Blog

External Threat Management

Infosec 2020: RiskIQ Looks Ahead to a New Decade of Cybersecurity

2020 will see organizations continue to shift digital interactions closer to customers and launch innovative methods for marketing, advertising, and selling their products online. While this will continue to bring great rewards for businesses, it will also increase risk over the coming year. 

Cybercriminals always move to where the money is, whether it's mass cloud migrations, booming e-commerce, or a hot cryptocurrency market. The cybersecurity industry must respond to this development by working closely with businesses to develop new ways to keep the data of both organizations and consumers secure.

As the cybersecurity industry heads into a new year and a new decade, many of the threats we'll see will be an acceleration of the developments of previous years. Welcome to Infosec 2020, RiskIQ's predictions for the year ahead and beyond.

CISOs who can't attribute threats won't survive. 

Security is now a business input, and CEOs want to know how their organization's security posture affects the business as a whole. With breaches and other security incidents causing multi-million-dollar losses, the C-suite is asking their security teams for context around incidents. CISOs must invest in the talent and technology to answer questions like: How did we get targeted? Why are we an attractive target, and by whom? What other organizations did these attackers hit, and what about our business made us a target? What can we do to respond?

Labs

Full(z) House: A Digital Crime Group Using a Full Deck to Maximize Profits

RiskIQ continuously investigates incidents of digital crime as we observe them on the web. Monitoring changes to crime groups and the evolution of their tactics is essential to continue to detect them effectively and stay ahead of the bad guys. With Magecart, we followed the crime syndicate's first group and carefully analyzed its skimming code. As new Magecart groups materialized with unique code and tactics, we built on our Magecart base knowledge to get better and better at detecting Magecart and other forms of web skimming.

In this article, we will discuss our insights into a criminal group that maximizes their profit by working in two ecosystems that are typically distinct: phishing and web skimming. By leveraging a tactic with which they had tons of experience, phishing, they could double-dip into one with which they had less expertise, web skimming.

By combining tactics, this group was playing with a full deck when it came to stealing financial data—introducing Full(z) House.

Malwarebytes previously published an article highlighting a small piece of this group's card-skimming activity.

External Threat Management

RiskIQ’s 2019 Black Friday E-commerce Blacklist Report: Crucial Intel for Thanksgiving Weekend

This Thanksgiving weekend, you can be sure that cybercriminals will be getting their fill, too.

In 2018, Black Friday pulled in a record $6.2 billion in online sales, a growth of 23.6% from 2017. Then, Cyber Monday became the most popular day for e-commerce sales ever, amassing $7.8 billion. With online spending this Black Friday and Cyber Monday projected to set yet another record in 2019, cyberattackers are showing that they're out to get a piece of the online shopping pie.

Already, these bad holiday actors are impersonating the brands of leading e-tailers and exploiting the poor security habits of consumers to fool shoppers looking for Black Friday deals, sales, and coupons. They're creating fake mobile apps and landing pages to trick users into downloading malware, visiting compromised sites, or giving up their login credentials and credit card information.

Meanwhile, Magecart, a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms, will thrive over Black Friday and Cyber Monday. Magecart is responsible for placing skimmers on scores of e-commerce sites, and RiskIQ is alerted to new Magecart breaches hourly. With this influx of e-commerce activity, Magecart actors will be working overtime.

To compile crucial intelligence for both consumers and brands around this season's Thanksgiving shopping weekend, RiskIQ developed our 2019 Black Friday E-commerce Blacklist report. The report analyzes the results of keyword queries against our global blacklist and mobile app database, RiskIQ's extensive repositories of cyber threat data compiled over ten years of crawling and passively sensing the web. Specifically, we looked at the ten most trafficked* e-commerce brands over Thanksgiving weekend.

External Threat Management

Five Momentous Examples of Executive Threats and How to Prevent Them

Many executives focus their security efforts and budgets solely on physical threats, but attacks targeting an executive's digital presence can be just as dangerous.

Criminals are looking to exploit the wealth of high-profile and high-net-worth individuals—or cause them embarrassment or personal harm—at an unprecedented rate. And, as the most abundant source of company secrets and IP, executives are a primary attack vector into their businesses too.

Attacks on VIPs involve attempts at accessing their sensitive information and span both the real world and the web. Because of their digital and physical vulnerabilities, protecting them requires a 360-degree view of their attack surface, i.e., anything related to their physical or digital presence that can be used against them. But to defend an executive's attack surface, you first have to define it.

Today, developing a plan to protect an executive, and in turn their families and businesses, means understanding what information should be considered sensitive and having the tools to monitor the internet for it. References to names and addresses of the individual and their family and associates on forums, malicious rhetoric toward them, and the presence of leaked sensitive data are all crucial intelligence. This internet-wide visibility provides security teams with invaluable information and context not only about potential cyberattacks, but also about attacks that may occur in the real world.

The top historic executive threats demonstrate how seemingly insignificant information has enabled completely preventable incidents. These top-five examples of threats to executives illustrate the overlap between the physical and the digital threat landscapes.

External Threat Management

The Q2 2019 Mobile Threat Landscape: Blacklisted Apps Increase 20%, Cyber Attackers Target Tax Season, Surveillance Apps Wreak Havoc

The digital revolution is causing businesses to invest significantly in mobile, where they can make more frequent and more meaningful interactions with employees, prospects, and customers. Global app spending hit $101 billion in 2018 and is expected to surpass that this year. Mobile is a significant portion of the overall corporate attack surface, and one where security teams often suffer from a lack of visibility.

For the past ten years, RiskIQ's discovery platform has mapped the global mobile threat landscape. It now monitors more than 120 mobile app stores around the world and scans nearly two billion resources daily to look for mobile apps in the wild. With this internet-wide telemetry, RiskIQ observes and categorizes the threat landscape as a user would see it, downloading, analyzing, and storing every app we encounter while recording changes and new versions.

In our Q2 2019 Mobile Threat Landscape report, we provide an overview of the quarter and dive into emerging trends you need to know for the rest of the year.

For the second consecutive quarter, blacklisted apps spiked 20%, increasing from 44,850 to 53,955 and accounting for over 2% of all apps in RiskIQ's dataset. Blacklisted apps are apps that appear on at least one blacklist such as VirusTotal, which, per its website, inspects files or web pages with over 70 antivirus products and other tools. A blacklist hit from VirusTotal shows that at least one vendor has flagged the file as suspicious or malicious.

The percentage of blacklisted apps relative to the total number of apps known by RiskIQ also increased for the second straight quarter, jumping from 1.95% to 2.1%. These blacklisted apps feature a host of familiar threats such as brand imitation, phishing, and malware. The mobile threat landscape also saw cyber attackers leveraging tax season with malicious and fraudulent apps meant to fool consumers filing their taxes into downloading them.

External Threat Management

RiskIQ Named Strong Performer in The Forrester Wave™: Vulnerability Risk Management, Q4 2019

For the past decade, RiskIQ has been helping organizations discover and manage risk across their digital attack surface. Since our inception, we've continued to enhance our capabilities and data sets to uncover more of the internet and better understand how attackers interact with it. Now, RiskIQ is proud to have been named a strong performer in The Forrester Wave™: Vulnerability Risk Management, Q4 2019, which recognized our platform as "a strong tool to have in your vulnerability management toolbox."

With breaches of businesses via internet-connected digital assets making headlines every day, the need for organizations to manage their full attack surface, from inside the network to all that lies beyond the firewall, is gaining serious momentum. Today's internet-scale threats can overwhelm the defenses of businesses that lack visibility into their vulnerable digital assets, which makes vulnerability risk management (VRM) a crucial element of attack surface management.

According to the Forrester Wave report, VRM is a four-stage process involving asset management, vulnerability enumeration, prioritization, and remediation. One of the new capabilities evaluated in The Forrester Wave™: Vulnerability Risk Management, Q4 2019, was how well these products help organizations with digital footprinting to understand what internet-exposed assets they may not be aware of. Traditional security scanners, which can only identify and scan a portion of an organization's external attack surface, have failed to help businesses adequately manage their digital risk because they cannot provide a full inventory of internet-facing assets.

With a sophisticated sensor network working in tandem with virtual users, RiskIQ has been assisting customers in finding digital assets connected to their attack surface for over a decade. By building an inventory of digital assets and issuing alerts as soon as someone in the company stands up something new, vulnerability and pen-testing teams can build a better picture of what their organization looks like to attackers. In RiskIQ's view, it is because of these capabilities that it was described in the Forrester report as "a strong tool to have in your vulnerability management toolbox."

Because our virtual user network continually interacts with these assets and downloads their page content, our platform can also help determine which page components are vulnerable. These include third-party software components such as frameworks, programming languages, and client-side JavaScript libraries. This unique capability finds assets with security misconfigurations and applications showing indications of compromise, identifying exactly where they reside.

Labs

LNKR: More than Just a Browser Extension

LNKR is malware that uses browser extensions for Chrome to track users' browsing activity and overlay ads on legitimate sites. Using extensions to add code that executes in a user's browser is a common and lucrative monetization technique on the internet, where spyware, adware, and other browser-based nuisances have thrived since the early days.

LNKR spreads via illegitimate browser extensions, which add malicious JavaScript to web pages a user visits. This code allows LNKR to record browser sessions to identify frequently visited sites and to overlay ads that threat actors monetize. However, LNKR is a bit more robust than your average malicious browser extension—it also looks for pages to which a user has write access and can edit. With this access, the cyber threat can inject JavaScript code directly into the site to spread beyond the limited scope of a browser extension. While we have not observed LNKR uploading any external JavaScript other than its own, the ability to inject JavaScript allows threat actors to upload any kind they want, including Magecart or other malware.

Seeing the Cyber Threat

RiskIQ crawlers don't install extensions, but the data we collect from our global discovery platform gives us unique insight into the LNKR threat. We can use known LNKR command and control (C2) domains and our Host Pairs data set to determine whether any inventoried infrastructure was making calls to these C2 domains.

Host pairs are unique relationships between pages that RiskIQ observes when we crawl a web page. Each pair has a direction (child or parent) and a cause that outlines the connection between the two hosts. These values provide insight into redirection sequences, dependent requests, or specific actions within a web page when it loads. What makes this data set powerful is the ability to understand relationships between hosts based on details from visiting the actual page.

External Threat Management, Magecart

Magecart: New Research Shows the State of a Growing Threat

Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms. It's also fundamentally changing the way we view browser security.

A global phenomenon, Magecart is threatening the ability of consumers worldwide to shop online safely by stealthily intercepting their credit card data via their browser without the consumer's or website owner's knowledge. Although it's just now getting global attention, Magecart has been active for nearly ten years—RiskIQ's earliest Magecart observation occurred on August 8th, 2010.

Magecart works by operatives gaining access to websites, either directly or via third-party services in supply-chain attacks, and injecting malicious JavaScript that steals the data shoppers enter into online payment forms, typically on checkout pages. Quietly, it's eating away at the e-commerce industry because website owners lack visibility into the code that's running on their site, which is a bigger problem than most people realize. Skimming code can exist on a breached website for weeks, months, or even indefinitely, victimizing any visitor who makes purchases on that site.

RiskIQ's global discovery platform gathers internet-wide telemetry that enables us to view websites as Magecart actors do, a unique perspective that provides unmatched visibility into this surging threat. In our latest report, we share the valuable insights gleaned from this telemetry data, which yields critical insight into the state of Magecart, whose skimmers have appeared over two million times and directly breached over 18,000 hosts.

External Threat Management

RiskIQ Named CIO Favorite at Innovation CONNECT CIO Technology Day

For as rapidly as business changes, the threat landscape changes even faster. CIOs and other business leaders are realizing that they must rethink cybersecurity to catch up.

With cybersecurity risk outside the firewall now a top-of-mind priority for CIOs, RiskIQ's ability to bring the massive scope of an organization's attack surface into focus helped secure the CIO Favorite award at Innovation CONNECT CIO Technology Day. The award is given to the company in which CIO attendees would most want to invest if they had significant capital to fund a startup.

Addressing the gap between security inside the firewall and security outside the firewall was of particular interest at the forum, which features 30 companies selected from over 200 startups. These entrepreneurs present to an audience of CIOs, who choose which presentations to watch based on their interests. With a presentation about managing the exposures created by digital initiatives such as cloud migrations, RiskIQ CEO Lou Manousos had one of the biggest audiences of the day.

In his pitch, Lou explained RiskIQ's unique value in helping businesses understand their attack surface as they grow their digital presence. He demonstrated that RiskIQ's global discovery platform, which contains data sets built from crawling the internet for over a decade, is a unique value proposition. The audience quickly realized that RiskIQ is an essential tool for addressing cybersecurity risk in a quickly evolving cyberthreat landscape.
