Today’s post highlights a whole lot of bad stuff—and serves as an excellent example of how different cyber threat actor techniques link together in a single campaign.
This RiskIQ web crawl features domain infringement monitoring on our demo workspace that identifies a domain that has likely been compromised and rigged with a script tag to a malicious redirector known as Pseudo Darkleech, which we’ve covered here. The redirector, in turn, pushes this traffic to an instance of the RIG exploit kit.
Fig-1 The crawl of the domain infringement inside the RiskIQ tool
The first site in the sequence, compromised with the malicious script tag, looks like it belongs to an Italian music group. However, consumers may very well associate part of its URL with a certain well-known brand. Therefore, in this case, the domain infringement may not be deliberate, but nevertheless can be consequential for the brand.
Taking a look at this cyber threat actor’s infrastructure, we can see that “caponebungtbangt.com” wasn’t the only compromised site used in the attack. In PassiveTotal, RiskIQ’s cyber threat research tool, we can see the WHOIS data for the third site in the sequence, “rt.kathrynjalimanart.com”, the one hosting the exploit kit. With a convincing name and (ostensibly) real address, it seems to be a legitimate registration, which means the registrant was likely a victim of Domain Shadowing.
Fig-2 The WHOIS information for the site serving the RIG EK
Domain shadowing is a quick and efficient way for cyber threat actors to deploy a vast infrastructure by hijacking the user accounts of existing, registered, and otherwise trustworthy web domains. Once they gain access, they can use the parent domain for cyber attacks and register a large number of unauthorized subdomains, which are difficult to detect because they are associated with the reputable compromised domain and often don’t follow any discernible pattern.
Pivoting on the registrant information in PassiveTotal, we can see that many of the domains belonging to this registrant seem to be related to skin care. Given that we know his GoDaddy account has been compromised, we must assume at least a few of these sites are being used by this cyber threat actor or others for similar nefarious purposes.
Fig-3 Other domains registered by Michael Jaliman, who is a victim of Domain Shadowing
Sure enough, the first domain I clicked on in PassiveTotal began resolving to a new IP address on March 3, 2015, which may indicate the domain fell into the wrong hands. Pivoting on that address, we see thousands of other domains resolving to it, many of which are flagged by VirusTotal and blacklisted by RiskIQ.
Fig-4 Other malicious domains resolving to the same IP address
Stay safe out there
The domain infringement use case, in which several cyber threat actor techniques cause unwitting users to associate a site that leads them to malware with a brand that holds value for a customer, is important, and a valuable source of traffic in our crawler. As seen above, RiskIQ is well-suited to detect each of the different techniques employed by the cyber threat actors in this post.
Questions? Feedback? Email email@example.com to contact our research team.