Summary

RedXray is a daily cyber threat notification service from Red Sky Alliance that simplifies cybersecurity monitoring for organizations and their supply chains. This document summarizes threats reported by RedXray for RumbleOn Inc. over the past three years. In this timeframe, data from multiple collection indices was observed. RumbleOn's stock is currently trading up 10.8%.[1] Increased cyber targeting can occasionally be seen during times of economic success.

Raw data is also available in companion .CSV files.

Details

RumbleOn Inc. is an American online automotive retailer headquartered in Coppell, Texas. The company currently appears to be in a period of growth, having recently added a VP of Strategy and Business Development and a Director of Technology to its leadership team.

RedXray “hits” are derived from primary-sourced intelligence collections and take inputs from customer infrastructure, such as domains and IPs. The following is an example of the RedXray dashboard displaying threats for domains, networks and companies associated with RumbleOn Inc.


RedXray focuses on four general categories: Malware Infections, Data breaches, Malicious emails, and Phishing.  The following are examples for RumbleOn Inc. with context and general mitigations.

 

RECENT DATA (< 6 MONTHS AGO):

  • Data Breaches & Leakage

This includes any sensitive data that has been compromised, whether as a result of a malware infection or a third-party database breach. Breach data can also come from several other sources on the deep and dark webs. At this time, there is no related breach data for RumbleOn’s domain rumbleon.com within RedXray.

What does this mean?

Depending on the nature of the leaked database, exposed information may vary from just email addresses to username and password combinations and other personally identifiable information (PII). RedXray contains the raw breach data so you can easily view what type of data has been exposed. If the breach data contains passwords, Red Sky Alliance recommends enforcing a password reset and investigating whether there has been unauthorized access to the account.

 

  • Malware Infections

RedXray can identify possible malware installations using our botnet tracker collection, sinkhole_traffic collection, or keylogger collection. In many cases it can also identify the malware protocol, resulting in high-confidence hits. The following shows botnet-related hits for RumbleOn. The respective IP addresses have been redacted for privacy.


HISTORICAL DATA (> 6 MONTHS AGO):

  • Malware Infections Continued

RedXray can identify possible malware installations using our botnet tracker collection, sinkhole_traffic collection, or keylogger collection. In many cases it can also identify the malware protocol, resulting in high-confidence hits. The following shows keylogger-related hits for a mail server which RumbleOn uses for email communication.

What does this mean?

If your IP address or domain is found in the botnet tracker, it means it was seen communicating with a malicious endpoint. This does not automatically indicate a malware infection, as there are a number of reasons why two IP addresses might communicate. For keylogger-related activity, the traffic may be the result of a captured web log or clipboard data captured by a keylogger. All such traffic should first be inspected before escalating to incident responders. Red Sky Alliance can help with support.

 

  • Malicious Emails

It is good to be aware of malicious email campaigns targeting your organization because they serve as an early warning. If your domain or IP address shows up in this collection, it was observed in the header of an email that has been identified as malicious (one or more antivirus detections). The following is an example of an IP address belonging to the RumbleOn email service provider being targeted with malicious emails.

What does this mean?

It should be noted that some AV vendors classify emails as malicious when they are benign. All malicious email hits only indicate targeting, not malware infections or data loss. Since the above is an example where an email server was targeted, it is important to note that this does not necessarily mean RumbleOn is directly being targeted by a malicious email, but rather that the RumbleOn email service provider is hosting mail servers through which malicious emails are being relayed.
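The distinction above (a mail server appearing as a relay rather than as the origin of a malicious email) can be checked from the Received header chain of the message itself. The following is an added example, not Red Sky Alliance or RedXray code; the sample message is constructed and uses RFC 5737 documentation addresses, not any real RumbleOn or provider IP.

```python
"""Classify where an organization's mail server appears in a malicious
email's Received chain: originator, relay, or not present at all.
Added example, not Red Sky Alliance code.  The message below is
constructed; 192.0.2.25 and 203.0.113.77 are documentation addresses."""
import email
import re
from email import policy

# Constructed sample: the message originated at 203.0.113.77 and was
# relayed through the provider-hosted MTA at 192.0.2.25 (the "hit").
SAMPLE_MSG = """\
Received: from mx.example-provider.test (mx.example-provider.test [192.0.2.25])
	by inbound.victim.test (Postfix) with ESMTPS id 3A1B2C
	for <user@victim.test>; Thu, 14 Nov 2019 10:00:03 +0000
Received: from sender-box.test (unknown [203.0.113.77])
	by mx.example-provider.test (Postfix) with ESMTP id 9F8E7D;
	Thu, 14 Nov 2019 10:00:01 +0000
From: "Billing" <billing@spoofed.test>
To: user@victim.test
Subject: Invoice attached

Please open the attached invoice.
"""

# Bracketed IPv4 literal as written by MTAs: "host (name [1.2.3.4])"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: str) -> list:
    """Return (from_ip, by_host) hops, oldest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())  # collapse folded continuation lines
        ip = IP_RE.search(hdr)
        by = re.search(r"\bby\s+(\S+)", hdr)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    # MTAs prepend Received headers, so the top header is the newest hop.
    return list(reversed(hops))


def classify_hit(raw: str, org_ip: str) -> str:
    """'originator' if org_ip is the first hop, 'relay' if it appears
    later in the chain, 'not-in-chain' if it is absent."""
    from_ips = [ip for ip, _ in received_chain(raw)]
    if org_ip not in from_ips:
        return "not-in-chain"
    return "originator" if from_ips[0] == org_ip else "relay"
```

A "relay" result matches the situation described above: the provider's server handled the message but did not originate it. Received headers can be forged by the sender, so only hops added by MTAs you trust should be treated as authoritative.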

 

  • Pastebin

Pastebin is a site used by bad actors to post data, which may be sensitive, for others to view freely. Oftentimes the hacking group Anonymous will use Pastebin to list targets for the group’s members to attack. The following are examples of Pastebin hits in which RumbleOn’s IP address was mentioned.

What does this mean?

A Pastebin hit simply means your information was observed in a paste on pastebin.com. There are numerous reasons information would be contained in a paste – some malicious and some benign. Each Pastebin hit must be individually analyzed to determine context.

 

  • Phishing

Phishing attacks are responsible for a large share of compromised credentials. Our Threat-Recon collection aggregates phishing data, and we allow keyword searching of this data set in order to identify both targeted phishing attacks and spoofed URLs. The following shows related phishing hits for the IP address on which rumbleon.com is hosted. The IP address has been redacted for privacy.

What does this mean?

If you receive a phishing hit (ThreatRecon) in RedXray, the first step is to identify whether the phishing campaign is targeting an organizational account or the organization’s customers. Red Sky Alliance can assist in providing context for these hits.

 

Conclusion

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at (888)-(RED)-(XRAY) or (888)-733-9729, or email feedback@wapacklabs.com

Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en

 

[1] https://www.nasdaq.com/articles/thursday-sector-leaders%3A-precious-metals-auto-dealerships-2019-11-14

 

Link to Full report: RTT - RumbleOn Automotive (Redacted).pdf
