Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
2018 Holiday Shopping Season Threat Activity: A Snapshot
The 2018 holiday shopping season was the largest ever for online retailers, but threat actors filled their pockets, too.
So what did the threat activity around this shopping frenzy look like?
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
Much like a roofing company chasing a hail storm, when there’s a heavily publicized event, a cyber attacker will take advantage of it to seek out new victims. Therefore, cybersecurity professionals should also follow headlines when they hunt for opportunistic threat activity.
Because of the current political news, I searched for a presidential candidate’s name (perhaps you’ve heard of her?) within our data and stumbled across a Neutrino Exploit Kit landing page. Combining the click-enticing appeal of hot-button political headlines with the perimeter-piercing capability of domain shadowing, this example had all the makings of a successful payload delivery.
This particular crawl was flagged by RiskIQ’s system at multiple stages, including the ad server—which was potentially hacked, the malicious redirector, and the Neutrino EK landing page. You can view the details for each stage via the following links:
Possibly Hacked Ad Server>
Neutrino EK Landing Page>
The following sequence overview gives a good idea of the events that lead to the landing page:
Fig-1 Sequence as seen inside RiskIQ
Here’s the Neutrino code snippet:
Fig-2 Neutrino code snippet from RiskIQ captured from web crawl
Originally, it was thought that this domain was resolving briefly to a Russian IP address, but after looking inside PassiveTotal, RiskIQ’s proprietary threat research tool, it looks like the actor just switched IP addresses and is continuing to operate on the new infrastructure:
Fig-3 Inside PassiveTotal, it’s evident the threat actor switched IPs
Taking a step back, let’s look at the child pairs for the second-level domain using PassiveTotal’s Maltego transforms. It shows several alleged domains shadowing victims while the diagram illustrates that an iframe is pushing traffic to these domains—similar to the sequence above.
Fig-4 A look inside Maltego
For a list of web components, which commonly reveal additional A records, visit PassiveTotal today (free accounts are welcome):
Fig-5 PassiveTotal web components
So there you have it—this campaign is still fresh, and we’re still tracking it at RiskIQ.
To continuously monitor this threat actor’s movements, go ahead and pivot around in PassiveTotal. PassiveTotal harnesses the power of big data analytics to surface the footprint of an attacker, making threat investigations and incident response quicker than ever before—we’ve even added new datasets and features to the platform to enhance threat analysis and data visualization.
Questions? Feedback? Email email@example.com to contact our research team.
Webcast: Learn how #webskimming attacks work and what organizations can do to protect themselves with @RiskIQ | 4/18 @ 3:30PM ET | https://t.co/1Qe36D9NW1
Today is the deadline to file your taxes, but threat actors didn’t procrastinate. Download @RiskIQ’s 2019 #TaxSeason Threat Roundup for data and analysis around the threat landscape facing taxpayers this year https://t.co/ALAepevk15 #phishing #mobilethreats
Tax Hacks: How Seasonal Scams Cause Yearlong Problems https://t.co/QuqeibM9Xl by @kellymsheridan #taxday #taxtips #fraud #cybercrime
This #phishing page is a copy of an online IRS form for updating electronic #tax information.
A new report found 1,235 instances of similar phishing sites targeting online tax filers, and 468 suspicious URLs.
Via @forbes: Before, cyber security was practiced within the confines of the firewall, but should now traverse the entire internet https://t.co/Bg1vwGhwpp #AttackSurfaceManagement #Infosec