In the past several months Cisco Cognitive Threat Analytics (CTA) researchers have observed a number of blog sites using either fake content or content stolen from other sites to drive traffic to click on ad-loaded web sites. We have observed traffic volume up to 10,000 requests per hour, targeting hundreds of sites. The estimated lifetime of this campaign is at least 9 months. With a single click worth anywhere from $0.01 and $1, these scams can yield substantial returns for their owners.
Fake blogs are not new, but these actors are operating with a slightly different MO. Effort has been made to evade web reputation based blocks and hide from the eyes of investigators. First, we observe a large number of similar sites with word-based and topic-based generated domain names. These sites look like benign travel-related blogs full of content at first sight. Secondly, most of the intermediate infrastructure will redirect a random request away towards Google, making the investigation more difficult.
The general traffic pattern was observed as follows:
Large numbers of requests arrive from infected clients to the fake blog sites. To look less suspicious, the requests look like search queries – for example: cruiserly.net/search/q/greyhounds.
There is a series of redirects via intermediate sites, which are already associated with click-frauds – for example: findreek.com.
These redirects bring the clients towards another set of fake sites, with travel related names (e.g. tourxperia.com), this time these sites have no content.
Finally, clients are sent to browse arbitrary web sites to generate clicks and/or revenue.
“It’s our thesis that privacy will be an integral part of the next wave in the technology revolution and that innovators who are emphasizing privacy as an integral part of the product life cycle are on the right track.” —The Privacy Engineer’s Manifesto, 2014
Privacy in an always and increasingly connected world is a complex topic. Does privacy mean the same thing it did 20—or even 10 years ago—before we all used smartphones and social media? How does data that we generate in our connected day tell a story, become monetized, and get purposed and repurposed? How do vendors ensure that privacy is designed into products and services?
These are issues that Michelle Finneran Dennedy, a leading authority on privacy, corporate policies, and the protection of the Internet, is passionate about—and so is Cisco. So I’m very pleased to say that Michelle joined Cisco as Vice President and Chief Privacy Officer today. Simply stated, welcome, Michelle! Read More »
The security of our customers is critical, and when needed, we pull out all stops to protect them.
Cisco participates in a large ecosystem of partners, industry peers (yes, that includes competitors), and non-profits that provides insight and awareness into a multitude of security threats. We also have deep internal expertise. The Cisco Talos organization is focused on threat research and content for our security offerings, our Information Security teams protect Cisco’s own network, and our PSIRT organization delivers coordinated vulnerability management.
Together these teams and partners represent a powerful ally for Cisco customers, working around the clock to develop robust detections and protect the integrity of Cisco IOS devices.
Our Talos team, along with one of our ecosystem partners Shadowserver, have been scanning to detect potential exposure to the malware now known as SYNful Knock. Many of our enterprise and service provider customers have seen the increase in scanning from Shadowserver to detect the related Indicators of Compromise (IOCs).
Shadowserver has established reporting capabilities, and at our request, additional data will now be included for potential matches to the SYNful Knock IOCs. Existing ShadowServer customers will benefit from this additional reporting soon. If you are not currently receiving their reports, you can request service on their website.
We believe this activity supports Cisco efforts that are already underway to identify and alert customers to potential exposures. It adds to the conversations we’re having with customers about the need for broad-based risk assessment, containment, and remediation. Our focus is on the integrity of Cisco devices, for this set of IOCs and beyond.
In so many parts of life, the passing of time is a benefit. Wine and whisky mature, intelligence is gained, and friendships grow stronger. For those of us working in IT security, however, the passing of time brings new challenges. Prolonging the use of older technology exponentially increases risk and the resulting problems can cost more than recommended maintenance/upgrades.
Let’s consider three facts:
Fact 1: IT is fundamental to the economy, safety, health, and well-being of the world’s societies. Today’s IT systems support everything from advanced medical research to a country’s economic growth.
Fact 2: Attacks on IT will continue to evolve in terms of efficiency, complexity, and deviousness. The need for better prevention, detection, and remediation recovery from cyber attacks continues to grow.
Fact 3: IT devices are developed to perform securely within the known constraints and challenges of their launch environment, with flexibility for some upgrades. But at some point, all technology reaches a lifecycle limit. Quite often that limit is less about the device’s ability to “just power up” and more about it doing so securely.
Consider these facts together and what is the conclusion?
This attack isn’t caused by a problem or vulnerability with a Cisco product. It results from an attacker stealing administrative credentials or getting physical access to a networking device, allowing them to load a modified version of operating system software.
Just as technology advances, so too do the nature and sophistication of attacks. Although Mandiant’s research focuses on a specific piece of malware, we believe that it is an example of an evolution of attacks. Attackers are no longer focusing just on disruption, but on compromising credentials to launch an undetected and persistent attack.
For many years we’ve known that networking devices and their credentials are high-value targets for attackers. There has always been a need to protect them accordingly. This was something we reinforced last month in this security bulletin: Evolution in Attacks Against Cisco IOS Software Platforms
We know this is an important topic for our customers, so have created an on-demand webcast outlining how to detect and remediate this type of attack:
The webcast also continues the conversation about good operating procedures, like network hardening and monitoring, that can help prevent this type of attack. The resources it describes can also be found on our Event Response Page.
If you have any additional questions about SYNful Knock, including how we can help implement some of these recommendations, please speak with your Cisco account manager.
If you are experiencing immediate technical challenges and require support, the Cisco Technical Assistance Center (TAC) is here to help.
And if you’re a member of the press with questions, please contact my PR friends at firstname.lastname@example.org.