The following is a guest post by Jacob Pimental, a Senior Cybersecurity Analyst at T. Rowe Price.
This will be a brief tutorial on using Open Source Intelligence (OSINT) to hunt down Magecart infections. I will go over some tools that can be used to pivot off known indicators and find new ones, and I will give a brief overview of my new tool, Gunslinger, and how it can be used to hunt for new infections.
Open Source Intelligence (OSINT) is information that is publicly available on the internet. It normally comes from free sources such as social media, public WHOIS records, or free web scanners. In our case we will use public domain data (registration and DNS resolution history) and HTTP content to find more Magecart domains. The tools below are the ones I use to gather this intel.
RiskIQ's PassiveTotal lets you search for domains, IPs, ASNs, certificates, etc. and returns a large amount of data on whatever you search for. You can also set up monitors on IOCs to be alerted when infrastructure changes (e.g. a domain starts resolving to a different IP). PassiveTotal also shows the other domains an IP has resolved to, which is useful for finding other malicious domains belonging to the same campaign. One caveat when pivoting this way: shared hosting and CDN IPs host hundreds of unrelated domains, so check how many domains sit on the IP and whether their resolution windows overlap the indicator's before treating a co-hosted domain as related. The RiskIQ team has also published a few projects there that are good jumping-off points when starting a hunt.
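The IP-to-domain pivot described above, written out as an added example (this is not the author's code, not Gunslinger, and it makes no PassiveTotal API calls). The passive-DNS records and the checkout-page HTML are constructed to resemble an export of resolution history and a captured HTTP response; the domain names and IPs are hypothetical. It starts from a seed skimmer domain, walks the IPs it resolved to, collects the other domains seen on those IPs during an overlapping time window, skips IPs that host too many tenants to be useful, and then checks which candidates actually appear as external script sources in the captured page.

```python
"""Pivot from a seed Magecart domain through passive DNS to co-hosted domains,
then confirm candidates against HTTP content from a victim checkout page.

Added example. All records below are CONSTRUCTED and hypothetical; nothing
here queries PassiveTotal or any other live service.
"""
import re
from datetime import date
from urllib.parse import urlparse

# Constructed passive-DNS export: (domain, ip, first_seen, last_seen)
PDNS_RECORDS = [
    ("skimmer-cdn.example", "203.0.113.10", date(2019, 5, 1), date(2019, 6, 30)),
    ("jquery-stats.example", "203.0.113.10", date(2019, 5, 3), date(2019, 6, 30)),
    ("analytics-js.example", "203.0.113.10", date(2019, 5, 10), date(2019, 6, 30)),
    # Earlier, unrelated tenant on the same IP: its window does not overlap
    ("oldshop.example", "203.0.113.10", date(2017, 1, 1), date(2018, 12, 1)),
    # The skimmer later moved to a shared-hosting IP with hundreds of tenants
    ("skimmer-cdn.example", "198.51.100.5", date(2019, 7, 1), date(2019, 7, 15)),
] + [
    (f"tenant{i}.example", "198.51.100.5", date(2018, 1, 1), date(2019, 12, 31))
    for i in range(300)
]

# Constructed HTTP content captured from a compromised checkout page
CHECKOUT_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://jquery-stats.example/jquery.min.js"></script>
<script type="text/javascript" src='//cdn.legit-vendor.example/lib.js'></script>
</head><body>...</body></html>"""


def resolutions(domain, records):
    """Return {ip: (first_seen, last_seen)} for every IP a domain resolved to."""
    return {ip: (first, last) for d, ip, first, last in records if d == domain}


def tenants(ip, records):
    """Return {domain: (first_seen, last_seen)} for every domain seen on an IP."""
    return {d: (first, last) for d, rip, first, last in records if rip == ip}


def overlaps(a, b):
    """True when two (first_seen, last_seen) windows share at least one day."""
    return a[0] <= b[1] and b[0] <= a[1]


def pivot(seed, records, max_tenants=50):
    """Pivot seed -> IPs -> co-hosted domains with overlapping resolution windows.

    IPs hosting more than max_tenants domains are treated as shared hosting or
    CDN space and skipped, because co-hosting there says nothing about intent.
    Returns ({candidate_domain: {ip, ...}}, [skipped_noisy_ips]).
    """
    candidates = {}
    noisy_ips = []
    for ip, seed_window in resolutions(seed, records).items():
        hosted = tenants(ip, records)
        if len(hosted) > max_tenants:
            noisy_ips.append(ip)
            continue
        for domain, window in hosted.items():
            if domain != seed and overlaps(seed_window, window):
                candidates.setdefault(domain, set()).add(ip)
    return candidates, noisy_ips


SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc=["']([^"']+)["']""", re.IGNORECASE)


def external_script_hosts(html):
    """Hostnames of every externally loaded <script src=...> in a page."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        # Protocol-relative and absolute URLs carry a host; "/js/x.js" does not
        host = urlparse(src if "//" in src else "///" + src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def confirm_in_page(candidates, html):
    """Candidates that are actually loaded as scripts by the captured page."""
    return sorted(set(candidates) & external_script_hosts(html))


if __name__ == "__main__":
    found, noisy = pivot("skimmer-cdn.example", PDNS_RECORDS)
    print("candidates:", found)
    print("skipped shared-hosting IPs:", noisy)
    print("confirmed on checkout page:", confirm_in_page(found, CHECKOUT_HTML))
```

The tenant threshold is the check that keeps this pivot honest: without it, the move to 198.51.100.5 would have pulled in 300 unrelated sites. The HTTP-content step then separates a domain that is merely co-hosted from one that a victim page is actually pulling a script from, which is what you want before adding it to a blocklist or a Gunslinger hunt.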