The digital threat landscape offers threat actors a plethora of resources they can use to camouflage their activities and cover their tracks, such as swaths of cheap and readily available hosts and IPs that can be continually switched out and rotated. For this reason, successfully tracking suspicious activity requires as much data as threat researchers can get their hands on.
For example, in early May, RiskIQ noticed a spike in the number of blacklist incidents associated with certain web components; in this case, certain versions of PHP and NGINX. Having identified these suspect web components with a “bad reputation,” we were able to find all hosts running them and pair that information with our PDNS data to find a total of 42 distinct IP addresses. Notably, most of these hosts were clustered on five of these IP addresses.
Scanning each of these addresses revealed that they are all dedicated to fake software scams, with host names such as “freechecknow[.]clickforultimateandbest2updatepc[.]download” and “upgrade4life[.]pressingupgradeforcontinue[.]info.”
Fig-1: A sampling of scam hosts shown inside RiskIQ PassiveTotal
Fig-2: A sample host featuring fake “Adobe Flash out of date” messages
Our PDNS data further reveals that this scammer has been setting up hundreds of hosts per day, starting on April 19. Although they tried to hide their tracks behind privacy-protected WHOIS registration as well as isolate their hosts to only one IP each, web component analysis can connect the dots across IP addresses to distinguish a single, coordinated campaign.
Multiple web components and web component “profiling” can also be used to track other actors across domains and IP addresses. We wrote a short time ago about NoTrove, a prolific scam actor that uses thousands of domains and IPs to run its operations. We were able to track NoTrove through learning patterns of their operations and finding those patterns in our treasure trove of passive DNS and our scam detection engine, but another piece of the puzzle comes from web component detection.
Fig-3: A NoTrove IP
Start Pivoting for Yourself
Internet data can be sorted, classified, and monitored over time to provide a complete picture of your attackers and their evolving techniques. Infrastructure chaining leverages the relationships between these highly connected data sets, such as web components and PDNS, to build out a thorough investigation. This process is the core of Threat Infrastructure Analysis and allows organizations to surface new connections, group similar attack activity, and substantiate assumptions during incident response.
With RiskIQ Community Edition, security teams can proactively address digital threats that are related to already observed events or alerts. Unique data sets in the RiskIQ PassiveTotal product do this by uncovering other infrastructure associated with a bad actor that might be previously unknown or difficult to associate. Security teams can block these connected sources and set up monitors to alert on changes to that infrastructure that could indicate an impending attack.
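The pivot walked through in the PHP/NGINX case above, the infrastructure chaining it illustrates, and the monitoring step just described can all be expressed as joins over three small data sets: blacklist incidents, web component observations, and passive DNS. The script below is an added example written for this post, not RiskIQ code and not the PassiveTotal API; every host name, IP, version string and date in it is constructed for illustration. It flags component versions with a high blacklist ratio, finds every host running them (including hosts not yet blacklisted), joins those hosts to IPs through PDNS, measures how many new hosts appear per day, groups hosts by full component profile so that one campaign can be recognised across isolated IPs, and finally diffs two PDNS snapshots to alert on new hosts landing on watched IPs.

```python
"""Infrastructure chaining over constructed data sets (illustrative only)."""
from collections import Counter, defaultdict
from datetime import date

# --- Constructed inputs: not real hosts, IPs, or RiskIQ data ----------------

# Hosts that generated blacklist incidents in the observation window.
BLACKLISTED = {"h1.example", "h2.example", "h3.example", "h4.example"}

# Web component observations: host -> set of (component, version).
WEB_COMPONENTS = {
    "h1.example": {("PHP", "5.6.30"), ("NGINX", "1.10.3")},
    "h2.example": {("PHP", "5.6.30"), ("NGINX", "1.10.3")},
    "h3.example": {("PHP", "5.6.30"), ("NGINX", "1.10.3")},
    "h4.example": {("PHP", "5.6.30"), ("NGINX", "1.10.3")},
    "h5.example": {("PHP", "5.6.30"), ("NGINX", "1.10.3")},   # not yet blacklisted
    "h6.example": {("PHP", "5.6.30"), ("NGINX", "1.10.3")},   # not yet blacklisted
    "corp.example": {("PHP", "7.2.4"), ("Apache", "2.4.33")},
    "shop.example": {("PHP", "7.2.4"), ("NGINX", "1.13.12")},
    "blog.example": {("NGINX", "1.10.3"), ("WordPress", "4.9")},  # benign overlap
}

# Passive DNS resolutions: (host, ip, first_seen). Documentation ranges only.
PDNS = [
    ("h1.example", "192.0.2.10", date(2018, 4, 19)),
    ("h2.example", "192.0.2.10", date(2018, 4, 19)),
    ("h3.example", "192.0.2.11", date(2018, 4, 20)),
    ("h4.example", "192.0.2.11", date(2018, 4, 20)),
    ("h5.example", "192.0.2.12", date(2018, 4, 21)),
    ("h6.example", "192.0.2.12", date(2018, 4, 21)),
    ("corp.example", "198.51.100.5", date(2017, 1, 3)),
    ("shop.example", "198.51.100.6", date(2017, 6, 9)),
    ("blog.example", "198.51.100.7", date(2016, 2, 1)),
]

# A later PDNS snapshot with one new host on an already-identified IP.
FRESH_PDNS = PDNS + [("h7.example", "192.0.2.10", date(2018, 4, 22))]


def component_reputation(components, blacklisted):
    """For each (component, version) return (blacklisted_hosts, total_hosts)."""
    total, bad = Counter(), Counter()
    for host, comps in components.items():
        for comp in comps:
            total[comp] += 1
            if host in blacklisted:
                bad[comp] += 1
    return {comp: (bad[comp], total[comp]) for comp in total}


def flag_components(reputation, min_ratio=0.5, min_hosts=3):
    """Component versions whose blacklist ratio is high enough to pivot on.
    min_hosts keeps a single bad host from tainting a rarely seen version."""
    return {comp for comp, (bad, total) in reputation.items()
            if total >= min_hosts and bad / total >= min_ratio}


def hosts_running(components, flagged):
    """Every host running any flagged component, blacklisted or not."""
    return {host for host, comps in components.items() if comps & flagged}


def pivot_to_ips(pdns, hosts):
    """Join the host set with passive DNS: ip -> set of hosts on that IP."""
    by_ip = defaultdict(set)
    for host, ip, _ in pdns:
        if host in hosts:
            by_ip[ip].add(host)
    return dict(by_ip)


def new_hosts_per_day(pdns, hosts):
    """Count first-seen dates of the pivoted hosts to expose set-up tempo."""
    return Counter(first_seen for host, _, first_seen in pdns if host in hosts)


def profile_clusters(components, pdns, hosts):
    """Group pivoted hosts by their full component profile and report the IPs
    each profile spans. A profile recurring across many IPs is what ties
    deliberately isolated hosts into one campaign; a host sharing only one
    component (blog.example here) falls into its own cluster."""
    ip_of = {host: ip for host, ip, _ in pdns}
    clusters = defaultdict(set)
    for host in hosts:
        clusters[frozenset(components[host])].add(ip_of[host])
    return dict(clusters)


def monitor_new_resolutions(watched_ips, baseline, fresh):
    """Alert on (host, ip) pairs on watched IPs absent from the baseline."""
    seen = {(host, ip) for host, ip, _ in baseline}
    return sorted((host, ip) for host, ip, _ in fresh
                  if ip in watched_ips and (host, ip) not in seen)


if __name__ == "__main__":
    flagged = flag_components(component_reputation(WEB_COMPONENTS, BLACKLISTED))
    hosts = hosts_running(WEB_COMPONENTS, flagged)
    by_ip = pivot_to_ips(PDNS, hosts)
    print("flagged components:", sorted(flagged))
    print("hosts by IP:", by_ip)
    print("new hosts per day:", dict(new_hosts_per_day(PDNS, hosts)))
    for profile, ips in profile_clusters(WEB_COMPONENTS, PDNS, hosts).items():
        print(sorted(profile), "->", sorted(ips))
    print("alerts:", monitor_new_resolutions(set(by_ip), PDNS, FRESH_PDNS))
```

Run as-is, the script flags PHP 5.6.30 and NGINX 1.10.3, pulls in two hosts that have not yet been blacklisted, and separates the benign blog host from the campaign by its differing profile. The thresholds in `flag_components` are the analyst's judgement call: too low and every host on a common stack becomes a lead, too high and a young campaign with few incidents is missed.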
To start pivoting on these data sets for yourself, try RiskIQ PassiveTotal Community Edition for free by visiting https://www.riskiq.com/community/.