FireEye has recently identified cyber threat actors utilising an advanced script to monitor the online activities of Internet users without their knowledge.
The perpetrators alter specific websites so that visitors are silently redirected to a profiling script, which FireEye calls WITCHCOVEN. The script collects detailed information about the visitor's computer and browser and plants a persistent tracking identifier known as a 'supercookie', which is written to several browser storage locations so that it survives ordinary cookie deletion. Together, the collected attributes and the identifier form a unique 'browser fingerprint' that can recognise the same computer on later visits.
WITCHCOVEN itself has not been classified as malicious: it exploits nothing and drops no malware. The assessment is that its true purpose is to let the threat actors identify targets of interest and tailor later attacks to the vulnerable software those targets are running. The data it gathers includes the visitor's IP address, browser type and browser language; aggregated across many visits, it lets the actors build profiles of potential victims using the same kind of web analytics that legitimate businesses use, turned to hostile ends.
A recent precedent for this tactic is Operation Clandestine Wolf (June 2015), in which APT3, a China-based threat group, ran a profiling script against visitors before serving them a Flash zero-day exploit. So far, more than a hundred compromised websites have been found redirecting visitors to the WITCHCOVEN script.
The list of compromised websites indicates that the threat actors are interested in executives, diplomats, government officials and military personnel, particularly in the United States and Europe; the affected sites span sectors including education, government, financial services and energy. APT actors have recently shown an interest in amassing large amounts of personal data, most likely to build databases for tracking current and future targets of interest. The absence so far of any exploit or malware delivery suggests a long-term collection effort serving specific intelligence requirements rather than an immediate intrusion campaign.
Blocking script execution, disabling third-party cookies or browsing in a privacy-enhanced mode would blunt the profiling, but these measures also break legitimate site content, and because a supercookie is replicated across several storage mechanisms, clearing cookies alone does not remove it. Organisations are therefore better served by detecting and preventing the follow-on attacks through established practice: disabling unneeded browser plugins such as Flash, keeping systems and applications patched, and monitoring hosts and networks for suspicious traffic, for example a single third-party script being loaded from many unrelated websites.