
Researchers discover exploit kit servers

By Staff Writer, ITWeb
Johannesburg, 07 Aug 2014
Trustwave research has uncovered information around the Magnitude exploit kit.

Trustwave researchers have uncovered eight central control servers - three in the UK, four in the Netherlands and one in Ukraine - that cyber criminals are using to manage one of the world's most prevalent exploit kits.

According to Trustwave, this specific exploit kit, Magnitude, is being used to launch new malware attacks on hundreds of thousands of users in more than 50 countries worldwide - including SA.

While the largest number of infected users is in the US (320 411), researchers have picked up that there have been around 410 victims in SA. Researchers have captured various pieces of information about the attacks - including infected IP addresses, the type of malware used, dates the attacks occurred, compromised Web sites users accessed and more.

"People get infected without realising it. The malware targets users who are running outdated, unpatched browsers and certain plug-ins such as Java. Users can get infected by simply visiting a Web site. Their browsers can load content from a malicious Web server, giving the criminals full access to information on the infected computers," says Trustwave.

Extensive exploit

Exploit kits are malicious toolkits that come with pre-written exploit code, used by cyber criminals to exploit security holes found in software applications in order to spread malware.

Based on detections by the Trustwave Secure Web Gateway in 2013, Blackhole was the most prevalent exploit kit at 49% incidence. Magnitude was the second most prevalent kit detected, at 31%. In the first half of 2014, Trustwave researchers discovered an instance of the Magnitude exploit kit that shed light on how the kit has evolved in recent months.

"The arrest of Blackhole's creator, Paunch, in 2013, led us to believe that its prevalence would continue to decrease and Magnitude would start to fill the void. The Magnitude instance we recently discovered gave us a closer look into how its creators profit from it, how users administrate the exploit kit and how exactly it infects its victims.

"Unlike exploit kits of the past, customers cannot rent Magnitude for weekly or monthly use. Instead, the creator of the Magnitude instance we discovered takes a percentage of the customer's infected victims as payment. Depending on the amount of traffic generated by a particular customer, the kit's creator will siphon 5% to 20% of the victim traffic to deliver their own malware payload," explains the security firm.

According to recent research, it appears the creator prefers the Cryptowall Defence ransomware. Cryptowall Defence encrypts a victim's files and charges around $500 (about R5 300) for the files to be decrypted.

In one particular week, Trustwave data shows, victims deposited approximately $60 000 (about R640 000) worth of Bitcoin into the creator's wallet.

Trustwave says businesses can prevent attacks by making use of anti-malware technologies that can detect and block malware in real time. It says businesses also need to make sure they have the manpower and skill sets required to help ensure the technology is continuously updated and working properly.

As for consumers, says the company, they should make sure their software is updated and patched. "Oftentimes the criminals check that the distributed malware is not detected by many anti-virus vendors at the time of distribution, therefore anti-virus products will have very limited success in blocking the distributed malware."
