The digital threat landscape offers threat actors a plethora of resources they can use to camouflage their activities and cover their tracks, such as swaths of cheap and readily available hosts and IPs that can be continually switched out and rotated. For this reason, successfully tracking suspicious activity requires as much data as threat researchers can get their hands on.
For example, in early May, RiskIQ noticed a spike in the number of blacklist incidents associated with certain web components; in this case, certain versions of PHP and NGINX. Having identified these suspect web components with a “bad reputation,” we were able to find all hosts running them and pair that information with our PDNS data to find a total of 42 distinct IP addresses. Notably, most of these hosts were clustered on five of those IP addresses.
Scanning each of these addresses revealed that they are all dedicated to fake software scams, with host names such as “freechecknow[.]clickforultimateandbest2updatepc[.]download” and “upgrade4life[.]pressingupgradeforcontinue[.]info.”
Fig-1: A sampling of scam hosts shown inside RiskIQ PassiveTotal
Fig-2: A sample host featuring fake “Adobe Flash out of date” messages
Our PDNS data further reveals that this scammer has been setting up hundreds of hosts per day, starting on April 19. Although they tried to hide their tracks behind privacy-protected WHOIS registration and by isolating each host to a single IP, web component analysis can connect the dots across IP addresses and reveal a single, coordinated campaign.
Multiple web components and web component “profiling” can also be used to track other actors across domains and IP addresses. We wrote a short time ago about NoTrove, a prolific scam actor that uses thousands of domains and IPs to run its operations. We were able to track NoTrove through learning patterns of their operations and finding those patterns in our treasure trove of passive DNS and our scam detection engine, but another piece of the puzzle comes from web component detection.
Fig-3: A NoTrove IP
Start Pivoting for Yourself
Internet data can be sorted, classified, and monitored over time to provide a complete picture of your attackers and their evolving techniques. Infrastructure chaining leverages the relationships between these highly connected data sets, such as web components and PDNS, to build out a thorough investigation. This process is the core of Threat Infrastructure Analysis and allows organizations to surface new connections, group similar attack activity, and substantiate assumptions during incident response.
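The pivot described above (flagged web components, to the hosts running them, to passive DNS, to IP clusters and the per-day host setup rate), as an added Python example with constructed data; this is not RiskIQ code, and the component versions, IP addresses and dates are placeholders because the post does not give them.

```python
from collections import Counter, defaultdict

# Constructed "bad reputation" components. Versions are placeholders: the post only
# says "certain versions of PHP and NGINX" without naming them.
FLAGGED = {("PHP", "5.x-placeholder"), ("nginx", "1.x-placeholder")}

# Constructed web component profiles (hostname -> set of (component, version)).
WEB_COMPONENTS = {
    "freechecknow[.]clickforultimateandbest2updatepc[.]download": {("PHP", "5.x-placeholder"), ("nginx", "1.x-placeholder")},
    "upgrade4life[.]pressingupgradeforcontinue[.]info": {("PHP", "5.x-placeholder"), ("nginx", "1.x-placeholder")},
    "host-c[.]example": {("PHP", "5.x-placeholder"), ("nginx", "1.x-placeholder"), ("jQuery", "1.12")},
    "corp-site[.]example": {("PHP", "5.x-placeholder"), ("Apache", "2.4")},  # only one flagged component
    "blog[.]example": {("WordPress", "4.9"), ("nginx", "1.x-placeholder")},  # only one flagged component
}

# Constructed passive DNS resolutions: (hostname, ip, first_seen). RFC 5737 test addresses, made-up dates.
PDNS = [
    ("freechecknow[.]clickforultimateandbest2updatepc[.]download", "198.51.100.10", "2017-04-19"),
    ("upgrade4life[.]pressingupgradeforcontinue[.]info", "198.51.100.10", "2017-04-19"),
    ("upgrade4life[.]pressingupgradeforcontinue[.]info", "198.51.100.10", "2017-04-21"),  # later re-resolution
    ("host-c[.]example", "198.51.100.11", "2017-04-20"),
    ("corp-site[.]example", "203.0.113.5", "2016-11-02"),
    ("blog[.]example", "203.0.113.6", "2015-06-30"),
]


def hosts_running(flagged, components):
    """Step 1: hosts whose component profile contains *every* flagged component."""
    return {host for host, comps in components.items() if flagged <= comps}


def chain_to_ips(hosts, pdns):
    """Step 2: pair the matched hosts with PDNS to get IP -> hosts (the infrastructure pivot)."""
    by_ip = defaultdict(set)
    for host, ip, _ in pdns:
        if host in hosts:
            by_ip[ip].add(host)
    return dict(by_ip)


def first_seen_per_day(hosts, pdns):
    """Step 3: count hosts by earliest first-seen date; a burst of new hosts on one day suggests bulk setup."""
    earliest = {}
    for host, _, day in pdns:  # ISO dates compare correctly as strings
        if host in hosts:
            earliest[host] = min(earliest.get(host, day), day)
    return Counter(earliest.values())


def pivot(flagged, components, pdns):
    """Run the whole chain and return the matched hosts, their IP clusters and the daily setup rate."""
    hosts = hosts_running(flagged, components)
    return {"hosts": hosts, "ips": chain_to_ips(hosts, pdns), "per_day": first_seen_per_day(hosts, pdns)}
```

Hosts that carry only one of the flagged components (the constructed corporate and blog sites) drop out of the chain, which is the point of profiling on a combination of components rather than a single version string.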
With RiskIQ Community Edition, security teams can proactively address digital threats that are related to already observed events or alerts. Unique data sets in the RiskIQ PassiveTotal product do this by uncovering other infrastructure associated with a bad actor that might be previously unknown or difficult to associate. Security teams can block these connected sources and set up monitors to alert on changes to that infrastructure that could indicate an impending attack.
To start pivoting on these data sets for yourself, try RiskIQ PassiveTotal Community Edition for free by visiting https://www.riskiq.com/community/.