Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
On September 18, 2014, RiskIQ detected credential-stealing malware being loaded onto users’ computers through a drive-by download at jQuery.com. The malware attack was carried out using RIG exploit kit to target visitors. RiskIQ was able to confirm with sources at several large organizations that users of jQuery.com were indeed redirected to this exploit kit.
The jQuery library is a very popular toolkit for developing websites with dynamic content and is widely used by developers within enterprises. According to internal jQuery research, jQuery is used by 30% of websites on the entire Internet, including 70% of the top 10,000 websites in the world.
It’s important to note that we did not observe any changes within the jQuery library itself, which was likely unaffected by this compromise. However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users. jQuery users are generally IT Systems Administrators and Web Developers, including a large contingent who work within enterprises.
Typically, these individuals have privileged access to web properties, backend systems and other critical infrastructure. Planting malware capable of stealing credentials on devices owned by privilege accounts holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.
RIG was first uncovered in April 2014 and caught the attention of Cisco researchers in June. In the past, RiskIQ and Symantec researchers have observed RIG on popular websites such as askmen.com. Typically, RIG has been observed dropping banking trojans and other information stealers.
Planting malware on open source websites is not a new technique. These websites are high value targets due to the type of users that frequent them. Several other high profile, open source websites have had this issue in the past. For example, in 2013 PHP.net suffered similar problems, along with MySQL.com in 2011.
We recommend the following if you suspect a system has been affected by this campaign:
Using our site-scanning technology, we were able to detect a change within jQuery.com. Approximately 10-15 minutes after our system detected it, we analyzed the site and detected that a malicious script tag was added. This malicious script then added an invisible iframe that redirected users to RIG exploit kit, which is typically used to drop banking trojans as well as other information stealers.
Initial content added to jQuery.com:
This malicious redirector was hosted in Russia on a domain that was registered on September 18, the morning of the malware attack. We believe that this domain was intended specifically to blend into the website.
After verifying that the site was indeed redirecting users to a malware dropper, we immediately contacted jQuery.com to alert them to the malware attack. While they weren’t able to determine the root cause of the malware attack, the site’s administrators were addressing the issue.
Hitting this redirector, we continued to be redirected to the RIG exploit kit, even though we weren’t able to replicate the script injection on jQuery.com with subsequent requests.
As of this writing, jquery-cdn[.]com was still up and redirecting users to RIG exploit kit.
Information about the domain:
Domain Name: jquery-cdn[.]com
Created On: 2014-09-18
Expiration Date: 2015-09-18
jquery-cdn.com. 5774 IN A 126.96.36.199
Whois information on the hosting provider:
inetnum: 188.8.131.52 – 184.108.40.206
descr: Selectel Ltd.
status: ASSIGNED PA
source: RIPE # Filtered
The exploit kit is hosted at the same hosting provider:
woitp[.]bestburaco[.]com -> 220.127.116.11
inetnum: 18.104.22.168 – 22.214.171.124
descr: Selectel Network
Please download our detailed incident report and review these frequently asked questions for more information.
We will continue to monitor this situation and post any updates in this blog. In the meantime, jQuery.com users should scan their systems for malware.
Back to RiskIQ Blog
What are the keys to a Modern Vulnerability Risk Management Program? On Tuesday, @joshuamayfield and @josh_zelonis will examine why defending your organization's digital attack surface starts with being able to discover unknowns and investigate threats: https://t.co/kCxgPW0Ckb
IGNITE is just 10 days away! RSVP now to kick off #RSAC and party with Flashpoint, @elastic, @ThreatQuotient, @Siemplify, and @RiskIQ: https://t.co/hnlh0UhHEo
The largest UK #GDPR fine was £183m in 2018 as B.A. booking website was hit by Magecart ccard skimming code. @RiskIQ worked with https://t.co/E3JRdvCMWA and Shadowserver to take down the malicious domains. https://t.co/iiH69vbKFK
The theme of this year's @cctxcanada 4th annual collaboration event is "Give and Take: Why helping others drives our success." RiskIQ's Geoff Roote explains the modern Internet Attack Surface and why defending the web is a collaborative community effort.