Finding Scams Through Suspect Web Components

June 28, 2017, Steven Pon

The digital threat landscape offers threat actors a plethora of resources they can use to camouflage their activities and cover their tracks, such as swaths of cheap and readily available hosts and IPs that can be continually switched out and rotated. For this reason, successfully tracking suspicious activity requires as much data as threat researchers can get their hands on.

Researchers use comprehensive data sets such as Passive DNS (PDNS), which can indicate changes in threat infrastructure, and WHOIS, which indicates ownership of infrastructure, to track threat actors. However, other unique data can be equally, if not more, valuable in this pursuit. Aside from PDNS and WHOIS, RiskIQ also collects data on web components—the servers, frameworks, Javascript libraries, and more—that appear on hosts. With this information, we can further our analysis of the threat landscape while avoiding dead ends.

For example, in early May, RiskIQ noticed a spike in the number of blacklist incidents associated with certain web components; in this case, certain versions of PHP and NGINX. Having identified these suspect web components with a “bad reputation,” we were able to find all hosts running them and pair that information with our PDNS data to find a total of 42 distinct IP addresses. Notably, most of these hosts were clustered on five of these IP addresses:

163[.]172[.]207[.]173
163[.]172[.]224[.]23
163[.]172[.]225[.]211
163[.]172[.]226[.]191
163[.]172[.]228[.]115

Scanning each of these addresses revealed that they are all dedicated to fake software scams, with host names such as “freechecknow[.]clickforultimateandbest2updatepc[.]download” and “upgrade4life[.]pressingupgradeforcontinue[.]info.”

With RiskIQ PassiveTotal, web components are helping researchers find and identify scam infrastructure comprised of thousands of rotating hosts and IPs.

Fig-1 A Sampling of scam hosts shown inside RiskIQ PassiveTotal


Fig-2 A sample host featuring fake “Adobe Flash out of date” messages

Our PDNS data further reveals that this scammer has been setting up hundreds of hosts per day, starting on April 19. Although they tried to hide their tracks behind privacy-protected WHOIS registration as well as isolate their hosts to only one IP each, web component analysis can connect the dots across IP addresses to distinguish a single, coordinated campaign.

Multiple web components and web component “profiling” can also be used to track other actors across domains and IP addresses. We wrote a short time ago about NoTrove, a prolific scam actor that uses thousands of domains and IPs to run its operations. We were able to track NoTrove through learning patterns of their operations and finding those patterns in our treasure trove of passive DNS and our scam detection engine, but another piece of the puzzle comes from web component detection.

As part of deploying such a huge number of sites, NoTrove needs to use much of the same infrastructure on each host. Researchers can use that to their advantage by searching for a web component profile matching their signature. For example, pivoting on the web component data set for hosts using a certain version of the Javascript library ext-core and a Microsoft-IIS v7.5 server, one can uncover thousands of matching scam hosts. With this additional analysis, our catalog of NoTrove hosts consists of over 3,000 distinct domains and over 4,500 distinct IPs.
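The pivot described above for both the PHP/NGINX cluster and the NoTrove profile (match hosts against a web component profile, join them with passive DNS, then rank IPs by how many matching hosts land on them) as an added example; this is not RiskIQ's code or API, the data set is constructed, and the ext-core version is assumed because the post does not name it.

```python
from collections import defaultdict

# Constructed sample data (not RiskIQ data): web component observations as
# (host, component, version) and passive DNS resolutions as (host, ip).
COMPONENTS = [
    ("a.example", "Microsoft-IIS", "7.5"), ("a.example", "ext-core", "3.1.0"),
    ("b.example", "Microsoft-IIS", "7.5"), ("b.example", "ext-core", "3.1.0"),
    ("c.example", "Microsoft-IIS", "7.5"), ("c.example", "ext-core", "4.2.1"),  # wrong library version
    ("d.example", "nginx", "1.10.3"),      ("d.example", "ext-core", "3.1.0"),  # no IIS: not a match
    ("e.example", "Microsoft-IIS", "7.5"), ("e.example", "ext-core", "3.1.0"),
]
PDNS = [
    ("a.example", "192.0.2.10"), ("b.example", "192.0.2.10"),
    ("c.example", "192.0.2.20"), ("d.example", "192.0.2.30"),
    ("e.example", "192.0.2.10"), ("e.example", "192.0.2.40"),  # e has rotated to a second IP
]
# Profile from the post: Microsoft-IIS 7.5 plus a specific ext-core version (version assumed here).
NOTROVE_PROFILE = {"Microsoft-IIS": "7.5", "ext-core": "3.1.0"}

def hosts_matching_profile(components, profile):
    """Hosts whose observed components include every (name, version) pair in profile."""
    seen = defaultdict(set)
    for host, name, version in components:
        seen[host].add((name, version))
    wanted = set(profile.items())
    return sorted(host for host, comps in seen.items() if wanted <= comps)

def pivot_to_ips(hosts, pdns):
    """Join profile-matching hosts with passive DNS: {ip: sorted hosts resolving there}."""
    wanted = set(hosts)
    by_ip = defaultdict(set)
    for host, ip in pdns:
        if host in wanted:
            by_ip[ip].add(host)
    return {ip: sorted(h) for ip, h in by_ip.items()}

def rank_clusters(by_ip):
    """IPs ordered by how many matching hosts sit on them, largest cluster first."""
    return sorted(by_ip.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    matched = hosts_matching_profile(COMPONENTS, NOTROVE_PROFILE)
    print("profile-matching hosts:", matched)
    for ip, hosts in rank_clusters(pivot_to_ips(matched, PDNS)):
        print(f"{ip}: {len(hosts)} host(s) -> {hosts}")
```

A host that shares only one component (c.example, d.example) is excluded, which is what keeps the profile from sweeping in every IIS 7.5 server on the internet; the ranked output is the list of IPs worth blocking or monitoring first.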


Fig-3 A Notrove IP

Start Pivoting for Yourself

Internet data can be sorted, classified, and monitored over time to provide a complete picture of your attackers and their evolving techniques. Infrastructure chaining leverages the relationships between these highly connected data sets, such as web components and PDNS, to build out a thorough investigation. This process is the core of Threat Infrastructure Analysis and allows organizations to surface new connections, group similar attack activity, and substantiate assumptions during incident response.

With RiskIQ Community Edition, security teams can proactively address digital threats that are related to already observed events or alerts. The unique data sets in the RiskIQ PassiveTotal product do this by uncovering other infrastructure associated with a bad actor that may previously have been unknown or difficult to associate. Security teams can block these connected sources and set up monitors to alert on changes to that infrastructure that could indicate an impending attack.

To start pivoting on these data sets for yourself, try RiskIQ PassiveTotal Community Edition for free by visiting https://www.riskiq.com/community/.
