, which we have named CaesarV after its use of a Caesar cipher to obfuscate the redirection code on its pages, uses spam to generate traffic. Spam builds traffic by sending malicious URLs and attachments to a large number of contacts, which may have been stolen from address books, harvested from websites, collected from data breach dumps, or purchased from various sellers and marketing database suppliers. When one of these recipients clicks the URL embedded in the spam email, they are sent to a page on a compromised web server, which then distributes the traffic among several different scam pages.
Fig-1 Response body of a CaesarV page on a compromised server
Shown above is the response body from one of the CaesarV pages detected by RiskIQ. It contains a few interesting elements including the script (highlighted), which acts as a Caesar cipher. The variable castlesa=61 defines the shift for all of the numbers in the castlesb array, meaning each number in the castlesb array is a character code with 61 added to it. After deobfuscation, the character code array resolves to this redirection:
The result is an affiliate offer for a scam page using a fake news story to sell pills endorsed by Stephen Hawking that purport to improve intelligence.
Fig-2 Scam page redirected to via CaesarV. Also, how do you mistake Wolf Blitzer for Anderson Cooper?
Other observed redirections have landed on fake tech support scams, fake Flash update pages, fake diet pills, and other similarly scammy pages. Since RiskIQ began detecting this behavior, we’ve seen several thousand samples pointing to an equally high number of compromised web servers, with activity dating back to at least the beginning of 2017—and possibly much longer.
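To make the deobfuscation concrete, here is an added example (not code from the original post or from RiskIQ) that recovers the redirect target from a CaesarV-style page: it locates the shifted character-code array and the shift variable the script subtracts from it, undoes the shift, and pulls the destination out of the decoded JavaScript. The HTML sample, the variable names and the redirect URL are constructed to match the pattern described above (castlesa = shift of 61, castlesb = shifted character codes); they are not indicators from the campaign.

```python
import re

# Constructed sample page: a CaesarV-style redirect script with the shift
# stored in castlesa and the shifted character codes in castlesb. The target
# URL is a placeholder, not a real CaesarV destination.
SAMPLE_HTML = """<html><body>
<script>var castlesa=61;var castlesb=[180,166,171,161,172,180,107,169,172,160,
158,177,166,172,171,122,95,165,177,177,173,176,119,108,108,164,172,107,162,181,
158,170,173,169,162,108,95,120];var castlesc="";
for(var i=0;i<castlesb.length;i++){castlesc+=String.fromCharCode(castlesb[i]-castlesa);}
eval(castlesc);</script>
</body></html>"""

# Integer variable assignments (candidate shifts) and integer array literals.
SHIFT_RE = re.compile(r"var\s+(\w+)\s*=\s*(\d+)\s*;")
ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[([\d,\s]+)\]\s*;")
# location assignment inside the decoded script.
REDIRECT_RE = re.compile(r'''(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']''')


def decode_caesarv(html):
    """Return (shift, decoded_script) for the first Caesar-shifted array whose
    decoding is tied to a shift variable in the page, or None if no such
    construct is present."""
    shifts = {name: int(value) for name, value in SHIFT_RE.findall(html)}
    for array_name, body in ARRAY_RE.findall(html):
        codes = [int(c) for c in body.split(",") if c.strip()]
        # The variable names are drawn from a word list, so do not hard-code
        # them: find the fromCharCode(array[i] - shift) expression for this
        # array and take the shift variable it actually uses.
        use = re.search(
            r"fromCharCode\(\s*%s\[\w+\]\s*-\s*(\w+)\s*\)" % re.escape(array_name), html)
        if not use or use.group(1) not in shifts:
            continue
        shift = shifts[use.group(1)]
        # A correct shift yields printable ASCII; anything else is noise.
        if not all(32 <= c - shift < 127 for c in codes):
            continue
        return shift, "".join(chr(c - shift) for c in codes)
    return None


def extract_redirect(html):
    """Return the redirect URL hidden in a CaesarV-style page, or None."""
    result = decode_caesarv(html)
    if result is None:
        return None
    match = REDIRECT_RE.search(result[1])
    return match.group(1) if match else None
```

Running `extract_redirect` over captured response bodies gives the destination domain without executing the script, which is the value to pivot on when grouping compromised servers by the scam pages they feed.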
The actor(s) responsible for CaesarV work by finding vulnerable servers, compromising them, and loading several files onto them, including the PHP files containing the CaesarV code. Analysis of a server hosting CaesarV showed that, following initial compromise, the file /tmp/rnd is written to disk and the perl process is spawned, which then removes the /tmp/rnd file. The perl process then downloads several PHP files from a remote host with the following response headers:
Fig-3 Response headers from remote CaesarV host
Following the download, the process opens listening TCP port 23213. Several inbound connections on this port are received from 126.96.36.199, which is running FTP on port 21, SSH on port 22, HTTP on port 81, and an unknown service on port 84.
188.8.131.52 AS29073 | NL | QUASINETWORKS
RiskIQ analyzed one of the PHP files loaded onto a server after initial compromise. This particular file is hardcoded to create the redirection page and attempts to perform other actions on the compromised server. The file includes an array of words from which the variable names in the Caesar cipher script are selected, as well as an array of numbers from which the shift for the character codes in the cipher is chosen.
There is also a function involving a cookie check and manipulation of .htaccess files on the server. If the page is visited by a browser with the correct cookie set, the script attempts to change the permissions on .htaccess files on the compromised server to make them writable and then deletes them, most likely to strip access restrictions from directory paths in the server’s document root.
Fig-4 Cookie and change permissions functions of PHP file loaded onto a compromised server
There is money to be made in a compromised server, and there are an awful lot of vulnerable servers out there waiting to be compromised. In the case of CaesarV, the value comes from the use of an enormous set of domains to which the actor can link for redirection of their spam-created traffic to scam sites. As long as there are vulnerable systems and means of monetizing their compromise, there will continue to be attacks that place them in the hands of malicious actors.
RiskIQ monitors this type of activity on a continual basis using our web data collection platform driven by virtual users and URL Intelligence services. Staying informed on the use of tactics such as these in the threat space is helpful in today’s battle to protect users and systems from external threats.