Gift Cardsharks:

Businesses are targets for large, organized, and well-funded cyber threat campaigns that use massive amounts of infrastructure both beyond the firewall and on the internal network.

RiskIQ researchers have uncovered one of these campaigns, a sophisticated, far-ranging operation that uses commercially available and open-source marketing tools to launch phishing attacks against an array of organizations, many of which deal with gift cards.

This cyber threat group’s activities initially surfaced when investigative journalist Brian Krebs reported on the breach of IT supplier Wipro, but RiskIQ data shows this attack is far from an isolated incident and involves a long list of targets dating back to 2016.

Although attribution cannot be confirmed, the group’s numerous concurrent attacks display hallmarks of some state-sponsored activity such as precision, organization, and, likely, a financial motive. In this cyber threat intelligence report, Infrastructure overlap in PDNS, WHOIS, and SSL certificate data sets allowed RiskIQ researchers to profile this group and surface and connect its infrastructure.

Report highlights include:

• The widely used email marketing and analytics tools the group used to create effective email phishing campaigns and appear legitimate to targets’ network security
• The group’s primary targets
• Possible monetization techniques
• How the infrastructure used is associated with North Korean cyber threat activity
• How subsequent attacks on IT infrastructure organizations like Wipro represent broader targeting by the cyber threat group