The exact details as to how this access was obtained could not be publicly disclosed. However, CSO can report that law enforcement was informed of their findings, and that the eight servers examined for this report were all located in the United Kingdom. Exactly what law enforcement plans to do about the situation wasn't disclosed.
As things currently stand, Magnitude commands 31 percent of the exploit kit market. However, the only way to gain access to Magnitude for use in a campaign is to know someone. This level of introduction, or the friend-of-a-friend barrier, protects Magnitude's operator (believed to be a single person in Russia), while creating a unique business model.
Unlike most exploit kits, where access is based on a pay-per-campaign model, the person behind Magnitude only requires a percentage of the campaign's traffic. The percentage amount depends on the campaign itself and the overall traffic volume, but the typical access fee for Magnitude is anywhere from 5-20 percent.
When it comes to their percentage of the traffic, Magnitude's operator will install their own malware, which is usually different from what their customers are using. In previous campaigns, the payload delivered to the commissioned traffic has typically been ransomware (e.g. CryptoLocker or CryptoDefense), a pattern that remains to this day.
Examining the logs of a campaign that recently finished, and tracking the Bitcoin transactions referenced within them, Trustwave's research team determined that Magnitude's operator was generating a weekly income of $60,000 to $100,000 USD.
This income came from ransomware infections, where the victim was asked to pay between $300 and $500 USD in order to get their files back. However, this financial data is based only on the Bitcoin wallets that Trustwave was able to track; it does not account for wallets that remain unknown.
Still, acting as a clearinghouse for campaign traffic, whoever is behind Magnitude stands to make nearly $3 million per year simply by maintaining infrastructure.
Magnitude's customers are responsible for generating traffic to the kit's landing pages. Again, this traffic is what sets the commissioned percentage curve, so the larger the volume, the less the operator takes for their cut.
So, while the customer is given a customized URL for Magnitude's landing page, the rest of the campaign's operation is in their hands. In order to drive as much traffic as possible to the landing pages, criminals will initiate spam campaigns, Black Hat SEO operations, website compromises, and anything else that will help them get traffic. This is why the attacks on Yahoo, WordPress, and PHP.net were important. They were signs of traffic creation campaigns, initiated to gather as much traffic as possible with the least amount of effort.