External Threat Management Magecart

RiskIQ Launches JavaScript Threats Solution Amidst Surge in Browser-based Cyber Attacks

Browser-based cyber attacks append malicious JavaScript to websites once every five minutes, according to RiskIQ detection data. These cyber attacks, such as web-skimming, cryptocurrency mining, fingerprinting, and waterholing encounters, are responsible for some of the most high-profile breaches in recent history. These digital security breaches include the hack of British Airways, which led to cyber threat actors intercepting credit card data for thousands of customers.

The BA breach, surfaced by RiskIQ last fall, was carried out by the crime syndicate Magecart. Most recently, a sophisticated Magecart group compromised thousands of sites with a supply chain cyber attack targeting misconfigured Amazon S3 buckets.

In the months and years to come, new breeds of these web skimming cyber attacks will likely emerge, whether by new or existing Magecart groups. Payment data is currently the focus, but they will pivot to skim other information such as login credentials. These cyber attacks can take the form of direct compromises to digital security or supply chain compromises in which third-party JavaScript, such as analytics code, is compromised. Supply chain cyber attacks give perpetrators massive reach by granting them access to potentially thousands of sites at once.

Lucrative for perpetrators, cybercrime syndicates have created entire economies around JavaScript attacks with vibrant markets emerging for stolen data, web skimmers, and compromised websites. Meanwhile, businesses are left to weather the reputational and financial damage with loss of market share, lawsuits, and punitive regulatory fines.

The material damages to businesses from JavaScript attacks took sharp focus earlier this month when the first post-GDPR fine was imposed against British Airways for the breach of its digital security. The proposed amount of £183m represents 1.5% of BA's 2017 revenues and dwarfs the largest pre-GDPR fine levied by the UK's Information Commissioner's Office (ICO) of £500,000.

Continue Reading
External Threat Management

The Future of Machine Learning is Adversarial

Machine learning is becoming more critical to cybersecurity every day. As I've written before, it's a powerful weapon against the large-scale automation favored by today's cyber threat actors, but the dynamic between cyber attackers and defenders is evolving. 

Nowadays, machine learning is mostly used by cyber security software to ingest massive quantities of data and identify cyber threats, but that will all soon change as increasingly sophisticated cybercriminals tap into their own machine learning tools to counter this. The early stages of this malicious machine learning will likely take the form of bad guys directly targeting the good guys' algorithms directly to sabotage, mislead, and reverse-engineer them.

We're on the precipice of the age of adversarial machine learning, where dueling algorithms will determine an organization’s cyber security, as well as the safety of its employees and customers. Here's what that time will look like.

Machine learning models will be in the crosshairs

An organization's cyber threat detection ability is often only as good as its machine learning models, which would make these models a logical target for cyber attackers. In terms of adversarial machine learning, this could mean cybersecurity vendors get hacked themselves by cyber threat actors looking to gain access to the algorithms and data that trains their models. With this information, the bad guys can build their campaigns to evade detection, or they can build identical models they can test their cyber attacks against. 

Continue Reading
External Threat Management

RiskIQ’s 2019 Evil Internet Minute: All the Cyber Threats Jammed Into 60 Seconds

RiskIQ's 2019 Evil Internet Minute

As the scale of the internet continues to increase, so does the cyber threat landscape. Today, dozens of attack surfaces are growing under increased pressure, as cyberattacks take place in the amount of time it takes to brush your teeth or respond to an email.

To illustrate just how prevalent and persistent modern external threats are, we compiled the numbers associated with cybercrime in the past year and calculated how many cyber attacks occur every 60 seconds. Our 2019 "Evil Internet Minute" defines the scale of cyber attacks happening across the internet using the latest third-party research and our own global threat data.

Cyber attacks are constant, but the news of massive regulatory fines against Equifax and British Airways shows that it just takes one to hurt a business. Equifax is slated to pay at least $575M as part of a settlement with the FTC, and the UK's Information Commissioner's Office proposes a fine of £183m against British Airways which is 1.5% of its 2017 total revenues.

The Evil Internet Minute shows that some of the most common cyberattacks include malvertising, phishing, and supply chain attacks that target e-commerce such as the Magecart breaches that have surged by 20% in the last year. The perpetrators are using an ever-expanding range of technologies and strategies, and their motives vary from monetary gain to large-scale reputational damage to state-sponsored espionage.

Continue Reading
Labs Magecart

Spray and Pray: Magecart Campaign Breaches Websites En Masse Via Misconfigured Amazon S3 Buckets

On May 14th, RiskIQ covered the latest mass compromise of third-party web suppliers by a Magecart group. This initial report focused on seven of these suppliers, the scripts of which were injected with skimmer code, which possibly affected several thousand websites using their services. 

However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets. These buckets are un-secure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them.

RiskIQ has been monitoring the compromise of S3 buckets since the beginning of the campaign, which started in early April 2019. We’ve been working with Amazon and affected parties to address Magecart injections and misconfigured S3 buckets as we observe them.

We wrote the following article to raise awareness around the security policies for Amazon S3 as well as web-skimming attacks in general.

Discovery of Misconfigured Bucket

Continue Reading
External Threat Management

Meet the ‘Gift Cardsharks’ Behind the Massive Campaign Targeting Victims with Commercially Available Tools

Sophisticated, well-funded, and highly targeted cyber threat campaigns, many backed by adversarial foreign national governments, are targeting U.S businesses like never before. RiskIQ researchers have just uncovered another such campaign, and it's a big one. 

Widespread and well-orchestrated, this latest campaign uses commercially available marketing tools to launch phishing attacks against potentially hundreds of organizations, many of which deal with gift cards. This cyber threat group's activities initially surfaced when investigative journalist Brian Krebs reported on the breach of IT supplier Wipro on his website Krebs on Security, explaining how Wipro's IT systems were compromised and used to attack the company's customers. However, RiskIQ data pointed to this cyber attack being far from an isolated incident. 

In our latest Intelligence report named "Gift Cardsharks," RiskIQ shows how the campaign is, in reality, a far-ranging assault that exceeds the compromised infrastructure of Wipro and involves a long list of targets dating back to 2016. Although attribution cannot be confirmed, the group's numerous concurrent cyber attacks display hallmarks of some state-sponsored activity including specific infrastructure, impressive organization, and, likely, a financial motive.

Using our vast collection grid and unique external view of cyber threat actor operations, RiskIQ can piece together a more complete picture of this actor group and their cyber attack campaigns, tools, and possible motives. This report is by no means a comprehensive analysis but builds a detailed narrative of widely-reported events.

Infrastructure overlap in PDNS, WHOIS, and SSL certificate data sets allowed RiskIQ to build out a more comprehensive understanding of actor-owned infrastructure, possible targets, and a timeline of the cyber attack campaigns. This report is an analysis of these campaigns, their operators,  and their targets. 

Continue Reading
External Threat Management

Five Things to ‘Know’ About Modern Executive Protection

A business’s executives, leadership, and board of directors are sources of sensitive, privileged, and confidential information, and that makes them primary cyber attack vectors for hackers. That's why a robust executive protection program that protects these individuals both online and off is paramount.

According to FBI statistics, CEO fraud is now a $12 billion scam. And when private information about these high-profile, high-net-worth individuals is exposed online, it carries a high degree of risk for both that individual and his or her business—not to mention threats against the physical security of the executives and their families. The threat is so significant that Facebook’s board of directors recently granted Mark Zuckerberg a $10 million yearly allowance to pay for the personnel, equipment, and services needed to keep him and his family safe.

But it’s not just the high-profile executives of the world who need sophisticated protection. In today’s digital world, even those who practice stealth wealth are targets of hackers who practice the utmost due diligence in identifying targets and form cyber attacks exploiting their most private details. So even if you don’t flaunt your wealth to the public, anything that exists in the digital world is fair play.

Today C-level executives are twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past. Taking the safety of their business, associates, and family seriously means taking their own safety seriously. It’s now crucial for executives to work together with their physical and cyber security teams alike to understand risks in the physical and digital landscapes and develop a plan that protects against it all.

Here are five things to know about improving an executive’s security posture.

Continue Reading
External Threat Management

The Last 18 Months of Mobile: Blacklisted Apps Rise, Antivirus Apps Prove More Harm Than Good

These days, mobile security is top of mind for consumers and businesses alike, and for good reason—the mobile channel is ubiquitous and provides cyber threat actors a vast attack surface to target.

At home, 82 percent of online users in the United States used a mobile device for online shopping, with 35 percent being mobile-only online shoppers. In 2020, U.S. mobile retail revenues are expected to amount to 339.03 billion U.S. dollars, up from 207.15 billion U.S. dollars in 2018.

At work, employees use their phones on the company network and access sensitive corporate data every day. Even the way users interact with mobile devices is risky, as the smaller screens and simpler UIs make it easier for users to make more impulsive, uninformed decisions which increase their susceptibility to social engineering and fraud.

To highlight the mobile cyber threat landscape in the first quarter of 2019, RiskIQ published our Mobile Threat Landscape Q1 2019 report, which highlights our coverage of over 120 mobile app stores around the world, and our scans of nearly two billion resources looking for mobile apps in the wild. For the second-straight quarter, RiskIQ added over two million new apps to our database, partially due to RiskIQ's ever-expanding list of monitored mobile app stores, but also because of the continued explosive growth of the mobile app market.

To highlight the mobile cyber threat landscape in the first quarter of 2019, RiskIQ published our Mobile Threat Landscape Q1 2019 report.

Continue Reading

Elevate Your Investigations With Collaboration & Organization: PassiveTotal Projects

Projects within RiskIQ PassiveTotal make it easy for analysts to gather and share digital threat intelligence about current and ongoing digital threat investigations and known digital threat infrastructure. PassiveTotal Projects help you organize related digital threat infrastructure elements such as:

  •      Domains
  •      IPs
  •      website trackers, and
Continue Reading
Labs Magecart

Magecart Supply-chain Frenzy Continues With AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS & Picreel

Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.

Web-based supply-chain attacks, which compromise vendors that supply code that adds or improves website functionality, gives attackers access to a wide range of victims at once because the compromised code often integrates with thousands of sites. In this blog, we'll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.

A Widespread Campaign

As the timestamps below indicate, the majority of these compromises happened near the same day, Friday, May 10th.

Some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a “shotgun” approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative. RiskIQ found evidence of many other sites also being compromised, including:

Continue Reading