July 31, 2019
The BA breach, surfaced by RiskIQ last fall, was carried out by the crime syndicate Magecart. Most recently, a sophisticated Magecart group compromised thousands of sites with a supply chain cyber attack targeting misconfigured Amazon S3 buckets.
July 26, 2019
Machine learning is becoming more critical to cybersecurity every day. As I've written before, it's a powerful weapon against the large-scale automation favored by today's cyber threat actors, but the dynamic between cyber attackers and defenders is evolving.
Nowadays, machine learning is mostly used by cyber security software to ingest massive quantities of data and identify cyber threats, but that will all soon change as increasingly sophisticated cybercriminals tap into their own machine learning tools to counter this. The early stages of this malicious machine learning will likely take the form of bad guys directly targeting the good guys' algorithms to sabotage, mislead, and reverse-engineer them.
We're on the precipice of the age of adversarial machine learning, where dueling algorithms will determine an organization’s cyber security, as well as the safety of its employees and customers. Here's what that time will look like.
Machine learning models will be in the crosshairs
An organization's cyber threat detection ability is often only as good as its machine learning models, which makes these models a logical target for cyber attackers. In terms of adversarial machine learning, this could mean cybersecurity vendors get hacked themselves by cyber threat actors looking to gain access to the algorithms and data that train their models. With this information, the bad guys can build their campaigns to evade detection, or they can build identical models against which they can test their cyber attacks.
July 24, 2019
RiskIQ's 2019 Evil Internet Minute begins...now.
As the scale of the internet continues to increase, so does the cyber threat landscape. Today, dozens of attack surfaces are growing under increased pressure, as cyberattacks take place in the amount of time it takes to brush your teeth or respond to an email.
To illustrate just how prevalent and persistent modern external threats are, we compiled the numbers associated with cybercrime in the past year and calculated how many cyber attacks occur every 60 seconds. Our 2019 "Evil Internet Minute" defines the scale of cyber attacks happening across the internet using the latest third-party research and our own global threat data.
Cyber attacks are constant, but the news of massive regulatory fines against Equifax and British Airways shows that it takes just one to hurt a business. Equifax is slated to pay at least $575M as part of a settlement with the FTC, and the UK's Information Commissioner's Office proposes a fine of £183m against British Airways, which is 1.5% of its 2017 total revenues.
The Evil Internet Minute shows that some of the most common cyberattacks include malvertising, phishing, and supply chain attacks that target e-commerce such as the Magecart breaches that have surged by 20% in the last year. The perpetrators are using an ever-expanding range of technologies and strategies, and their motives vary from monetary gain to large-scale reputational damage to state-sponsored espionage.
July 11, 2019
On May 14th, RiskIQ covered the latest mass compromise of third-party web suppliers by a Magecart group. This initial report focused on seven of these suppliers, the scripts of which were injected with skimmer code, which possibly affected several thousand websites using their services.
However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets. These buckets are insecure because they are misconfigured in a way that allows anyone with an Amazon Web Services account to read or write content to them.
RiskIQ has been monitoring the compromise of S3 buckets since the beginning of the campaign, which started in early April 2019. We’ve been working with Amazon and affected parties to address Magecart injections and misconfigured S3 buckets as we observe them.
We wrote the following article to raise awareness around the security policies for Amazon S3 as well as web-skimming attacks in general.
Discovery of Misconfigured Bucket
Meet the ‘Gift Cardsharks’ Behind the Massive Campaign Targeting Victims with Commercially Available Tools
June 26, 2019
Sophisticated, well-funded, and highly targeted cyber threat campaigns, many backed by adversarial foreign national governments, are targeting U.S. businesses like never before. RiskIQ researchers have just uncovered another such campaign, and it's a big one.
Widespread and well-orchestrated, this latest campaign uses commercially available marketing tools to launch phishing attacks against potentially hundreds of organizations, many of which deal with gift cards. This cyber threat group's activities initially surfaced when investigative journalist Brian Krebs reported on the breach of IT supplier Wipro on his website Krebs on Security, explaining how Wipro's IT systems were compromised and used to attack the company's customers. However, RiskIQ data pointed to this cyber attack being far from an isolated incident.
In our latest Intelligence report named "Gift Cardsharks," RiskIQ shows how the campaign is, in reality, a far-ranging assault that exceeds the compromised infrastructure of Wipro and involves a long list of targets dating back to 2016. Although attribution cannot be confirmed, the group's numerous concurrent cyber attacks display hallmarks of some state-sponsored activity including specific infrastructure, impressive organization, and, likely, a financial motive.
Using our vast collection grid and unique external view of cyber threat actor operations, RiskIQ can piece together a more complete picture of this actor group and their cyber attack campaigns, tools, and possible motives. This report is by no means a comprehensive analysis but builds a detailed narrative of widely-reported events.
Infrastructure overlap in PDNS, WHOIS, and SSL certificate data sets allowed RiskIQ to build out a more comprehensive understanding of actor-owned infrastructure, possible targets, and a timeline of the cyber attack campaigns. This report is an analysis of these campaigns, their operators, and their targets.
June 21, 2019
A business’s executives, leadership, and board of directors are sources of sensitive, privileged, and confidential information, and that makes them primary cyber attack vectors for hackers. That's why a robust executive protection program that protects these individuals both online and off is paramount.
According to FBI statistics, CEO fraud is now a $12 billion scam. And when private information about these high-profile, high-net-worth individuals is exposed online, it carries a high degree of risk for both that individual and his or her business—not to mention threats against the physical security of the executives and their families. The threat is so significant that Facebook’s board of directors recently granted Mark Zuckerberg a $10 million yearly allowance to pay for the personnel, equipment, and services needed to keep him and his family safe.
But it’s not just the high-profile executives of the world who need sophisticated protection. In today’s digital world, even those who practice stealth wealth are targets of hackers who practice the utmost due diligence in identifying targets and forming cyber attacks that exploit their most private details. So even if you don’t flaunt your wealth to the public, anything that exists in the digital world is fair game.
Today, C-level executives are twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past. Taking the safety of their business, associates, and family seriously means taking their own safety seriously. It’s now crucial for executives to work together with their physical and cyber security teams alike to understand risks in the physical and digital landscapes and develop a plan that protects against them all.
Here are five things to know about improving an executive’s security posture.
June 20, 2019
These days, mobile security is top of mind for consumers and businesses alike, and for good reason—the mobile channel is ubiquitous and provides cyber threat actors a vast attack surface to target.
At home, 82 percent of online users in the United States used a mobile device for online shopping, with 35 percent being mobile-only online shoppers. In 2020, U.S. mobile retail revenues are expected to amount to 339.03 billion U.S. dollars, up from 207.15 billion U.S. dollars in 2018.
At work, employees use their phones on the company network and access sensitive corporate data every day. Even the way users interact with mobile devices is risky, as the smaller screens and simpler UIs make it easier for users to make more impulsive, uninformed decisions which increase their susceptibility to social engineering and fraud.
To highlight the mobile cyber threat landscape in the first quarter of 2019, RiskIQ published our Mobile Threat Landscape Q1 2019 report, which covers our monitoring of over 120 mobile app stores around the world and our scans of nearly two billion resources looking for mobile apps in the wild. For the second straight quarter, RiskIQ added over two million new apps to our database, partially due to RiskIQ's ever-expanding list of monitored mobile app stores, but also because of the continued explosive growth of the mobile app market.
June 10, 2019
Projects within RiskIQ PassiveTotal make it easy for analysts to gather and share digital threat intelligence about current and ongoing digital threat investigations and known digital threat infrastructure. PassiveTotal Projects help you organize related digital threat infrastructure elements such as:
- website trackers, and
Magecart Supply-chain Frenzy Continues With AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS & Picreel
May 15, 2019
Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.
Web-based supply-chain attacks, which compromise vendors that supply code that adds or improves website functionality, give attackers access to a wide range of victims at once because the compromised code often integrates with thousands of sites. In this blog, we'll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.
A Widespread Campaign
As the timestamps below indicate, the majority of these compromises happened near the same day, Friday, May 10th.
Some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a “shotgun” approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative. RiskIQ found evidence of many other sites also being compromised, including: