1.2 Mark of the Web Part 2

23 minutes
Video Transcription
So right off the bat, within just one pivot on the Facebook ID, we were able to find something that stuck out a little bit in terms of a web property that may not be legitimate. When we went over to it, it sort of had all the right things: it had a history, it was brought up online, it wasn't around long, but it doesn't necessarily media, and it's had the same IP address the whole time.

Same IP the whole time. WHOIS was privacy-protected through Domains By Proxy, it had an SSL certificate, one that appeared to be painful way, it had some remains there that were a little strange, but it wasn't completely out of place.

Uh, and then we had that mark of the web, which, to me, was kind of the kicker.

You know, there's no reason why match.com should be saving their pages individually in order to do this. Now, is there anything we can do to leverage that mark of the web to now find other sites that might be...
Yeah, that's a great question. So one of the things that we could do at this point is we could continue exploring very quickly some of the other tabs here. But if we wanted to just probe a little bit deeper into that mark of the web, we can actually run a pivot on match.com showing up inside of the mark of the web sources, and what we identify here is 12 other web pages that appear to have copied the match.com web page. Yeah, yeah. So what's really weird to me is we had a bunch of the same subject means that we saw, lyrics mantra, a couple of other web pages that don't appear to make sense, but they're using the same sort of technique.

There's an animal site; I might group those things together. But then we've got matching com dot ga. Um, this one to me is kind of strange. Delta corporal Otto dot com, I don't know what that means, but I mean, very quickly we went from match.com to an analytics ID that's legitimate and completely benign to something that's phishing these...
Now we opened up a bunch of other things here, too, specifically the Google Analytics account number. So let's see, there's that Delta. So we got our... well, that's not Delta, everything being this... Yeah, there's... so you're right. Yeah. So, apart from being copied for mark of the web, there's also that overlap again with the Google accounts and Google Analytics. We have our original extravagance. Ironworks.

Um, if we continue to go down here, we have other things like MASH Atlanta, MME. Uh, Paris Institute. Big bands foundation dot org. You know, these may be strangers; these things might be related to match.com, you never know, right? But maybe it's telling a different story as well. Maybe match.com doesn't manage their own Google Analytics and instead uses a marketing firm to do that for them. So maybe the marketing firm isn't doing a good job of cutting a unique UA code for each one of them. So it's hard to say, but things definitely stick out here as being weird.

Let's pivot over to our album source. If science again, this is what I would expect to see. A typical one is you have match.com and you've got us.match.com, secure.match.com. That makes sense, all of these things.
So if we go back to our trackers here on the original match.com query, is there any other information that we might be able to pivot off? Let's go and look at this Instagram ID and see if we can find anything else.

So while the results load here... 240 other websites? No, this is a case where aka Odeon s is a little weird. How did it all start that comment? This might make sense. Some places might be robots referencing the Instagram ID, which is not going to be as unique, and you would expect that in social media.

So as analysts, what we're striving to do here is apply our analytical rigor and make sure that we're looking at the pivots that we make and we're making calculated ones. So the Instagram ID is probably not as useful as, say, the Facebook ID.
But as the last and final one, we'll take this BlueKai site ID. I don't even know what BlueKai is; some sort of service for targeting. And here we have 384 websites? Yes, ESPN. There's a bunch of stuff in there: *** sports, Buckeye amnesia and ESPN Tennis Live. So what I think is interesting here is: is BlueKai some sort of sponsor network? Is it some sort of ad-based network? And what we can do is actually go and just do a search, because I'm actually curious now to figure out what this is.

So some people looking to remove BlueKai... Let's go a little bit further in the search. Oracle BlueKai. So it appears that BlueKai was purchased by Oracle.

Uh, what is it that we're looking at? BlueKai is the industry's leading cloud-based big data platform that enables companies to personalize online, offline and mobile marketing campaigns with richer, more actionable information. So this service seems legitimate. That fits with the comment that I made earlier, in a case where, uh, match.com may actually be taking some of those targeting functions from the advertising functions and placing them into another service. It appears in this particular case that the same person running ESPN's properties is running match.com. Exactly. Now they also might be associated with Disney Land as well. You know, just for a final check while we're here. This to me, right off the bat, was a little strange; you know, maybe it's real, but I just want to check it while we're looking at it.
That's no, it's fine. So as analysts, what we're doing in this particular case... I think this is a testament that allows you to show that starting with something that's good, as opposed to reacting, allows us to get more proactive. Now, if you're thinking to yourself, well, how often are new things going to show up?

Well, that's where we encourage you to actually use our API or bookmark the actual pages themselves so you can go back and identify new changes that take place. You can bookmark the mark of the web and constantly rerun that every time you go in, just to take a look to see if anything pops up. Exactly, and chances are, you know, it's not going to change that often. But it's better than having to proactively wait for someone to tell you that someone is phishing your users and going after their accounts.

So we think this is a good approach in terms of using our data to surface things that you may not know. And if somebody is copying your web pages and posting them someplace else, it's not theirs. They're infringing upon your domain and things like that. Exactly, so you can take whatever recourse that you want to do or you feel is appropriate for your organization.
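The two pivots walked through in the video, finding pages that carry a "saved from" comment pointing at your domain and finding other hosts that embed the same tracker IDs, can be reproduced offline over any corpus of crawled HTML. The script below is an added example written for this page; it is not code from the transcript or from the vendor platform shown in the video. The mark of the web it looks for is the comment Internet Explorer writes when a page is saved to disk, `<!-- saved from url=(NNNN)URL -->`, where NNNN is the zero-padded length of the URL that follows, so a mismatch between the declared length and the actual URL is a useful tell that the comment was hand-edited or copied between templates. All page URLs, hostnames, Google Analytics and Facebook app IDs below are constructed for illustration and are not real captures.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample corpus: page_url -> HTML body. None of these are real captures.
PAGES = {
    "https://www.match.com/": """<html><head>
<script>ga('create', 'UA-99999999-1', 'auto');</script>
<meta property="fb:app_id" content="111222333444555">
</head><body>legit</body></html>""",
    "https://us.match.com/login": """<html><head>
<script>ga('create', 'UA-99999999-1', 'auto');</script>
</head></html>""",
    # Saved copy of the login page; still carries the original tracker IDs.
    "http://matchingcom.example/login": """<!DOCTYPE html>
<!-- saved from url=(0027)https://www.match.com/login -->
<html><head>
<script>ga('create', 'UA-99999999-1', 'auto');</script>
<meta property="fb:app_id" content="111222333444555">
</head><body><form action="collect.php">...</form></body></html>""",
    # Saved copy of the front page, but re-tagged with a different GA property.
    "http://lyrics.example/": """<!-- saved from url=(0021)http://www.match.com/ -->
<html><head><script>ga('create', 'UA-55555555-3', 'auto');</script></head></html>""",
    # Declared length (0099) does not match the 21-character URL: edited by hand.
    "http://broken.example/": """<!-- saved from url=(0099)http://www.match.com/ -->
<html></html>""",
    "http://unrelated.example/": """<html><head>
<script>ga('create', 'UA-55555555-3', 'auto');</script></head></html>""",
}

MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)
GA_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")          # classic Universal Analytics IDs
FB_APP_RE = re.compile(r'fb:app_id"\s+content="(\d+)"')  # <meta property="fb:app_id" ...>


def host(url):
    return urlsplit(url).hostname or ""


def extract_motw(html):
    """Return (origin_url, length_ok) from an IE 'saved from' comment, or None."""
    m = MOTW_RE.search(html)
    if not m:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return url, declared == len(url)


def extract_trackers(html):
    """Set of tracker IDs embedded in the page (GA property IDs, Facebook app IDs)."""
    ids = set(GA_RE.findall(html))
    ids.update("fb:" + app_id for app_id in FB_APP_RE.findall(html))
    return ids


def pivot_motw(pages, target_host):
    """Mark-of-the-web pivot: pages whose saved-from URL is on target_host or a subdomain."""
    hits = []
    for page_url, html in pages.items():
        motw = extract_motw(html)
        if motw is None:
            continue
        origin, length_ok = motw
        h = host(origin)
        if h == target_host or h.endswith("." + target_host):
            hits.append((page_url, origin, length_ok))
    return sorted(hits)


def pivot_trackers(pages, seed_url):
    """Tracker pivot: for each ID on the seed page, the other hosts that embed it."""
    index = defaultdict(set)
    for page_url, html in pages.items():
        for tracker_id in extract_trackers(html):
            index[tracker_id].add(host(page_url))
    seed_host = host(seed_url)
    return {tid: sorted(index[tid] - {seed_host}) for tid in extract_trackers(pages[seed_url])}


def suspected_clones(pages, seed_url):
    """Pages saved from the seed host that still carry one of the seed page's tracker IDs."""
    seed_ids = extract_trackers(pages[seed_url])
    return [page_url for page_url, _origin, _ok in pivot_motw(pages, host(seed_url))
            if extract_trackers(pages[page_url]) & seed_ids]


if __name__ == "__main__":
    for page_url, origin, ok in pivot_motw(PAGES, "match.com"):
        print(f"saved from {origin}: {page_url} (length check {'ok' if ok else 'MISMATCH'})")
    for tracker_id, hosts in pivot_trackers(PAGES, "https://www.match.com/").items():
        print(f"{tracker_id} also on: {', '.join(hosts)}")
    print("suspected clones:", suspected_clones(PAGES, "https://www.match.com/"))
```

The tracker pivot on its own is noisy for the reason the speakers give: a shared Google Analytics or Facebook ID can mean a clone, but it can equally mean a marketing firm reusing one property across clients. Combining the two pivots, as `suspected_clones` does, is what separates the legitimate subdomains and shared-agency sites from a page that was both saved from your domain and left your tracker in place. The regexes are deliberately minimal; a production crawl would parse the HTML properly and extend the tracker patterns to whatever IDs the analyst is pivoting on.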