Exploit kits comprised of malicious programs that identify and then attack cyber-vulnerabilities and spread malware represent the dark but massively profitable side of cybersecurity attacks.
The kits are created, sold and rented, individually or in bundles, on the black market. The majority released today come from countries with a thriving underground cybermarket, like China or Russia. Bundled exploit kits are encrypted to evade malware detection by security software. To rent a bundle for a week costs just £85, and if a cybercriminal needs only 24 hours for his attack, the same bundle is less than £20.
These exploit kits are frameworks with packaged client-side exploits and payloads created by cybercriminals to automate the process of infecting and infiltrating end user systems. The kits allow cybercriminals to easily scale their operations and evolve quickly to the changing infection vector landscape. Various exploit kits have surfaced in the last few years, such as Crime Pack, Phoenix, Elenore, Neosploit but the most prevalent one has been the Blackhole exploit kit.
According to a report by the Internet Crime Complaint Center (IC3), the Blackhole exploit kit is the most widely purchased kit in the underground market. It originates from Russia and is sold on various underground forums. The kit was first seen in September of 2010 and has been updated regularly since then. It sells both as a licensed tool as well as a hosted solution.
The kit has quarterly, semiannual and annual licensing options, but the hosted option makes it extremely easy for cybercriminals to build a new cybercrime setup without spending much time or effort. An annual license costs under £1,000 whereas a hosted solution can run as high as £4,000 annually, according to the advertised pricing on the underground forums. It is a web-based kit and follows a drive-by infection model through the web browser.
In a typical infection scenario, an unsuspecting user is lured into visiting a malicious link that redirects to the Blackhole exploit kit hosting site which starts to try to silently inject the kits in the background. When an exploit succeeds, it leads to the silent download and execution of malware. This kit is known to target various vulnerabilities in Java, Adobe Flash, Adobe Acrobat, Internet Explorer and Windows.
We predict exploit kits will be increasingly used because of their ease of deployment (rental model) and the ease and speed with which they deliver infections. The impact of these attacks will be felt in loss of data, intellectual property identify theft, financial fraud and theft, as well as in diminished business productivity and continuity.
Dell SonicWALL estimates that 70%-80% of attacks via the Internet now originate from exploit kits and expects to see continued focus and growth of these kits targeting Windows 8, Mac OS X and mobile devices, particularly Android-based.
Sign up for CIO Asia eNewsletters.