Below is the redirection chain captured by RiskIQ, showing the redirect from the compromised Equifax page to the page serving the malicious Flash update:
Fig-1 The malvertising sequence detected by RiskIQ
This related PassiveTotal query shows the redirections for the ostats[.]net domain: https://community.riskiq.com/search/ostats.net
In the malvertising chain above, several hosts redirect the user from site to site until they land on the final page delivering the malicious Flash download, cdn.centerbluray.info. Fortunately, RiskIQ's virtual user technology captured each of these redirections, including dependent requests, page content, and header information, and saved them in the database:
Fig-2 Each redirection captured by RiskIQ
The "Lost Referrer" step attempts to scrub the true source of the traffic. The attackers may be trying to shield the vulnerable server, or to fraudulently mark their own site (1freewebhosting.org) as the source of the traffic:
Fig-3 Lost Referrer
Redirection chains like this are typical of actors who hijack traffic, as each visit earns them potential click profit. What is notable about these attacks is that they seldom impact just one web property; instead, they affect every site that uses the compromised third-party web component. While Equifax was indeed caught in this mess, it was not the only one.
Data from the RiskIQ crawlers is exposed within PassiveTotal under the "host pairs" tab. Viewing ostats.net, it is clear that several other legitimate websites, including Equifax, are redirecting through this redirection chain. Unfortunately, attacks like this are all too common online and often go unnoticed unless a major brand is involved. Organizations need to recognize the risk in third-party code and truly understand their externally facing digital footprint; without that visibility, anyone could easily become the next Equifax of the week.
Parent Host Pairs show other sites affected by this redirection attack campaign:
Fig-4 Other sites affected by this campaign
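As an added illustration (not RiskIQ's code or PassiveTotal's), the following Python sketch performs the two analyses described above on constructed crawl records: it flags the hop where the referrer is dropped or replaced, and it builds child-to-parent host pairs so the other sites feeding the same final host can be enumerated. The hosts under `.test` are placeholders; ostats.net, 1freewebhosting.org and cdn.centerbluray.info are the hosts named in the post.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample crawl records: each record is one captured visit, as a list of
# hops (URL requested, Referer header sent with that request). Not real crawl data.
SAMPLE_CRAWLS = [
    [("https://www.example-bank.test/page", None),
     ("http://ostats.net/r", "https://www.example-bank.test/page"),
     ("http://1freewebhosting.org/go", None),  # referrer scrubbed at this hop
     ("http://cdn.centerbluray.info/flash", "http://1freewebhosting.org/go")],
    [("https://news.example.test/article", None),
     ("http://ostats.net/r", "https://news.example.test/article"),
     ("http://1freewebhosting.org/go", "http://1freewebhosting.org/"),  # forged referrer
     ("http://cdn.centerbluray.info/flash", "http://1freewebhosting.org/go")],
]

def host(url):
    """Hostname of a URL, or None for a missing header."""
    return urlparse(url).hostname if url else None

def lost_referrer_hops(chain):
    """Indices of hops whose Referer does not name the previous hop's host,
    i.e. where the true traffic source was dropped or replaced."""
    return [i for i in range(1, len(chain))
            if host(chain[i][1]) != host(chain[i - 1][0])]

def build_host_pairs(crawls):
    """Map each child host to the set of parent hosts observed redirecting to it,
    the same relationship the post's host pairs view exposes."""
    pairs = defaultdict(set)
    for chain in crawls:
        for (parent, _), (child, _) in zip(chain, chain[1:]):
            pairs[host(child)].add(host(parent))
    return pairs

def upstream_sites(pairs, target):
    """Walk parent links from target upward and return the originating sites
    (hosts with no parent of their own) whose visitors end up at target."""
    seen, stack, roots = set(), [target], set()
    while stack:
        h = stack.pop()
        if h in seen:
            continue
        seen.add(h)
        parents = pairs.get(h, set())
        if not parents and h != target:
            roots.add(h)
        stack.extend(parents)
    return roots
```

Running `upstream_sites(build_host_pairs(SAMPLE_CRAWLS), "cdn.centerbluray.info")` on the sample returns the two originating sites, which is the list a defender would use to notify affected properties.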
We recognize the difficulty in detecting these types of attacks, which is why we built technology to address this challenge. For years, RiskIQ has been the leader in Digital Threat Management and has always taken the position that you can't defend what you don't know about. Leveraging virtual users, globally placed sensors, and regular Internet scans, RiskIQ builds an accurate inventory of all your externally facing assets and continuously monitors them for threats or compliance issues.
In this particular case, RiskIQ customers who use our Digital Footprint product would have been alerted to malicious activity on one of their sites via a malware event. These events are detailed and include full crawl details, enrichment data, and context around the suspicious event. Being alerted to a compromise in near real time affords our customers the ability to take action quickly.
The infrastructure used in this attack will remain blacklisted within RiskIQ products until our virtual users stop identifying malicious behavior. For those within our community products, we’ve made this information available through those portals in the form of a tag and public project that includes a complete list of network indicators associated with this campaign.