
We were recently alerted by our IDS on a possible SocGholish domain visit. After research, we found several others that we added to our alert/block list in our security tools. Since then, we have been hit with several alerts for IPs and websites flagged as malicious or staging areas. Some of my folks are asking why security tools are not detecting the infection bringing users to these sites. I am wondering though if our tools have anything to detect? Several times I have seen this as a result of a Google search or navigating to a legitimate web site and hitting a shadow subdomain.

Only a couple times have I been able to recreate the conditions and user actions of a SocGholish alert trigger.

This was when I did a Google search for "elevator speech" and got a result page with sponsored links. Clicking on the sponsored links triggered the alert with no download or application executing. I have since recreated the search, but the sponsored links are not visible now. This is most likely the case as sponsoring is a paid service and the time has passed.

Our second case was a user clicking a sponsored link to visit camps[.]topgunnbaseball[.]com, which we found to be a shadow subdomain. Its IP was wholly different from the parent domain. A specialist noticed that topgunnbaseball and the sponsored links the users visited to get the DDI alert referenced a font CDN such as fontawesome, which in turn may also be appropriated by threat actors as a landing page for redirect or fileless launches. Still researching that.

Another case is the other day going to serjobs[.]org. The site is legit, I do not get any warning or notification from Defender, but I do get it from a Malwarebytes extension when visiting the site. There is no visible widget or code that I can see going to topgunnbaseball.

So our dilemma is that we are being more reactionary. I am unable to find a root cause for this other than perhaps embedded 'widgets' on pages, malvertising on sponsored links, or perhaps, like the specialist said, an appropriated font CDN. Any thoughts or pointers would be appreciated.

submitted by /u/Praezin
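One defender-side heuristic for the "shadow subdomain whose IP is wholly different from the parent domain" observation in the post, added here as an example and not part of the original post: it parses resolver log lines and flags subdomains none of whose A records share a network prefix with the parent apex. The hostnames, addresses and log format are constructed, and the parent-domain logic is a naive two-label split that a real deployment would replace with the Public Suffix List.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log lines ("<fqdn> <A record>"); the hostnames and
# addresses are made up for this example and use reserved documentation ranges.
SAMPLE_LOG = """\
example-parent.test 203.0.113.10
www.example-parent.test 203.0.113.10
cdn.example-parent.test 203.0.113.11
camps.example-parent.test 198.51.100.77
shop.example-parent.test 198.51.100.80
legit-site.test 192.0.2.5
blog.legit-site.test 192.0.2.6
"""

def registrable_parent(fqdn):
    """Naive parent domain: the last two labels. A real deployment should use
    the Public Suffix List instead (assumption made for this example)."""
    labels = fqdn.strip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_log(text):
    """Map each hostname to the set of IP addresses it resolved to."""
    records = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ip = line.split()
        records[host.lower()].add(ipaddress.ip_address(ip))
    return records

def find_shadow_candidates(records, prefix_len=24):
    """Flag subdomains none of whose A records fall in the same /prefix_len
    as the parent apex (or its www host). A hit is a lead to investigate,
    not proof of compromise: CDN-fronted subdomains will also trigger it."""
    flagged = []
    for host, ips in records.items():
        parent = registrable_parent(host)
        if host == parent:
            continue
        parent_ips = records.get(parent, set()) | records.get("www." + parent, set())
        if not parent_ips:
            continue  # no baseline to compare against
        parent_nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
                       for ip in parent_ips}
        if not any(ip in net for ip in ips for net in parent_nets):
            flagged.append((host, sorted(str(ip) for ip in ips)))
    return sorted(flagged)
```

Feeding real passive-DNS or proxy logs into `parse_log` and reviewing the flagged hosts alongside WHOIS and certificate data is the triage step this heuristic is meant to support.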
