Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Newly registered domains are an effective tool for threat actors.
Threat actors often create new infrastructure quickly, engaging in their attack campaigns and then ducking and running in a matter of hours or even minutes. From a security perspective, there are very few reasons someone would need to visit a domain that has just come online; likely, they were sent there via a URL from a malicious campaign.
Here at RiskIQ, we analyze quite a bit of the internet on a daily basis, and one of the insights that come with this is that we should treat newly registered domains with quite a bit more suspicion than established ones. With the large quantity of cheap and free domain registrations available out there, threat actors are using newly registered domains to prop up disposable websites to aid in their activities quickly and efficiently.
As an example, here’s an adult website from a recent RiskIQ blacklist incident showcases the trouble with newly registered domains with one of its dependent requests. An iframe on the page has a source of hxxp://procese[.]info/banners/uaps?, which, at the time of the crawl, had only been registered for fourteen days, an indicator that it may be part of malicious infrastructure:
Fig-1 PDNS data inside RiskIQ PassiveTotal showing when this domain began resolving
This specific URL does a couple of different things. The first is it runs a function called “getBrowser” which does exactly what you would expect it to do: grabbing the browser user agent and some other information to attempt to find out if the potential victim is a bot or not.
Fig-2 Part of the getBrowser function
If the victim’s information did not match certain criteria, a variable would be set to true. This variable is later checked, and if set to true, the page would be changed to look like a 404 message from an Apache Debian Server. However, RiskIQ’s crawlers were created to mimic real users and could easily bypass this page’s fingerprinting attempts. Because of this unique capability, the crawler reached the second part of the page. Once it was decided that there was no bot, the “victim” was sent elsewhere:
The next page the crawlers were sent to was a URL on hxxp://ssd.onlinedisabilityinsurancesanantonio[.]com. A look at the raw page XML showed the following:
Fig-4 Part of the raw page XML
This chunk of code is part of the base 64 encoded RIG exploit kit that is waiting for the redirected victims to be redirected to the malicious landing page. RIG is a common exploit kit that uses several layers of obfuscation to attempt to deliver its various payloads, with the end goal of downloading malware onto the victim’s computer.
Find Newly Registered Domains with RiskIQ Data
New or recently created domains may help confirm suspicions about malicious activity, as many domains are registered shortly before staging an attack. This may indicate dedicated attacker domain ownership and can strengthen an observation’s value as an indicator of compromise. On the other hand, domains with older registration dates may indicate the use of compromised hosts, hijacked domains, or purchase of older domains from a reseller service.
WHOIS is a protocol that lets anyone query for ownership information about a domain, IP address, or subnet. RiskIQ has a vast database of WHOIS data, which is available to query for registrant information. WHOIS records provide information that includes the name, email address, street address, and phone number of the individual who registered the domain, but also the date it was registered.
Organizations can also use the RiskIQ Newly Observed Domains data set to systematically block new domains (via a web filter or firewall) for a set amount of time after they’re first observed. This can act as an added layer of protection against quick attack campaigns.
RiskIQ data sets can be used by security professionals and threat analysts to connect the dots between threat infrastructure and understand the attack vectors and patterns used by attackers. Register for RiskIQ Community for free to begin using data sets such as newly observed domains and start surfacing threats against your organization.
We're #ThreatHunting in D.C.! The #infosec community is out in force to learn how to supercharge their investigations with RiskIQ's advanced data sets inside the @PassiveTotal platform.
Via @Forbes, RiskIQ research finds over 18,000 websites infested with #Magecart card-skimming #malware https://t.co/dKSfziG3dr #ecommerce
Just Launched! Adam Hunt of @riskIQ and Fredrik Nilsson of @axisipvideo discuss #cybersecurity, #IoT, and the threat of regulatory fines from #dataprivacy breaches on the latest Inside @ForbesCouncils #podcast! https://t.co/G0UoPfQCHf