Unknown and insecure domains continue to be a problem for businesses.
According to RiskIQ’s The Anatomy of an Attack Surface: Five Ways Hackers are Cashing In report, the five ways were determined to be:
- Modern websites are made up of plug-ins and third-party applications, and many of these can be vulnerable to common vulnerabilities and exposures (CVEs)
- Shadow IT and M&A activity create a monolith of unmanaged pages, domains and servers
- Phishing domains pretending to be recognized websites
- Mobile app stores continue to offer blacklisted apps
- Cryptomining software is prevalent on websites
RiskIQ mapped the global internet attack surface over a two-week period and found that 3,495,267 new domains were created (249,662 per day) and 77,252,098 new hosts, and these included 1,713,556 WordPress plug-ins and 1,814,997 CMS instances overall. Of the Alexa top 10,000 domains, 3,390 were running one potentially vulnerable web component; 1,036,657 potentially vulnerable web components were found overall.
Fabian Libeau, VP of EMEA at RiskIQ, said that most attacks are still about making money. “People underestimate the complexity of the business,” he told Infosecurity. “A lot of focus was put on policy audits, like data center access controls, and financial services generally understood it but they do e-commerce with their customers and a lot of the issues are not about being focused.”
The second finding was that organizations lack a complete view of their internet assets, with RiskIQ claiming that new customers typically find 30% more assets than they thought they had. Its research on the FTSE30 found that each has: 9,896 dormant websites, four websites with expired certificates, 616 websites collecting PII and 120 websites with a CVE of potentially critical severity.
Libeau added that 50 websites studied were running the Private Web Server function of Windows 2000. He said: “Maybe they don’t think they are doing anything wrong if no-one knows about it?”
In Q1 of 2018, RiskIQ found 26,671 phishing domains impersonating 299 unique brands. Regarding cryptomining, an average of 495 new hosts were running miners each week in Q1, while 11 instances of cryptomining were found on FTSE30 websites.
“Some of the cryptomining scripts we found have been active for over 160 days, suggesting that organizations are failing to detect them,” the report said.
RiskIQ said that a takedown of a rogue domain can often be done in minutes, but the attacker often reappears with new domains once they have found new IP addresses.
Jay Huff, EMEA marketing director at RiskIQ, told Infosecurity that one of the problems is that “lots of companies don’t have external threat recognition, they have endpoint and network security but are lacking in an external firewall.”