Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

“Evil Internet Minute” Report Shows Scale of Malicious Online Activity

Every day, cyber threat intelligence firm RiskIQ hoovers up terabytes of internet data. It concentrates on the internet infrastructure and how it functions, gathering up domains, IP addresses, email addresses and web page materials. It does this on behalf of its customers.

Every day, cyber threat intelligence firm RiskIQ hoovers up terabytes of internet data. It concentrates on the internet infrastructure and how it functions, gathering up domains, IP addresses, email addresses and web page materials. It does this on behalf of its customers. With booming cloud and social media, not only is there no longer a perimeter to defend, companies often don’t even know what they have to defend.

The attack surface is expanding, and attackers target company brands, suppliers and customers across the internet as well as companies’ own data centers. RiskIQ scans the internet to see what, where and how its customers might be vulnerable.

“We collect crawled web pages, mobile apps, social media profiles and more so that we can identify what our clients own online, so they in turn can identify any vulnerabilities or risks — down to, for example, criminal or malicious actors who may be attempting to masquerade as their business in an effort to go after their employees, or customers, and so on,” explained Brandon Dixon, RiskIQ VP of product. 

“We use web crawlers,” he told SecurityWeek, “which we call ‘virtual users’ because they have been instrumented to be able to scroll through a page as if they were a normal internet-browsing user.” This instrumentation became necessary soon in the company’s existence because malevolent actors began to recognize RiskIQ, and began to design their own resources to block or divert the crawlers.

“We run about 2 billion virtual user requests every day,” continued Dixon. “The virtual users follow a natural path across the internet — so, for example, they might conduct a Google search on a keyword of importance to a customer of ours. When it finds a link of relevance, the virtual user clicks on the link, visits and interrogates the page, and visits the links contained on that page. For each page we visit, we grab and save the content, grab all the remote sources from which the page is constructed, and all of the cookies and session information.”

So far, RiskIQ has gathered approximately 6 petabytes of data. That’s 6,000,000 gigabytes. Some of the gathered data is held for 60 days before being aged out — but the metadata is stored forever.

The company also scans the internet and gathers mobile apps. “One of our other methods of collecting data,” said Dixon, “is to do weekly — effectively continuous — internet scans. We run an entire sweep of the IPv4 space, looking for IP addresses that are online, and services they may be running. We’ll scan up to 111 ports, in some cases allowing customers to specify a specific port.” As a result, RiskIQ is able to identify servers online, the services they’re running, and whether they are on or off. 

“We’re also downloading as many mobile app stores as possible,” he added; “including the Android store and whatever we can get our hands on from Apple — and a number of third-party global app stores and underground mobile app stores. Where possible we decompile the apps to see what permissions they use and if they call out to any blacklisted URLs.”

The analysis of this data allows RiskIQ to provide its customers with an overview of threats to their wider internet estate. The analysis is performed in the company’s own pipeline. “Any time we collect data,” explained Dixon, “it enters that pipeline and we apply pretty complex proprietary policies that allow us to admit an event whenever something satisfies the policy. This could be something that our customers define as interesting, or something our research team has defined as interesting — or it could just be a generic feed including, for example, a known bad/malicious event or item.”

This is a huge mass of analyzed internet data. Each year, RiskIQ compiles some of that data to generate an ‘evil internet minute’ report (PDF). “It brings that missing sense of scale to all the malicious things that happen on the internet,” he told SecurityWeek. “People don’t generally have this amount of data available to them. We’re in a unique position. Not only do we observe these things, we can provide a pretty heavy statistic around what is happening online for the majority of people that we serve, and we collect from.”

That sense of scale is sobering. This year’s Evil Internet Minute depicts a range of bad things that happen on the internet every minute of every day. This year’s report, published this month, shows 0.17 blacklisted mobile apps are produced every minute (that is, one in every 6 minutes of every day). 0.21 of a new phishing domain is spun up every minute (that is, one every five minutes). 9.2 malvertising incidents occur every minute. 0.05 new hosts running crypto mining malware appear every minute (that is, one new one every 20 minutes). And four potentially vulnerable web components are discovered.

“When brands understand what they look like from the outside-in,” notes an associated blog post, “they can begin developing a digital threat management strategy that allows them to discover everything associated with their organization on the internet, both legitimate and malicious, and monitor it for potentially devastating cyber-attacks.”

Last month, researchers at RiskIQ connected some the dots in this huge database and discovered that the small Ticketmaster breach reported in June 2018 was actually just a small part of a major campaign, known as Magecart, designed to steal users’ payment details. Incidentally, the Evil Internet Minute notes that there are 0.07 new Magecart incidents (about one in every 14 minutes) somewhere on the internet.

San Francisco, Calif.-based RiskIQ raised $30.5 million in a Series C funding round led by Georgian Partners in November 2016. It brought the total raised by the firm to $65.5 million.

Written By

Click to comment

Expert Insights

Related Content

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...