October 16, 2017, Brandon Dixon
Below, you can see the redirection sequence chain captured by RiskIQ showing the redirect from the compromised Equifax page to the one serving the Flash update:
Fig-1 The malvertising sequence detected by RiskIQ
This related PassiveTotal query shows the redirections for the ostats[.]net domain: https://community.riskiq.com/search/ostats.net
In the malvertising chain above, several hosts are used to redirect the user from website to website until they land on the final page delivering the malicious Flash download, cdn.centerbluray.info. Fortunately, RiskIQ's virtual user technology was able to capture each of these redirections, including dependent requests, page content, and header information, and save them in the database:
Fig-2 Each redirection captured by RiskIQ
The lost referrer is an attempt to scrub the true source of the traffic. The attackers may be trying to protect the vulnerable server, or to fraudulently mark the source of the traffic as their own site (1freewebhosting.org):
Fig-3 Lost Referrer
Redirection chains like this are typical of actors who hijack traffic, since each visit gains them potential click profit. What's notable about these attacks is that they seldom affect just one web property; they affect whoever is using the third-party web component. While Equifax was indeed caught up in this mess, it is not the only one.
Data from the RiskIQ crawlers is exposed within PassiveTotal under our "host pairs" tab. Viewing ostats.net, it is clear that several other legitimate websites, including Equifax, are passing through this redirection chain. Unfortunately, attacks like this are all too common online and often go unnoticed unless a major brand is involved. It's important for organizations to recognize the risk in third-party code and truly understand their externally facing digital footprint; without that visibility, anyone could easily become the next Equifax of the week.
Parent Host Pairs show other sites affected by this redirection attack campaign:
Fig-4 Other sites affected by this campaign
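As an added example (not RiskIQ's code, and not data from its crawl), the following Python rebuilds the parent/child host pairs described above from a set of captured redirect chains, lists which origin sites route through ostats.net, and flags the "lost referrer" hops where the Referer header is missing or names a host other than the previous hop. The intermediate host names are the ones named in this post; the origin sites, paths, and Referer values are constructed for illustration.

```python
"""Rebuild redirect-chain host pairs from captured crawl hops and flag
hops where the Referer was scrubbed or rewritten."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample data: three captured chains, each an ordered list of
# (requested_url, referer_header_or_None).  The intermediate hosts are the
# ones named in the post; the origin sites, paths and Referer values are
# assumptions made for this example, not RiskIQ crawl data.
SAMPLE_CHAINS = [
    [
        ("https://site-a.example/support", None),
        ("http://ostats.net/stat.js", "https://site-a.example/support"),
        ("http://1freewebhosting.org/r", "http://1freewebhosting.org/"),  # rewritten
        ("http://cdn.centerbluray.info/flash.html", "http://1freewebhosting.org/r"),
    ],
    [
        ("https://site-b.example/", None),
        ("http://ostats.net/stat.js", "https://site-b.example/"),
        ("http://1freewebhosting.org/r", None),  # referer dropped entirely
        ("http://cdn.centerbluray.info/flash.html", "http://1freewebhosting.org/r"),
    ],
    [   # a benign chain that never touches the pivot host
        ("https://site-c.example/", None),
        ("https://cdn.site-c.example/app.js", "https://site-c.example/"),
    ],
]


def host_of(url):
    """Hostname portion of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""


def build_host_pairs(chains):
    """Map each parent host to the set of child hosts it was seen loading
    or redirecting to (the parent/child view of the post's host-pairs tab)."""
    pairs = defaultdict(set)
    for chain in chains:
        for (parent_url, _), (child_url, _) in zip(chain, chain[1:]):
            pairs[host_of(parent_url)].add(host_of(child_url))
    return dict(pairs)


def sites_routing_through(chains, pivot_host):
    """Return the origin hosts (first hop of a chain) whose traffic passes
    through pivot_host anywhere later in the chain."""
    affected = set()
    for chain in chains:
        origin = host_of(chain[0][0])
        if any(host_of(url) == pivot_host for url, _ in chain[1:]):
            affected.add(origin)
    return affected


def referrer_anomalies(chain):
    """Flag hops whose Referer does not point back at the previous hop's host.
    Each finding is (url, kind, expected_referer_host) where kind is
    'lost' (no Referer sent) or 'rewritten' (Referer names another host)."""
    findings = []
    for (prev_url, _), (url, referer) in zip(chain, chain[1:]):
        expected = host_of(prev_url)
        if referer is None:
            findings.append((url, "lost", expected))
        elif host_of(referer) != expected:
            findings.append((url, "rewritten", expected))
    return findings


if __name__ == "__main__":
    for parent, children in sorted(build_host_pairs(SAMPLE_CHAINS).items()):
        print(f"{parent} -> {', '.join(sorted(children))}")
    print("origins routed through ostats.net:",
          sorted(sites_routing_through(SAMPLE_CHAINS, "ostats.net")))
    for chain in SAMPLE_CHAINS:
        for url, kind, expected in referrer_anomalies(chain):
            print(f"{kind} referer at {url} (expected {expected})")
```

Run against real crawl output, the `sites_routing_through` result is the list of first-party sites to notify, and the pairs map gives the parent host (here ostats.net) whose script tag is the third-party component to remove or block.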
We recognize the difficulty in detecting these types of attacks; that's why we built technology to address this challenge. For years, RiskIQ has been the leader in Digital Threat Management and has always taken the position that you can't defend what you don't know about. Leveraging virtual users, globally placed sensors, and regular Internet scans, RiskIQ builds an accurate inventory of all your externally facing assets and continuously monitors them for threats and compliance issues.
In this particular case, RiskIQ customers who use our Digital Footprint product would have been alerted to malicious activity on one of their sites via a malware event. These events are detailed and include full crawl details, enrichment data, and context around the suspicious event. Being alerted to a compromise in near real time affords our customers the ability to take action quickly.
The infrastructure used in this attack will remain blacklisted within RiskIQ products until our virtual users stop observing malicious behavior. For those using our community products, we've made this information available through those portals in the form of a tag and a public project that includes a complete list of network indicators associated with this campaign.