
Exposed: An inside look at the Magnitude Exploit Kit

Steve Ragan | Aug. 6, 2014
Researchers at Trustwave have provided CSO with an inside look at the Magnitude Exploit Kit's infrastructure.

But what is it about crime kits that makes them so popular? Until a few years ago, crime kits were essentially unheard of, but now they're a primary part of most criminal operations online. This trend, Cox told CSO, is driven by the lower technical sophistication of the threat actors.

"The skill set required to get into cybercrime at this time is low, and the availability of exploit kits, botnet kits, etc. reflect this," Cox added.

Magnitude makes itself known:

In October 2013, Magnitude made headlines when the kit was used in an attack on visitors to At first, when Google flagged the development platform's homepage as malicious, there was speculation that the warnings were little more than a false positive.

However, less than a day later, administrators confirmed that their servers were breached. Visitors were redirected to Magnitude via a compromised JavaScript file, and targeted by exploits for various vulnerabilities in Java and Adobe Flash.

Earlier this year, Magnitude gained additional public attention after the kit was used in an advertising attack on Yahoo. Criminals purchased ad space on Yahoo, and used the ads to redirect visitors to domains hosting the Magnitude landing page. From there, the kit would attempt to exploit vulnerabilities in Java in order to deliver malware.

Investigations into the attack revealed that the criminals were delivering various malicious payloads including Zeus, Andromeda, Necurs, Zusy, and Ngrbot. However, the most common infection seemed to be malware that focused on generating ad clicks. While the attack was caught in early 2014, there was evidence that the campaign itself had been active since December of 2013.

Researchers at Cisco concluded that the Yahoo incident was a small segment of a much larger campaign run by the same group of criminals. Following the trail outlined by Fox-IT, Cisco discovered a large cache of 21,871 host names across 393 different domains that matched the naming pattern used by the domains delivering malicious ads to Yahoo. In addition to Fox-IT and Cisco, FireEye also posted a technical analysis of the attack, reaching many of the same conclusions.
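The pivot Cisco performed, taking the naming pattern of the domains seen redirecting Yahoo visitors and searching a larger hostname dataset for more of the same, is a routine step in mapping an exploit-kit campaign. The script below is an added illustration of that technique; it is not Cisco's, Fox-IT's or Trustwave's code, and the article does not publish the real pattern. The regular expression SEED_PATTERN, the domain names and the hostname list are all constructed assumptions chosen only to exercise the logic.

```python
import re
from collections import defaultdict

# Hypothetical naming pattern used as the seed for the pivot. The article
# does not give the real pattern Cisco matched on; this one is an assumption:
# a subdomain label of 8 to 12 lowercase hex characters directly under a
# registrable domain such as example.net.
SEED_PATTERN = re.compile(
    r"^(?P<label>[0-9a-f]{8,12})\.(?P<domain>[a-z0-9-]+\.[a-z]{2,})$"
)

# Constructed hostnames in the shape of a passive-DNS export. None of these
# are real campaign indicators.
SAMPLE_HOSTNAMES = [
    "3fa9c1b2e7.ads-example-one.biz",
    "b71e4d0a9c3.ads-example-one.biz",
    "9c0d2e4f1a.ads-example-one.biz",
    "3FA9C1B2E7.ads-example-one.biz",      # same host, different case
    "cdn.legit-publisher.example",         # benign label, must not match
    "04e1f2a3b5c6.ads-example-two.net",
    "www.ads-example-two.net",             # benign label on a flagged domain
    "8bd0e3a1c2.ads-example-three.org",
    "not-a-hostname",                      # malformed line
]


def normalize(hostname):
    """Lowercase and strip surrounding whitespace and a trailing dot so
    case variants and FQDN forms collapse into one indicator."""
    return hostname.strip().lower().rstrip(".")


def cluster_by_pattern(hostnames, pattern=SEED_PATTERN):
    """Return {registrable_domain: sorted unique hostnames} for every host
    whose normalized form matches the seed pattern. Hosts that do not match
    (benign labels, malformed lines) are dropped."""
    clusters = defaultdict(set)
    for raw in hostnames:
        host = normalize(raw)
        match = pattern.match(host)
        if match:
            clusters[match.group("domain")].add(host)
    return {domain: sorted(hosts) for domain, hosts in clusters.items()}


def summarize(clusters):
    """(total matching hostnames, number of distinct domains), the two
    figures an analyst reports for a campaign of this shape."""
    total = sum(len(hosts) for hosts in clusters.values())
    return total, len(clusters)


if __name__ == "__main__":
    clusters = cluster_by_pattern(SAMPLE_HOSTNAMES)
    for domain, hosts in sorted(clusters.items()):
        print(f"{domain}: {len(hosts)} matching hosts")
    print("total hosts, distinct domains:", summarize(clusters))
```

Normalizing before matching matters more than it looks: without it, case variants and trailing-dot FQDNs inflate the hostname count and hide that two records are the same infrastructure. Against real data the seed pattern would be derived from the confirmed malicious redirect domains, then tightened or loosened by checking how many clearly benign hosts it also pulls in.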

Soon after, in February, researchers at Webroot noticed an uptick in the number of infected WordPress websites being used as stepping stones to Magnitude-based infections. The websites were compromised at scale, leveraging the legitimate reputation of each site to gain visitors' trust, and visitors were directed to Magnitude after a somewhat complex chain of redirects.

In hindsight, each of these incidents offered a small glimpse into how Magnitude works, but they were only puzzle pieces at the time.

Magnitude's Malware-as-a-Service offering:

In order to offer such a detailed glimpse into Magnitude, researchers at Trustwave needed to gain access to the servers that control some of the kit's infrastructure.

