The Forrester Wave™: Digital Risk Monitoring, Q3 2016 named RiskIQ a leader in Digital Risk Monitoring, and gave RiskIQ top ranking for Current Offering & Data Coverage.
Download the Report
Get vast internet data sets and advanced analytics to hunt digital threats and defend your company’s digital footprint.
Get RiskIQ Community Edition
Ovum Report—On The Radar: RiskIQ provides external digital threat defense—learn how RiskIQ helps businesses see, manage, and mitigate web, social, and mobile threats.
Get the Analyst Report
Understand how to stay ahead of scammers like NoTrove
Join the Threatcast™ on May 18 at 11 a.m. PT/2 p.m. ET.
Save Your Seat
September 23, 2014, Peter Zavlaris
On September 18, 2014, RiskIQ detected credential-stealing malware being loaded onto users’ computers through a drive-by download at jQuery.com. The attack was carried out using RIG exploit kit to target visitors. RiskIQ was able to confirm with sources at several large organizations that users of jQuery.com were indeed redirected to this exploit kit.
The jQuery library is a very popular toolkit for developing websites with dynamic content and is widely used by developers within enterprises. According to internal jQuery research, jQuery is used by 30% of websites on the entire Internet, including 70% of the top 10,000 websites in the world.
It’s important to note that we did not observe any changes within the jQuery library itself, which was likely unaffected by this compromise. However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users. jQuery users are generally IT Systems Administrators and Web Developers, including a large contingent who work within enterprises.
Typically, these individuals have privileged access to web properties, backend systems and other critical infrastructure. Planting malware capable of stealing credentials on devices owned by privilege accounts holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.
RIG was first uncovered in April 2014 and caught the attention of Cisco researchers in June. In the past, RiskIQ and Symantec researchers have observed RIG on popular websites such as askmen.com. Typically, RIG has been observed dropping banking trojans and other information stealers.
Planting malware on open source websites is not a new technique. These websites are high value targets due to the type of users that frequent them. Several other high profile, open source websites have had this issue in the past. For example, in 2013 PHP.net suffered similar problems, along with MySQL.com in 2011.
We recommend the following if you suspect a system has been affected by this campaign:
Using our site-scanning technology, we were able to detect a change within jQuery.com. Approximately 10-15 minutes after our system detected it, we analyzed the site and detected that a malicious script tag was added. This malicious script then added an invisible iframe that redirected users to RIG exploit kit, which is typically used to drop banking trojans as well as other information stealers.
Initial content added to jQuery.com:
This malicious redirector was hosted in Russia on a domain that was registered on September 18, the morning of the attack. We believe that this domain was intended specifically to blend into the website.
After verifying that the site was indeed redirecting users to a malware dropper, we immediately contacted jQuery.com to alert them to the attack. While they weren’t able to determine the root cause of the attack, the site’s administrators were addressing the issue.
Hitting this redirector, we continued to be redirected to the RIG exploit kit, even though we weren’t able to replicate the script injection on jQuery.com with subsequent requests.
As of this writing, jquery-cdn[.]com was still up and redirecting users to RIG exploit kit.
Information about the domain:
Domain Name: jquery-cdn[.]com
Created On: 2014-09-18
Expiration Date: 2015-09-18
jquery-cdn.com. 5774 IN A 220.127.116.11
Whois information on the hosting provider:
inetnum: 18.104.22.168 – 22.214.171.124
descr: Selectel Ltd.
status: ASSIGNED PA
source: RIPE # Filtered
The exploit kit is hosted at the same hosting provider:
woitp[.]bestburaco[.]com -> 126.96.36.199
inetnum: 188.8.131.52 – 184.108.40.206
descr: Selectel Network
Please download our detailed incident report and review these frequently asked questions for more information.
We will continue to monitor this situation and post any updates in this blog. In the meantime, jQuery.com users should scan their systems for malware.
Back to RiskIQ Blog