Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Much like a roofing company chasing a hail storm, when there’s a heavily publicized event, a cyber attacker will take advantage of it to seek out new victims. Therefore, cybersecurity professionals should also follow headlines when they hunt for opportunistic threat activity.
Because of the current political news, I searched for a presidential candidate’s name (perhaps you’ve heard of her?) within our data and stumbled across a Neutrino Exploit Kit landing page. Combining the click-enticing appeal of hot-button political headlines with the perimeter-piercing capability of domain shadowing, this example had all the makings of a successful payload delivery.
This particular crawl was flagged by RiskIQ’s system at multiple stages, including the ad server—which was potentially hacked, the malicious redirector, and the Neutrino EK landing page. You can view the details for each stage via the following links:
Possibly Hacked Ad Server>
Neutrino EK Landing Page>
The following sequence overview gives a good idea of the events that lead to the landing page:
Fig-1 Sequence as seen inside RiskIQ
Here’s the Neutrino code snippet:
Fig-2 Neutrino code snippet from RiskIQ captured from web crawl
Originally, it was thought that this domain was resolving briefly to a Russian IP address, but after looking inside PassiveTotal, RiskIQ’s proprietary threat research tool, it looks like the actor just switched IP addresses and is continuing to operate on the new infrastructure:
Fig-3 Inside PassiveTotal, it’s evident the threat actor switched IPs
Taking a step back, let’s look at the child pairs for the second-level domain using PassiveTotal’s Maltego transforms. It shows several alleged domains shadowing victims while the diagram illustrates that an iframe is pushing traffic to these domains—similar to the sequence above.
Fig-4 A look inside Maltego
For a list of web components, which commonly reveal additional A records, visit PassiveTotal today (free accounts are welcome):
Fig-5 PassiveTotal web components
So there you have it—this campaign is still fresh, and we’re still tracking it at RiskIQ.
To continuously monitor this threat actor’s movements, go ahead and pivot around in PassiveTotal. PassiveTotal harnesses the power of big data analytics to surface the footprint of an attacker, making threat investigations and incident response quicker than ever before—we’ve even added new datasets and features to the platform to enhance threat analysis and data visualization.
Questions? Feedback? Email firstname.lastname@example.org to contact our research team.
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.
Enrich @Splunk security with attacker-facing asset discovery. Build reports, dashboards, identify vulnerabilities, and enable proactive attack surface management. Learn more and get the app! https://bit.ly/38wV3rm
Security in Google Play is improving, but bad actors can still place mobile apps there. In 2019, RiskIQ detected 25,647 blacklisted apps in the Google Play Store.
'Joker' Android Malware Pulls Another Trick to Land on Google's Play Store http://ow.ly/xniR50AuqJ6 by @jaivijayan #Android #malware #GooglePlay #mobile
Digital change expands what lives outside the firewall. We checked and counted up what we saw. Get the report and take command of your digital attack surface. https://bit.ly/3cOzJ0T
Ready to achieve #ThreatHunting mastery? Check out our most recent threat hunting workshop - we'll show you how to discover unknowns and investigate threats across your organization's attack surface https://bit.ly/2BUDF3V
As the pandemic rages on, we have an election coming up and that brings another round of targeted and themed attacks. RiskIQ Security Intelligence Services Add-on for Splunk helps you extend your program, protecting your organization and constituents. #protect2020 https://twitter.com/RiskIQ/status/1281241793040916483
RiskIQ Security Intelligence Services for @Splunk puts our unmatched internet telemetry at the fingertips of Splunk users, a powerful shield from the onslaught of cybercrime leveraging current events such as #COVID19 and the election. Read more: https://bit.ly/2Oa8ZhH