Executive Guardian
Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
On September 18, 2014, RiskIQ detected credential-stealing malware being loaded onto users’ computers through a drive-by download at jQuery.com. The malware attack was carried out using RIG exploit kit to target visitors. RiskIQ was able to confirm with sources at several large organizations that users of jQuery.com were indeed redirected to this exploit kit.
The jQuery library is a very popular toolkit for developing websites with dynamic content and is widely used by developers within enterprises. According to internal jQuery research, jQuery is used by 30% of websites on the entire Internet, including 70% of the top 10,000 websites in the world.
It’s important to note that we did not observe any changes within the jQuery library itself, which was likely unaffected by this compromise. However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users. jQuery users are generally IT Systems Administrators and Web Developers, including a large contingent who work within enterprises.
Typically, these individuals have privileged access to web properties, backend systems and other critical infrastructure. Planting malware capable of stealing credentials on devices owned by privilege accounts holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.
RIG was first uncovered in April 2014 and caught the attention of Cisco researchers in June. In the past, RiskIQ and Symantec researchers have observed RIG on popular websites such as askmen.com. Typically, RIG has been observed dropping banking trojans and other information stealers.
Planting malware on open source websites is not a new technique. These websites are high value targets due to the type of users that frequent them. Several other high profile, open source websites have had this issue in the past. For example, in 2013 PHP.net suffered similar problems, along with MySQL.com in 2011.
We recommend the following if you suspect a system has been affected by this campaign:
Technical Details:
Using our site-scanning technology, we were able to detect a change within jQuery.com. Approximately 10-15 minutes after our system detected it, we analyzed the site and detected that a malicious script tag was added. This malicious script then added an invisible iframe that redirected users to RIG exploit kit, which is typically used to drop banking trojans as well as other information stealers.
Initial content added to jQuery.com:
Redirection Sequence:
This malicious redirector was hosted in Russia on a domain that was registered on September 18, the morning of the malware attack. We believe that this domain was intended specifically to blend into the website.
After verifying that the site was indeed redirecting users to a malware dropper, we immediately contacted jQuery.com to alert them to the malware attack. While they weren’t able to determine the root cause of the malware attack, the site’s administrators were addressing the issue.
Hitting this redirector, we continued to be redirected to the RIG exploit kit, even though we weren’t able to replicate the script injection on jQuery.com with subsequent requests.
As of this writing, jquery-cdn[.]com was still up and redirecting users to RIG exploit kit.
Information about the domain:
Domain Name: jquery-cdn[.]com
Created On: 2014-09-18
Expiration Date: 2015-09-18
Hosted at:
jquery-cdn.com. 5774 IN A 46.182.31.77
Whois information on the hosting provider:
inetnum: 46.182.28.0 – 46.182.31.255
netname: SELECTEL-NET
descr: Selectel Ltd.
country: RU
admin-c: AKME
tech-c: AKME
status: ASSIGNED PA
mnt-by: MNT-SELECTEL
source: RIPE # Filtered
The exploit kit is hosted at the same hosting provider:
woitp[.]bestburaco[.]com -> 31.186.100.67
inetnum: 31.186.100.0 – 31.186.103.255
descr: Selectel Network
admin-c: akme
tech-c: akme
Please download our detailed incident report and review these frequently asked questions for more information.
We will continue to monitor this situation and post any updates in this blog. In the meantime, jQuery.com users should scan their systems for malware.
Back to RiskIQ Blog
RiskIQFollow
It's near impossible to hide online. Even ‘stealth’ executives are at risk for serious security breaches https://t.co/MRKhZbAW7i
Nick Gicinto,Vice President, Executive Guardian @RiskIQ on stage #SINETCanada #cybersecurity @FSToronto, @SINETConnection
Automation: the key to fighting cybercriminals https://t.co/dkx9Y3NApF
Coming to CyberHub Summit? Find out how RiskIQ's internet-wide visibility and unmatched data are helping the c-suite cope with a rapidly changing cybersecurity landscape https://t.co/IMaU5tLJfc
Today! Visit us at booth #1486 at #GSX2019 to find out how RiskIQ #ExecutiveGuardian is giving today's top executives a continuous 360-degree view of their attack surface.
