A recent RiskIQ web crawl of pcipolicyportal.com, a site that sells pre-built payment card industry (PCI) policy templates for merchants looking to ensure that they're PCI compliant, discovered a little bit of irony. It found that the site is leading visitors to malware.
Because our web crawl technology works as an emulated human user with a fully instrumented browser, it can take note of page details like links, images, and dependent content. With this data, we can reconstruct an event and what led to it—just like a detective might do at a crime scene.
This particular web crawl tells us the website is driving traffic to the "Indyiframe" malicious redirector. Based on the components of the page captured by the web crawlers, the website was most likely compromised because it was running an out-of-date WordPress installation.
Made up of a combination of standard servers and mobile cell providers that act as egress points deployed all over the world, our proxy network of virtual users provides the perfect cover for our web crawling infrastructure. As you can see, our residential proxies—located in Japan in this case—picked this up, which may indicate that the cyber threat actors are using some kind of filtering to prevent non-residential IP addresses from receiving the injected code.
Pretending to be a victim browsing from a residence gives the web crawling infrastructure a higher likelihood of going undetected, observing and logging a full exploitation chain as we did here. This just goes to show that keeping third-party web components up to date is crucial, and that any site—even ones preaching the importance of compliance—can fall victim.
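The cloaking behaviour described above can be checked for on your own site by comparing the dependent content (iframes, scripts) a page serves to a datacenter vantage point with what it serves to a residential one; anything that only shows up in the residential view deserves a look. The following is an added example, not RiskIQ's crawler code; the two HTML samples are constructed, and the redirector URL is a placeholder rather than the real "Indyiframe" address.

```python
"""Diff the dependent content a page serves to two vantage points and flag
resources that appear only in one of them (a sign of IP-based cloaking).
Added example with constructed input; the iframe URL is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class DependentContentParser(HTMLParser):
    """Collect external iframe/script sources, noting iframes styled to be hidden."""

    def __init__(self):
        super().__init__()
        self.resources = set()  # (tag, src, hidden, off_site)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag not in ("iframe", "script") or not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            "display:none" in style or "visibility:hidden" in style
            or a.get("width") == "0" or a.get("height") == "0")
        off_site = urlparse(src).netloc not in ("", self.site_host)
        self.resources.add((tag, src, hidden, off_site))


def dependent_content(html, site_host):
    parser = DependentContentParser()
    parser.site_host = site_host
    parser.feed(html)
    return parser.resources


def cloaking_diff(datacenter_html, residential_html, site_host):
    """Return resources served only to the residential view, sorted for stable output."""
    base = dependent_content(datacenter_html, site_host)
    residential = dependent_content(residential_html, site_host)
    return sorted(residential - base)


# Constructed samples: the same WordPress page as fetched from a datacenter IP
# and from a residential IP; the extra hidden iframe points at a placeholder host.
SITE_HOST = "example.com"
DATACENTER_VIEW = """<html><head><script src="/wp-includes/js/jquery.js"></script>
</head><body><p>Buy PCI policy templates</p></body></html>"""
RESIDENTIAL_VIEW = DATACENTER_VIEW.replace(
    "</body>",
    '<iframe src="http://redirector.invalid/in.cgi" width="0" height="0" '
    'style="display:none"></iframe></body>')
```

Run `cloaking_diff(DATACENTER_VIEW, RESIDENTIAL_VIEW, SITE_HOST)` to see the hidden, off-site iframe reported; a clean site returns an empty list for both views.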
Remember, RiskIQ customers are notified of vulnerabilities like outdated versions of WordPress and alerted to the presence of malicious redirectors like this, which would appear as "Indyiframe" in their RiskIQ instance.
Questions? Feedback? Email email@example.com to contact our research team.