Hacker Intelligence Initiative (HII)
Issued approximately six times a year, the Imperva Hacker Intelligence Initiative (HII) reports go inside the cyber-underground to provide in-depth, forward-looking analysis of trending hacking techniques and interesting attack campaigns. These provocative, creative and innovative research papers aim not solely to understand what has happened in the past, but to dive deep into what lies ahead and what is needed to proactively stay ahead of hackers' next moves.
HTTP/2: In-depth Analysis of the Top Four Flaws of the Next Generation Web Protocol
This report analyzes the four high-profile vulnerabilities that the Imperva Defense Center team uncovered in the latest implementation of the World Wide Web's underlying protocol. Read this report to find out more about the exploitable vulnerabilities the team discovered in nearly all of the new HTTP/2 components.
Black Hat SEO: A Detailed Analysis of Illegal SEO Tactics
Researchers at the Imperva Defense Center have discovered a series of long-running, multi-vector search engine optimization (SEO) campaigns that exploit vulnerabilities in thousands of legitimate websites to illegally increase the SEO results for malicious websites. Read this report to find out how hackers use these botnet-driven SEO attacks to promote malicious websites.
Attacking SSL when using RC4: Breaking SSL with a 13-year-old RC4 Weakness
RC4 is the most popular stream cipher in the world. It is used to protect as much as 30 percent of SSL traffic today, probably amounting to billions of TLS connections every day.
In this paper, we revisit the Invariance Weakness—a 13-year-old vulnerability of RC4 that is based on huge classes of RC4 weak keys, which was first published in the FMS paper in 2001. We show how this vulnerability can be used to mount several partial plaintext recovery attacks on SSL-protected data when RC4 is the cipher of choice, recovering part of secrets such as session cookies, passwords, and credit card numbers. This paper will describe the Invariance Weakness in detail, explain its impacts, and recommend some mitigating actions.
Anatomy of Comment Spam
Comment spammers are most often motivated by search engine optimization, so that they can use a promoted site for advertising and malware distribution. Attackers are also known to use comment spam for click fraud. The comment spam problem has become so prevalent that organizations are fighting back by implementing mitigation services. Interestingly, there have been incidents of spammers fighting anti-spammers in an attempt to shut down those mitigation services, and many of those counterattacks have been successful.
In our research, we examined the attacker’s point of view, including the comment spam techniques and tools. In addition, we examined the victim’s point of view to understand how organizations deal with comment spam today.
The Non-Advanced Persistent Threat
In this report, we focus on the phases of escalating privileges and collecting information. We expose some powerful, yet extremely simple techniques that allow attackers to efficiently expand their reach within an infected organization. We show how attackers achieve their goals without resorting to zero-day vulnerabilities and sophisticated exploits, and how organizations can protect themselves against the outcomes of such attacks.
The target of the attack we analyze in our report is the enterprise’s confidential information stored on file servers, Microsoft SharePoint, or database servers. Confidential information may include intellectual property, deal data, source code, payment card information, personal information, trade secrets, research data, financial secrets, etc.
Get What You Give: The Value of Shared Threat Intelligence
The Imperva Defense Center analyzed real-world traffic from sixty Web applications in order to identify attack patterns. The report demonstrates that, across a community of Web applications, early identification of attack sources and attack payloads can significantly improve the effectiveness of application security. Furthermore, it reduces the cost of decision making with respect to attack traffic across the community. Here's how, based on the traffic analyzed by the Imperva Defense Center:
- Multiple-target SQL attackers generated nearly 6x their share of the population.
- Multiple-target comment spam attackers generated 4.3x their share of the population.
- Multiple-target RFI attackers generated 1.7x their share of the population (this amounted to 73% of total attacks).
Lessons Learned From the Yahoo! Hack
In December 2012, a hacker claimed to have breached Yahoo!'s security systems and acquired full access to certain Yahoo! databases, leading to full access to the server for that domain. Technically, we found that the hacker was able to identify the allegedly vulnerable Yahoo! application and the exact attack method, SQL injection. This attack underscores the security problem posed by hosting third-party code, as is often done with cloud-based services. Our report explains:
- How to protect third-party Web applications against SQL injection and other Web attacks.
- Why security teams should always assume that third-party code coming from partners, vendors, mergers and acquisitions contains serious vulnerabilities.
- How to put in place contractual requirements for what you will and will not accept from a security perspective, and how to incorporate security due diligence into any merger or acquisition activity.
Monitoring Hacker Forums
Imperva's second annual hacker forum analysis detects a black market for social network fraud. By examining what information hackers seek out or share in forums, security teams can better understand where hackers are focusing their efforts. One thing is unmistakable: if organizations neglect SQL injection security, we believe that hackers will place more focus on those attacks.
The Anatomy of an Anonymous Attack
This Imperva Defense Center report reveals never-before-seen details of an attack by the hacktivist group 'Anonymous' against a high-profile unnamed target during a 25-day period in 2011. The Hacker Intelligence Summary Report - The Anatomy of an Anonymous Attack - offers a comprehensive analysis of the attack, including a detailed timeline of activities from start to finish, an examination of the hacking methods used, and insights on the use of social media to recruit participants and coordinate the attack.
Monitoring Hacker Forums
As part of the Imperva Hacker Intelligence Initiative, we monitor hacker forums to understand many of the technical aspects of hacking. Forums are the cornerstone of hacking - they are used by hackers for training, communication, collaboration, recruitment, commerce and even social interaction. Forums contain tutorials to help curious neophytes mature their skills. Chat rooms are filled with technical subjects, ranging from advice on attack planning to solicitations for help with specific campaigns. Commercially, forums are a marketplace for the sale of stolen data and attack software. Most surprisingly, forums build a sense of community where members can engage in discussions on religion, philosophy and relationships.
Blind SQL Injection Attacks Evasion
Blindfolded SQL injection does not produce the elaborate SQL error messages that are typically used to build SQL injection signatures. New SQL injection techniques are rendering traditional "security by obscurity" approaches ineffective. Find out why application-level security can handle blindfolded SQL injection attacks better.
SQL Injection Signatures Evasion
If you think SQL injection signatures are enough to protect your web applications, you will pay for it dearly. Imperva's research labs delve into the details of how hackers can evade SQL signatures and get to your data.