Researchers at Trustwave have provided CSO with an inside look at the Magnitude Exploit Kit's infrastructure.
Linked to attacks against PHP.net and Yahoo, this kit has gone from obscurity to a certified threat in a short amount of time, while generating more than $60,000 USD per week in income.
Crime Kits are a way for Web-based criminals to automate their business. Some kits focus on malware alone, enabling total control over delivery and management. Others focus on controlling traffic, making them perfect for advertising fraud and Black Hat SEO operations; but at the same time, they can also be used to drive traffic to the third type of kit — exploit kits.
Exploit kits exist to initiate drive-by-download attacks. Sometimes these kits will find their way into a watering hole attack, but that's the exception and not the rule. The process is straightforward; one part of the kit targets vulnerable software with a previously determined list of exploits, while the other (assuming the exploit was successful) will infect the recently compromised system with malware.
Exploit kits "are one of the primary methods today for distributing malware and infecting users all around the world," explained Trustwave's Director of Research, Ziv Mador, in an interview with CSO.
One of the most notorious exploit kits in recent times was called Blackhole. The Blackhole Exploit Kit was first released in 2010, and during the three years it was active, it became the most used exploit kit on the Web. At one point, nearly 30 percent of the drive-by-download attacks on the Internet could be linked to Blackhole.
However, the giant came crashing down once the person behind its development - known as Paunch - was arrested in October of 2013. In a bind, criminals needed a new kit to turn to, and the Magnitude Exploit Kit (Magnitude / a.k.a. PopAds) seemed to fit the bill.
One of the first criminal enterprises to move to Magnitude was the Cutwail botnet. When Blackhole went offline, the Cutwail botnet suffered a slight setback in URL and attachment spam levels.
At the time, the operators of Cutwail were mainly focused on distributing the GameOver Zeus malware via Pinterest-based phishing campaigns. So by moving to Magnitude, with an established infrastructure and a solid list of exploit options, Cutwail's operators were able to recover quickly.
But in the grand scheme of things, exploit kits are themselves an up-and-coming business model, explains RSA-FirstWatch Senior Manager, Alex Cox.
"The bad guys can charge less for the service and work with more scale, and it's appealing to the buyer because they don't have to set up their own infrastructure. It was really successful for the operator of the Blackhole Exploit Kit in the past, but the downside for the criminal is that it focuses takedown and law enforcement attention on them."