How Malware Steals Credit Card Data from Your POS Systems

How Malware Steals Credit Card Data from Your POS SystemsSome of the biggest data breaches involving credit card data, including those that hit Home Depot and Target, were perpetrated by POS malware – we’ll explain exactly how POS malware works.

A brief overview of the market behind POS malware

POS malware is a vital tool in the highly lucrative credit card data theft industry. At the end of the supply chain, there are people who use fake credit cards to purchase products and services. These people source these fraudulent cards from cyber gangs who produce the fake cards.

The gangs in turn source data that make up the cards from carding forums or stores (a.k.a. card malls or card shops) on the dark net or other online black markets. Sellers in these marketplaces typically offer thousands or even millions of pieces of credit card data. Lastly, the people who sell card data in those forums and stores purchase the data in bulk from hackers (yes, we know they’re supposed to be called crackers).

It’s these hackers who employ POS malware. Cyber criminals are drawn to where the money is. As long as there are people down the supply chain who will use fake credit cards, there will always be criminals who will steal the data to make those cards work. As a result, businesses will always be under the threat of data-stealing POS malware.

How a POS system gets infected

Before any POS malware can go about stealing credit card data, it first has to find its way into a POS system. Unfortunately for us, there are many ways for it to get there.

Because POS vendors sometimes need remote access to their products for troubleshooting, applying patches, or performing technical support, most POS devices are designed to directly or indirectly connect to the Internet. As part of PCI DSS compliance, some systems are also required to connect to the Internet in order to perform time-synchronization with NTP servers. Lastly, an Internet connection may also be needed to enable the system to export purchasing, inventory, or other business data to remote servers.

While needed for upkeep, maintenance, security, and other business functions of the device, the Internet also allows attackers to gain access. Here are the most common ways POS systems get infected with malware:

Phishing and social engineering

Not all of these systems are dedicated POS terminals. In fact, many of them are regular desktops that run on Windows. When a POS system is set up like this, it’s likely to be used for other functions like sending/receiving emails, web browsing, checking social media sites, instant messaging, and other online activities.

Unfortunately, these online activities are susceptible to phishing and other social engineering attacks. Once the user clicks a link or downloads an attachment in a phishing email or message, they could end up downloading either the malware itself or a trojan that subsequently downloads the malware.

Unpatched systems

As in most other systems, a POS terminal can also get infected when malware exploits vulnerabilities in the operating system, browser plugins, or the web browser itself. Known vulnerabilities are easily addressed through patches or software updates. Unfortunately, most people don’t patch properly, and many don’t patch at all.

Hacked administrative interface

As mentioned earlier, the main purpose of these Internet connections is for performing upgrades, tech support, and troubleshooting. To perform these tasks, the vendor has to connect through some form of administrative interface. Attackers sometimes brute force their way into these interfaces or take advantage of default settings. Once they’ve gained entry, they then install the malware.

Compromised third party credentials

It’s common for businesses to employ the services of various third parties. Some of these third party providers are given access to either the POS machine itself (e.g. for vendors of software installed on the same machine) or to another device running on the same network as the POS machine. This gives cybercriminals an avenue for attack.

Cybercriminals can steal login credentials assigned to these third parties in order to gain access into the POS system. This type of attack is difficult to trace because if you view the logs, the logins appear to be carried out by someone authorized to access the system.

Other compromised devices in the network

In the event that the POS device is connected to the office LAN but not to the Internet, cyber criminals can still access the device through an indirect attack. They would first attack a device connected to the Internet and use that as a jump off point to reach their main objective.

They can employ phishing, brute force, or an SQL injection on the corporate website. They can even simply hack into a network device whose factory default passwords have not been changed. Once they’ve gotten a foothold into the network, they usually try to acquire administrative-level credentials before finally seeking out the main target – the POS machine. Once they’ve breached to the POS machine, they install the malware.

RAM scraping

So what happens when malware gets installed on a POS system? It does what it’s programmed to do – steal credit card data. Theoretically, there are number of opportunities for malware to steal credit card data from a POS system. First, while the data is stored (a.k.a. data-at-rest). Second, while it traverses the network (a.k.a. data-in-transit). And third, while the credit card data is in memory.

Most POS systems encrypt data-at-rest and data-in-transit (e.g. via SSL/TLS or IPsec), so POS malware rarely strikes at these stages. Cyber criminals can extract the information they need only if the data is in plaintext (unencrypted) form. Usually, this only ever happens when the data is still in memory. This explains why most current malware (including the one used in the Target data breach) attack there.

The process of stealing information from RAM is known as RAM scraping. Depending on the type of RAM scraper, data is stolen either wholesale (i.e. everything is grabbed from memory) or according to a pattern match. RAM scrapers can typically collect the PAN or credit card number, name of cardholder, card expiration date, CVV code, and other information embedded in the cards magnetic stripe. After the data is scraped from RAM, it is temporarily stashed in a file somewhere in the system or in the network.

As more customers come in and have their credit card data swiped, more data is collected and accumulated into that same file. After a certain period, the malware connects to a remote C&C (Command and Control) server and commences with the exfiltration process.

Covert exfiltration and persistence

To avoid being detected, some POS malware encrypts the data before transmitting to the C&C. Some also use HTTP requests in transmitting the data to avoid suspicion. This will make it appear that the POS system is being used for harmless activities like web browsing, allowing the exfiltration process to bypass firewalls and most antivirus solutions.

Note that, when a RAM scraper grabs data from memory, it only manages to grab information from a single card, i.e. the card that was recently swiped. That’s why, as mentioned earlier, the data scraped from memory would still have to be accumulated into a sort of “staging” file. Because it can take some time before a substantial amount of data is collected, the malware has to persist in the system as long as possible for it to be effective.

To do that, POS malware usually employs privilege escalation techniques like tampering logs or disabling antiviruses and monitoring tools. Some types of malware also create backup copies of themselves, which are retrieved in the event their “production” selves are somehow deleted or incapacitated.

Mitigating the POS malware threat

Last year (2016), the rate of identity theft hit an all-time high, with some 15.4 million consumers getting victimized through some form of ID theft. This translated to about $16 billion worth of losses through fraud. Although not all of these incidents involved the use of POS malware, POS malware still remains one of the biggest threats to merchants who haven’t yet adopted EMV chip cards.

To mitigate this particular threat, businesses must adopt a number of security measures, including:

1. Dedicating a POS terminal solely to POS-related functions;
2. If budget does not permit #1, prohibiting employees from using a non-dedicated POS system for non work-related tasks (e.g. personal web browsing, email, or social media);
3. If #2 is still not possible, training employees to recognize and handle phishing emails/messages;
4. Updating all firmware and software;
5. Using reputable antivirus software;
6. Using firewalls and content filtering solutions that identify and block both suspicious inbound and outbound traffic;
7. Ensuring that in-house admins and third parties use strong passwords and 2-factor authentication; and
8. Adopting EMV-enabled cards, which theoretically eliminates credit card cloning.

For help to protect yourself from POS malware, feel free to contact us.

DNS Security Solutions and Your Brand

DNS Security Solutions And Your BrandHow much do you trust a firm once you learn it was the victim of ransomware, data exposure, downtime from a DDoS attack, or some other network breach? If you are like millions of others, you just don’t believe in such firms or sites afterward. That is why you need to consider the longevity and strength of your brand in the face of modern security threats, and implement DNS security solutions that do their best to protect it.

What Can You Do?

We already mentioned DNS security solutions, so let us continue along that thread. In the world of online threats, it seems that DNS has become a popular target for exploits. This is partly due to the rise of IoT or the Internet of Things. These devices are often left unsecured, then infected with malware and turned into an army that floods DNS services and leave their global clients unavailable.

Of course, attacks can also source from within through such activities as torrent and file sharing, adult website visits and other (often prohibited) behaviours. Ideal DNS security solutions would address all of these things through proper monitoring and defence. For example, advanced malware protection, easy to use cloud security solutions, and advanced DNS protection could implement the following actions:

Network policy enforcement – It may seem extreme to create pre-emptive blocks, but your brand’s reputation is worth far more than a few employees feeling annoyed that you cannot just trust them to follow policy. Optimized solutions are able to create effective blocks for tagged traffic patterns, preventing disasters from striking with a single click.

Network protection – Real time protection is nearly impossible to overemphasize, and particularly where DNS security is concerned. When built in a layered design, it will allow you to know that any malicious activity or malware in the system will be identified before it can wreak havoc. A solid solution incorporates botnet, APT and malware or ransomware protections.

Network management – Proper defence of the DNS and network is impossible without the clarity of network assessment and evaluation. Where are your vulnerabilities? Where is there wasted bandwidth? What is the nature of the traffic? It is only through clear data that you are able to make informed decisions about the nature of threats inside or outside of the network.

This is a system of defence that will only enhance your brand. While more and more threats appear, and more and more global names (think Airbnb, PayPal and Sony) are threatened by breaches and botnets, you can easily implement DNS security solutions when you turn to the qualified experts.

Your DNS and IoT Vulnerabilities

Your DNS and IoT VulnerabilitiesAre you properly defended? In the sense of your computer and network safety, do you feel you have a good defence in depth strategy? This is not something to take lightly, and if you wish to truthfully answer yes, you have to be sure you have defences such as a DNS firewall, advanced malware protection, cloud security solutions, and more. Let us take a moment to understand just why this is important to anyone online.

Consider this – the source code for the Mirai botnet was shared online in late 2016. This is a form of malware that converts networked IoT devices into remote controlled bots. These are then used in enormous numbers to perform network attacks at an astonishing scale. In fact, the Mirai botnet actually knocked the entire nation of Liberia offline.

Once the Mirai botnet was shared, though, it split many times over, and now there are multiple Mirai derivatives at work. While you may not yet know what that means to you in terms of security, it is safe to say that you do not want to become victim to it – whether as a business owner or consumer.

To understand why a strong DNS firewall, real time malware protection, and internet security services are important, we need to look at what happened when the Mirai botnet set to work in October of 2016.

Mirai at Work

When the malware had infected enough machines, it attacked and disrupted websites as famous as Airbnb, PayPal, Spotify and the PlayStation network. It did this by taking over IoT (Internet of Things) devices like baby monitors, CCTV systems, DVRs and routers. Though you may not think that the processing power of your CCTV system would amount to much, imagine millions of devices pooling their resources…this is how the Mirai botnet (and many other botnets) operate.

What did it use the power for? It performed a DDoS or distributed denial of service attack that flooded the systems at a firm known as Dyn, a cloud DNS provider. While IT experts are consistently advising against online businesses relying strictly on a single DNS provider in order to ensure accessibility even when under an attack, there are steps that you can take directly to protect yourself.

Considering Real Time Solutions

A DNS firewall is easily one of the strongest ways to overcome the risk of IoT vulnerability, botnets, malware and other threats. It will prevent system connections to known or recognized malicious locations. However, it can also make you aware of the presence of botnets within, or threatening, your network. Because the availability of your website (which is your business) is linked to the availability of your network, you have no real choice but to find ways to implement DNS security solutions. It is the availability of those DNS services that make you reachable, and the botnet attacks are directly targeting this accessibility.
Until IoT devices and other vulnerabilities that plague the Internet are remedied, it is best to find options for a DNS firewall, DNS security solutions, advanced malware protection and other cloud security solutions.

Ransomware nets $1 Million from Korean Web Provider

We knew that WannaCry wasn’t going to remain the biggest ransomware news for long, but we certainly didn’t expect the next big thing to strike so soon either. Earlier this week, a ransomware gang managed to collect the biggest known ransomware payout in history, a cool $1 Million USD.

The WannaCry operation, which affected over 200,000 computers in 150 countries, only managed a total of $142,479 worth of bitcoin as of June 24. Not bad, but certainly not as lucrative as $1 000,000.00.

Aside from the type of ransomware used, the major difference between these two record-setting ransomware incidents is the scope of the attacks. WannaCry was designed to be more of a “spray and pray” type of attack and hence had a larger scope. This new attack, on the other hand, was a targeted attack aimed at only one company.

This particular victim was actually a South Korean web provider named Nayana. The attack, which held 153 Linux servers captive, affected more than 3,400 websites hosted by Nayana. Given the stakes – loss of customer data, business opportunity, revenue, and trust, as well as potential legal actions – Nayana felt it had no choice but to pay up.

This record-setting ransom payment will certainly have serious repercussions. Cybercriminals will now be more inspired than ever to launch their own ransomware attacks. The only way to discourage future attacks is by not paying the ransom. Sadly, that’s easier said than done. It’s easy to preach until you become a victim and it’s your business on the line.

We’re sure to see a whole new wave of ransomware soon. Until then, make sure that your backup and disaster recovery plans are up to par and look to enhance the security of your network.

Are Vigilante Worms the Solution to IoT Botnets?

Mirai, the IoT botnet responsible for record-breaking DDoS attacks last year, has taken a hit. Thanks in part to what appear to be ‘vigilante worms’, which are either taking over or taking down the IoT devices that make up Mirai’s massive network. While these worms might have been effective in disrupting Mirai’s operations, are vigilante worms really the solution to the IoT botnet epidemic?

So far, cyber security researchers have identified two worms that appear to be the handiwork of vigilantes: Hajime and Brickerbot. The former seems to be taking over IoT devices targeted by Mirai, while the latter goes a step farther, rendering the devices unusable.

There’s no doubt Mirai and its ilk are serious threats to business. They already crippled several high-traffic websites and cloud-based services like Amazon, CNN, Netflix, Twitter, and The New York Times in a single DDoS event which rendered them unavailable to a large part of the United States and Europe.

There’s also no question that most IoT devices are widely vulnerable to hacking. When you combine the severity of the IoT botnet threat with the vulnerability and proliferation of IoT devices, it’s easy to see how serious the risk is. While something must be done to mitigate this risk, should that include acts of vigilantism?

Before tackling this question, it is important to know what we’re dealing with.

 

Characteristics of the Hajime worm

Like Mirai, Hajime is a worm, meaning it’s capable of infecting a device and then spreading to other devices in the network without any human intervention. Like Mirai, Hajime also targets IoT devices. It penetrates them by scanning open Telnet ports and then breaking in using default factory passwords.

Hajime has a couple of other features that’s supposed to make it more effective than Mirai. For example, instead of using a centralized C&C (Command-and-Control) server for sending commands to its bots, Hajime uses a P2P (peer-to-peer) architecture. In this architecture, the bots themselves also serve as C&Cs.

To take down a botnet, you need to chop off its head by severing the C&C channel. Thus, Hajime’s network is more resilient than Mirai’s because it consists of multiple C&Cs (i.e., multiple heads to chop off) while the latter may only have one or two of them.

The Hajime botnet is constantly evolving, with the authors adding new features to make it even more stealthy and resilient as well as more effective at breaking into IoT devices.

Malware researchers believe it now has three attack methods. The first method can exploit an Arris cable modem’s password-of-the-day, a relatively old remote backdoor that’s been used since 2009. The second is the Telnet default password attack, which is just like the one employed by Mirai. And the third is the TR-069 exploit, a relatively new attack that exploits the TR-069 standard which ISPs use to manage modems remotely.

Once it’s able to break into a device, Hajime tries to conceal its activities by hiding its running processes and accompanying files. It also enables attackers to open a remote shell over which they can issue commands.

With all these advanced features, you’d think Hajime would be all set to claim Mirai’s turf. It could, but strangely, the authors of Hajime don’t seem interested in doing that. Unlike Mirai, Hajime’s not equipped with DDoS (Distributed Denial-of-Service) capabilities. In fact, in its current form, it doesn’t seem to have any capabilities for attacking other systems (except of course the IoT devices it ensnares).

Instead, it simply seems to be preventing Mirai from carrying out its plans. Hajime does so by blocking ports 23, 7547, 5555, and 5358 – the very same ports normally exploited by Mirai. While those ports are blocked, Mirai is unable to break into the device.

According to researchers, Hajime displays a cryptographically signed message on the terminals (if there are any) of ensnared devices. The message goes states: “Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!”

Hajime does have a few weaknesses though. Like Mirai, Hajime only gets loaded in the device’s RAM. Thus, it lacks a persistence mechanism that would allow it to stay in the device indefinitely. As soon as the device is rebooted, it would automatically be free from the Hajime infection and those blocked ports would be open (and vulnerable to either a Mirai or Hajime infection) once again.

Hajime’s not the only computer worm out to spoil Mirai’s party. There’s one more, and it’s called Brickerbot.

 

Brickerbot characteristics

Like Hajime, Brickerbot is another vigilante worm that breaks into IoT devices by exploiting default passwords. Unlike Hajime however, which only blocks ports targeted by Mirai upon infection, Brickerbot takes a more radical approach; it bricks every IoT device it infects.

More specifically, Brickerbot wipes the device clean and disconnects it from the Internet. As soon as you reboot the device or do a factory reset, you’ll realize it’s already been bricked. Naturally, a bricked IoT device can no longer be infected. It’s a rather cruel way of countering the Mirai epidemic and the author of Brickerbot knows it, calling his/her approach a form of “Internet Chemotherapy”.

Chemotherapy, which is commonly used for treating cancer patients, destroys not only cancer cells, but also good cells. Janit0r, (the name used by Brickerbot’s author) thinks the ubiquity of vulnerable IoT devices and the risk they pose (i.e. massive DDoS attacks) is a critical issue that “couldn’t be solved quickly enough by conventional means.” and therefore requires a radical treatment.

 

It takes a worm to stop a worm?

A computer worm like Mirai spreads from one device to another on its own. It doesn’t require a human being to install, download, or copy it. For this reason, a large number of devices can be infected by Mirai in a short period of time. And if you’re talking about IoT devices, that number can easily reach millions.

With such a high infection rate, any undertaking for stopping this malware that relies on manual methods will surely prove futile. That’s why the authors of Hajime and Brickerbot are taking this path. They obviously think, in order to stop a worm, you need a solution with worm-link capabilities.

 

Understanding the risks of relying on vigilante worms

First of all, we must remember that these worms are developed by human beings. People are fickle. What starts with noble intentions may develop into something else.

Because Hajime and Brickerbot already have the ability to break into IoT devices, propagate, and lock down its victims, just a small update would be needed for them carry out more sinister acts if their authors eventually decide to turn to the dark side.

These newly weaponized botnets could then be used to launch DDoS attacks or infect and brick IoT-enabled critical devices such as medical equipment. Many of the infected devices are cameras which could lead to espionage or voyeurism.

Even if these worms’ developers maintain their do-good profile, several threat actors could take interest in these projects. If malicious individuals are able to hijack these worms, they could then be weaponized.

Let’s also not forget the fact that, certain vigilante worms – like Brickerbot – have the tendency to inflict disproportionate punishment or unwarranted collateral damage. These worms are supposed to punish IoT device manufacturers for failing to build secure devices, but these worms are in fact destroying other people’s property. Two wrongs still don’t make a right.

Nevertheless, the emergence of Mirai, Hajime and Brickerbot should serve as a wake up call to the manufacturers of IoT devices. The vulnerabilities on these devices pose a serious threat not only to the potential victims of DDoS attacks, but also to the owners of these devices who may be collateral damage to acts of cyber vigilantism.

These 6 DNS Attacks Threaten Your Business

Most Internet-based tasks are dependent on DNS: web browsing, email, file transfers, social media posts, instant messaging, and a variety of communications and data exchange processes. It follows then, if you take down a DNS service, other networking services may also be rendered unusable.

Because these services are vital to modern-day business operations, any threat that may cause an extended disruption to these services must be considered critical. The biggest threats to the availability of DNS (and in turn, network services) are denial-of-service attacks. In this post, we talk about the different types of DNS DoS attacks and discuss the mechanisms behind each type of attack

 

Fundamentals of a DNS DoS attack

The concept of a DNS Denial of Service (DoS) attack is pretty simple. A concentrated attack from tens, hundreds, thousands, or even millions of machines is directed to a DNS server (or group of servers) with the intention of preventing it from providing DNS services to clients or resolvers. It’s like getting blocked from your phone’s contact list. If you can’t access your address book, you likely won’t be able to call your friends, relatives, etc.

When clients and resolvers are denied access to DNS, users and machines (in the case of B2B transactions) will be unable to carry out tasks that are dependent on DNS. There are different ways of taking down or disrupting a DNS service, here are some of the most common.

 

1. DNS Flood

One of the most common types of DNS DoS attacks is the DNS Flood. This attack is carried out over the UDP (User Datagram Protocol) protocol, the primary protocol (the other being TCP) over which DNS messages are transmitted.

A DNS flood attack is performed by sending out a large number of DNS requests to UDP port 53. The goal of the attack is to overwhelm the target DNS server with requests (mostly consisting of malformed or bogus packet information) and prevent legitimate requests from coming through.

 

2. TCP SYN Flood

Although most DNS messages are transmitted through UDP, a substantial volume of messages are also transmitted through TCP (Transmission Control Protocol). DNS responses that exceed 512 bytes in size or transmissions involved in zone transfers all use TCP. For this reason, DNS servers can be vulnerable to TCP SYN Flood attacks, a type of DoS attack that exploits the TCP three-way handshake.

In a nutshell, the TCP three-way handshake works like this:

  1. Client requests a connection to a server by sending a SYN message to the latter
  2. Server responds with a SYN-ACK message as acknowledgement
  3. Client responds with an ACK message as its own acknowledgement, and a connection is established

An attacker who exploits this handshake typically sends a SYN request to the victim, which in our case would be a DNS server, but the victim doesn’t receive any ACK after it responds with a SYN-ACK.

The attacker does this by either not sending back the expected ACK or by using a spoofed source IP address. When a spoofed IP address is used, the DNS server will end up sending its SYN-ACK to the owner of the spoofed IP, who won’t respond because it never sent a SYN request in the first place.

The victim then waits for the response in case the ACK was simply delayed due to poor network conditions. In the meantime, it’s forced to allocate resources for the half-open connection.

In a DNS TCP SYN Flood DoS attack, an attacker directs a large number of these bogus SYN requests to a DNS server. While the victim waits for ACK responses which will never arrive, it continues to allocate resources for the partial connections. Eventually, the server runs out of resources to allocate and additional SYN requests, including those from legitimate clients, are denied.

 

3. NXDOMAIN Flood

When a client or DNS resolver sends out a domain resolution request to a DNS server and the server is unable to resolve that domain into an IP address, the server responds with what is known as an NXDOMAIN response message. This response is sent when the server believes the domain doesn’t exist.

In an NXDOMAIN Flood, an attacker floods a DNS server with queries for non-existent domain names. As a result, the server wastes computing resources trying to resolve domains that don’t exist. At the same time, the server’s cache accumulates NXDOMAIN results, pushing out valid cache entries in the process. When this happens, the server’s processes slow to a crawl and/or will be unable to accept additional requests, legitimate or not.

 

4. DNS Reflection

In a DNS reflection attack, the attacker sends out DNS requests to one or more DNS servers. These DNS servers aren’t the main targets of the attack, but are used as conduits for conducting the attack.

The underlying trick in this attack lies in the attacker’s DNS requests, which are actually spoofed requests. More specifically, the “from” or return IP address in the requests are spoofed. When the DNS servers receive the requests, they send their responses to the spoofed IP address.

 

Because the spoofed recipient was not expecting those DNS responses, as it never sent the requests in the first place, it uses resources trying to make sense of those responses. A few of these responses will not affect the target DNS server. However, once those responses number in the thousands, it can eventually overwhelm the target DNS server.

There is also a variation of this attack that makes it easier for attackers to overwhelm the target DNS server. It’s known as the DNS Reflection Amplification DoS Attack.

 

5. DNS Reflection Amplification DoS

In the DNS Reflection Amplification DoS attack, attackers exploit a DNS characteristic wherein the response is usually larger than the request or query. In fact, there are some DNS responses (like those using ANY or DNSSEC record types) that are many times larger than the original request.

The ANY request, for instance, requests ALL information pertinent to a domain. This may include MX records, A records, and several others – practically all cached records. So, the response can be much larger or “amplified”.

 

In addition to using queries that result in large responses, attackers can also exploit open resolvers in order to amplify the attack even further. Basically, the attackers send the requests via open resolvers, which in turn store the spoofed return addresses in their respective caches.

Once the spoofed return addresses are already cached in a large number of open resolvers, those cache-poisoned resolvers can then be used to launch a massive DDoS attack against the target DNS server.

 

6. Botnet DDoS

Today’s attacks on DNS systems have gotten more disruptive. What used to be simple DoS (denial-of-service) attacks have now evolved into much larger DDoS (Distributed Denial-of-Service) attacks. These attacks are typically launched from botnets, (a network of compromised computers that receive commands from attackers.

Instead of a single machine (or a handful of machines) sending out malicious/bogus packets to a DNS system, a DDoS attack may now involve thousands of machines.

Cyber criminals have also devised methods to ensnare IoT (Internet of Things) devices and build massive botnets out of them. Due to the considerably large number of insecure IoT devices already in use, DDoS botnets can potentially consist of hundreds of thousands or even millions of compromised devices.

As a consequence, DDoS attacks are now much more disruptive than ever before. The IoT botnet DDoS attack on DNS provider Dyn last year, which had an estimated throughput of 1.2 Tbps and was said to be twice the size of the previous largest DDoS attack on record, managed to block users from practically the entire US East Coast and many parts of Europe.

Unless IoT manufacturers start taking security seriously and address the vulnerabilities that plague IoT devices, the threat of massive DDoS attacks on DNS systems will remain.

 

Next steps

The availability of your business is now closely tied with the availability of your network, which is in turn highly dependent on the availability of DNS services. In order to prevent major disruptions to your business due to DNS denial-of-service attacks, your DNS must be an integral part of your defence strategy. Learn how.

Why You Should be Concerned With DNS Security

DNS servers are vital to almost every process that takes place on the Internet. They allow us to browse the web, transact on an e-commerce site, chat via instant messaging, send out file transfers, communicate through email, etc. So when these DNS servers are compromised or somehow fail, the services that rely on them can be adversely affected. 

That’s exactly what happened last October when a DNS provider serving popular websites like Twitter, Amazon, AirBnB, CNN, Comcast, Spotify, Tumblr, Wired, and many others, got hit by a massive DDoS attack. From the point of view of the end users, those sites appeared to be down. While their servers were technically available, they weren’t reachable. That’s because the DNS system users relied on to get to those sites were out of commission.

Why DNS is crucial to Internet connectivity

The main function of the Domain Name System (DNS) is pretty simple; it’s designed to associate certain information to domain names. DNS is responsible for resolving IP addresses to hostname/domain names and back.

This is necessary because the servers that host sites like xdomain.com or ftp.somedomain.edu are actually identified by client machines through IP addresses like 62.115.13.128 or 210.213.130.182 and not through the domain names xdomain.com or ftp.somedomain.edu per se. The client machines – i.e., desktops, laptops, tablets, smartphones, or other servers – need to know what those IP addresses are before they can establish a connection.

When a user types something like xdomain.com into a browser, that request will first have to go through a DNS server. The DNS server (or more specifically, a chain of DNS servers) will then take that domain name, resolve it into the IP address that matches the domain name and then provide that information to the requesting client. Only then can the client connect to the xdomain.com server. 1

Without the DNS system, there’s no way the user will be able to connect without knowing the corresponding IP address for xdomain’s server.
 

Threats to DNS

Generally speaking, threats to DNS systems can be grouped into three:

●Threats against the integrity of data in a DNS system

●Threats against the confidentiality of data in a DNS system

●Threats against the availability of a DNS system

Threats to DNS integrity

Threats to data integrity in a DNS system pertain to threats that may result in intentional or accidental modification of data in a DNS system. There are certain pieces of data used in DNS which, if tampered with, can lead to serious consequences.

For example, if the Resource Records (RR) that are stored in zone files, memory or cache, are tampered with or if the responses to legitimate queries are tainted with bogus information, users can be redirected to other (potentially malicious) sites.

The most common type of attack aimed at damaging the integrity of a DNS system is cache poisoning. The objective of this attack is to force a DNS server to cache bogus information; usually a domain name mapped to the wrong IP address. As a result, when a client submits a legitimate query to the DNS system, the system will then reply with the wrong information.2

Once a cyber attacker succeeds in redirecting traffic to a malicious site (presumably also controlled by the attacker), bad things can happen. These sites are often meticulously crafted to resemble the legitimate site so that redirected users can be deceived into entering sensitive information like passwords, credit card data, and personally identifiable information (PII).

 

Threats to DNS availability

These are the types of threats that render DNS servers inaccessible. When that happens, DNS queries may go unanswered. As a result, clients will be unable to reach the sites they’ve been meaning to connect to. DNS outages can be caused by unintentional server failures or deliberate DoS/DDoS attacks.

3

Recent events have shown that this type of threat has the potential to inflict the most damage among the three. This is primarily because of the way a large portion of the Internet now operates, wherein a multitude of sites rely heavily on a few service providers. When a major DNS service provider bogs down, availability issues can easily affect a large number of sites or customers spanning a vast geographical area, just like what happened in the

Some of the common types of attacks that target DNS availability include the following:

●DNS amplification

●Distributed Reflection DoS (DrDoS)

●NXDOMAIN flood

●Phantom domain

●Slow drip

●TCP SYN flood

●IoT botnet DDoS

An IoT botnet DDoS attack was responsible for the Dyn outage. That attack, which was the largest DDoS attack on record, was noteworthy in that it was launched from an army of compromised IoT devices. This is a serious threat because, if it could bring down an infrastructure as robust as Dyn (even just for a few hours), it could easily overwhelm the infrastructures of much smaller DNS providers.
 

Threats to DNS confidentiality

Threats to the confidentiality of data in DNS systems are not as glaring as the other two, but shouldn’t be taken lightly. If, for example, RRs for internal hosts are stored in external name servers and those servers are compromised, the information obtained can provide attackers insights about the internal network. This information can then be used to support and inform subsequent stages of an attack.

One of the tasks many security consultants perform in the early stages of a penetration testing engagement is DNS reconnaissance. DNS reconnaissance can reveal a lot about an organization’s DNS servers, their RRs and, in turn, the organization’s network infrastructure.

Some of the techniques employed in DNS reconnaissance include:

●DNS server cache snooping

●Domain brute force

●Reverse lookup

●Zone transfer

●Zone walking

 

Impact to business

The impact of a DNS attack on businesses can vary greatly depending on the threat. If it’s an attack on the confidentiality of DNS data, the impact could be minimal.

However, if that incident was actually just reconnaissance that eventually led to a deeper penetration of the network, or a data breach, the impact could be huge. If the data breach involved personal information, the business could face legal action or hefty.

If it’s the integrity of DNS data that’s compromised and client machines are redirected to malicious sites, this can impact:

1.The owners of the client machines. Once these machines are redirected to malicious sites, the owners of these machines could suffer financial losses or loss of confidential information (e.g. credit card data or PII).

2.The owners of the spoofed sites. The moment word of the fraudulent transactions gets out (and spreads through social media), the businesses who own those sites could suffer irreparable brand damage. They could also suffer financial losses as they try to remediate the problem or defend themselves against lawsuits.

If it’s the availability of DNS services that’s compromised, the biggest consequences are likely to be in terms of opportunity and trust. If you have an online business (e.g. an e-commerce, or online banking site) and your DNS provider suffers a lengthy outage (say, several hours), the loss in terms of sales could be massive.

To learn more about using DNS security to protect your data and your reputation, contact us

Cloudbleed: Rethinking The Current State of Internet Security

The Cloudflare incident that derailed weekend plans for many cyber security professionals is turning out to be a huge eye opener. The culprit, a bug now known as Cloudbleed, resulted in a serious data leak which affected an abundance of websites. As the dust began to settle, it became clear that the implications were far more severe than anticipated. The Internet has undergone considerable changes, and security issues must now be handled differently.

 

An overview of Cloudflare

In order to understand the extent of Cloudbleed, it is crucial to become familiar with the role of Cloudflare in today’s Internet. While most people might not know what Cloudflare is, there is a good chance that these same individuals actually interact with a Cloudflare service multiple times a day. Take, for instance, the following example:

oneStep

The above image is that of a Cloudflare feature in action. It serves the purpose of protecting the site that a given individual is about to visit, keeping it safe from spammers and bots by making sure the person is, in fact, human. Cloudflare is a content delivery network that also provides DDoS protection, web application firewalls, DNS (domain name server), and reverse proxy services. This network serves millions of websites, acting as a layer between those sites and their visitors.

orange

That has some advantages and disadvantages. One disadvantage is that if something goes wrong at that layer, a lot of websites are going to be affected.

 

Cloudbleed in a nutshell

Cloudbleed was a bug in the Cloudflare infrastructure that resulted in a data leak involving passwords, keys, cookies, POST data, and HTTPS requests; the whole nine yards. Some of this data, which came from Cloudflare customer websites, included PII (personally identifiable information), private messages, and other confidential information. Although data would only leak out if certain conditions were met, the sheer size of Coudflare’s customer base made the incident a major issue.

To make matters worse, some of the information that leaked was caught by search engine crawlers and cached into memory. This means that, even after the bug was identified and fixed, one critical, and rather tricky, task still remained.

Cloudflare had to work with Google and other search engine providers to make sure leaked data was completely scrubbed from search engine caches. Otherwise, the data would run the risk of being targeted by shady (or simply curious) characters as soon as details of the security incident broke out.

Technically speaking, the bug only affected three features:

  1. Email Obfuscation – a feature that prevents bots from harvesting email addresses (which attackers use in their spamming campaigns) from web pages;
  2. Server-Side Excludes – a feature that hides sensitive content on your site from suspicious visitors; and
  3. Automatic HTTPS Rewrites – a feature that rewrites HTTP links to HTTPS.

In addition, the bug was only triggered if (in addition to any of those features being enabled) the HTML page that was served was malformed, i.e. the page had to end with an unterminated attribute.

However, because much of Cloudflare’s infrastructure is basically shared by its large customer base, a lot of websites were still affected by the bug – even if those sites did not have any of those three features enabled. Some of the popular websites known to have been impacted included Uber, Fitbit, and OkCupid. A much longer list of potentially affected sites can be found on Github.

In order to perform their specific functions, all three features – email obfuscation, server-side excludes, and automatic HTTPS rewrites – have to parse and modify HTML pages as the pages pass through Cloudflare’s edge servers and are subsequently served to clients. To do this, the three features rely on what is known as an HTML parser. It was this HTML parser that contained the bug, which in turn caused random memory leaks.

Cloudflare’s detailed explanation can be found here for those wanting to dive into more technical information.

 

Discovery and Remediation

The data leak was accidentally discovered by Tavis Ormandy, a security analyst at Google’s Project Zero.

“On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn’t match what I had been expecting”, Tavis posted in a bug report. He added that “…It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data.”

When he and other members of the team managed to fetch some live samples, they were able to obtain data that should not have been out in the open – encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests. As soon as they were able to pinpoint Cloudflare as the source of the leaked data, they immediately tried to establish contact with Cloudflare’s security team. Tavis decided to reach out through twitter.

Fortunately, some members of the Cloudflare security team were active on social media and word of the tweet reached them. This led to a series of exchanges and some collaborative work. The bug was found and a patch was deployed in less than a day. As soon as the bug’s location was identified (but before a patch was released), Cloudflare initiated what they called a “global kill” switch that disabled the features in question throughout their global network.

However, it did take more time to work with the search engine engineers in purging leaked data that was already cached. After further investigation, it was later discovered that the bug may have been leaking data for months. The leak is estimated to have stretched from late September 2016 to February 2017.

That estimated period over which data leaked is quite alarming, considering that search engines aren’t the only entities who mobilize crawlers across the Web. Ideally, leaked data cached in those systems would be purged as well.

To be on the safe side, all Cloudflare customers must assume that their sites might have leaked some amount of data and take appropriate measures. Some of the countermeasures include resetting passwords, forcing re-authentication, invalidating session cookies, rolling internal authorization tokens, adapting two-factor authentication, and educating users of potential risks.

 

Cloudbleed and the Current State of the Internet

Cloudbleed (and the recent Amazon outage) indicates a couple of things. First, that the Internet, as many of us know it, is now heavily dependent on just a handful of organizations. The downside is that, when something goes wrong with the infrastructure of those few organizations, a massive fraction of the Internet – and everyone using it – suffers.

Indeed, if services from the top providers like Amazon and Cloudflare go offline or acquire some form of vulnerability, a lot of businesses will be affected. There is, however, an upside to this. Because things are provided as-a-service by a single provider, a fix can be made in a central location and then rapidly propagated across all nodes.

In the case of Cloudbleed, a simple activation of a kill switch at Cloudflare switched off all affected features, thereby plugging the holes throughout its entire global infrastructure in a matter of seconds. As soon as the bug was fixed, that fix was then propagated throughout the infrastructure, almost instantly.

The rise of ubiquitous cloud service providers has altered the Internet landscape in a big way. In order to mitigate the risks that accompany this new landscape, on can take the lessons learned from Cloudbleed into consideration when developing new security strategies.

Phishing and its Impact on Businesses and Employees

Despite the many tools in place to prevent them, phishing attacks continue to be a menace to employees and businesses. In Q3 of 2016, the Anti-Phishing Working Group detected at least 340 hijacked brands per month. In the last month of that same period, they also found 104,973 unique phishing sites. In order to understand the implications of these statistics, one needs to gain a better understanding of phishing attacks, the motivations behind them, why they succeed, and their impact to business.

In a nutshell, a phishing attack is a fraudulent message, usually in the form of an email, which lures users into clicking a link. That link in turn either leads the victim to a malicious website or initiates a malicious download.

 

Anatomy of a Phishing Attack

Phishing email is a form of spam email; it’s an undesirable message sent in bulk to a large number of recipients. While traditional spam emails are mostly part of advertising campaigns, phishing emails are more sinister. The main goal of a phishing email is usually to obtain confidential information from the email’s recipient.

In essence, the following is what takes place during a phishing attack:

  1. First, the phishing email is sent to a large collection of email addresses. These days, the mass mailings are launched from zombie computers or devices that belong to botnets.
  2. If the phishing email was well crafted, the victim would be compelled to either click on a link found in the email body, or download an attachment.
  3. If the victim clicks on the link, he or she will likely be redirected to a landing page closely resembling a legitimate webpage of a popular and trusted company. Most of the organizations impersonated are banks, credit card companies, online payment service providers (e.g. PayPal), and even social networking sites. The use of a reputable brand name increases the probability of the victim performing the desired action (e.g. fill out a form or download a file).
  4. If the victim downloads an email attachment, he or she will likely end up installing a trojan that might contain a key logger, botnet client, ransomware, or just about any other type of malware.

phishing

Why Cyber Criminals Phish

The goal of most phishing attacks is to acquire what is known as personally identifiable information, or PII. This information includes data that, either individually or combined with other relevant data, can be used to identify an individual. Examples of this kind of data would include social security numbers, bank account numbers, credit card numbers, medical records, educational records, mailing addresses, biometric records, and so on.

Stolen PII is often sold in shady online marketplaces, where they will then be purchased by identity thieves. These cybercriminals then use the information to carry out credit card or banking fraud and other fraudulent transactions. The cost of a single piece of stolen personal information can range from a few dollars to thousands of dollars, depending on the specific information that has been obtained. For example, a random credit card number can cost $5; a medical record, $50; and a bank account credential, $1,000.

Looking at the total value of PII belonging to thousands of individuals makes it is easy to understand why phishing can be so lucrative.

 

How Phishing Attacks Succeed

Phishing relies on the time-tested art of deception. These days, cyber security experts and cyber criminals have dubbed these deceptive acts “social engineering.” Social engineering plays on people’s emotions, curiosity, fear, or plain gullibility.

A simplified example of what one might read in a phishing email would be as follows:

Congratulations! You just won in the 2017 Online Lottery. Please claim your prize by clicking the link below.”

Most people get excited when they are told they won something – even if they never bought a ticket for any “2017 Online Lottery” in the first place.

Some phishing emails play on fear and take advantage of recent events, for example, a massive data breach. The following is what one might receive in the wake of a PayPal data breach:

 

“Dear [insert your name here]

 

Earlier today, PayPal’s databases were hacked and several user accounts were compromised. We regret to inform you that your account was one of them. While no funds have been stolen yet, we can confirm that the hackers were able to acquire your login credentials. To prevent any financial loss, you need to reset your password immediately. Click the link below and follow the instructions to carry out the reset.”

 

The message above can be quite alarming and can spur a sense of urgency. For this reason, some recipients of this email would no longer stop to think and just do as instructed.

These deceptive messages are made more believable with the advent of HTML-based emails. Unlike plain text emails, HTML-based emails can be spruced up with graphics and formatted text. Hence, it’s easier to make them resemble official communications from a trusted or reputable source – like a bank or, in the example above, Paypal.

When people are faced with a well-written and professionally formatted email bearing a trusted logo, most of them won’t bother to verify its authenticity.

 

Increasing Email Open Rates and Clicks Through Spear Phishing

Traditionally, phishing emails followed a spray and pray tactic. Attackers typically sent out large volumes of emails without any regard as to who would end up receiving them. For example, of the thousands who would receive the “Paypal” email, only a few may actually own a PayPal account. As a result, the majority of those who would receive the email would mark it as spam.

To increase the efficiency of their attacks, phishers started resorting to more sophisticated techniques. One of these techniques is known as spear phishing. This is a more targeted phishing attack aimed at a specific individual or group of people.

Spear phishing emails contain elements closely associated with the target. For example, a spear phishing email may mention and may appear to originate from the target’s boss, their organization’s network administrator, or HR manager. In addition, it may follow the company’s standard email format and include the corporate letterhead.

Because spear phishing emails are so customized, their open rates and click-through rates are quite high. The people who conduct spear phishing attacks usually have even more sinister intentions in mind than just stealing PII.

Many of these attackers are often after high value targets buried deep inside the organization. Hence, the main purpose of the phishing attack might be to acquire administrative credentials for privilege escalation or to infiltrate the network in preparation for an APT (advanced persistent threat) campaign.

Spear phishing emails are typically laced with malicious attachments that often take the form of corporate files like PowerPoint presentations, reports, spreadsheets, resumes, and business documents. While these files appear as common file formats like .PDFs, .PPTs, .DOCXs, and .XLSs, they are actually executable (.EXE) files containing trojans that may even connect to remote command-and-control (C&C) servers.

 

Business Impact

Although phishing attacks are primarily aimed at individuals (more specifically, their PII), they can have other unintended, but nevertheless unavoidable casualties as well.

When phishers launch an attack, they usually need to hijack a legitimate brand. As discussed earlier, attackers typically set up a malicious landing page that closely resembles the web page of a trusted brand. This makes it easier to convince victims into responding to a call-to-action, such as filling out a form or downloading something.

These brands become casualties once the phishing campaign is discovered and later disclosed in news outlets or social media. This type of publicity can hurt the brand’s image, leaving the impression that its web pages are unsafe. Some customers might end up avoiding the brand’s legitimate websites for fear of accidentally landing on a fake web page.

In most cases, the people who do land on a hijacked brand’s website are likely customers of that organization. These people can lose confidence in the brand and may ultimately drop it for a competitor. Worse, if they actually become victims (i.e. their personal data get stolen), they might even file a lawsuit, or, if the data is covered by data protection regulations, the company can be levied fines for noncompliance.

 

How to Defend a Business against Phishing Attacks

There are a couple of ways to thwart phishing attacks, the first of which being user education. This method of avoidance is primarily designed to counter the social engineering aspect of the attack. Because users are the recipients of phishing emails, your employees must be trained to determine when an email can be considered suspicious.

 

Some indicators include:

  • Requests for personal information
  • Deceptive domain names (e.g. paypal.somebank.com is certainly not a legitimate PayPal domain)
  • Generic salutations (e.g. Dear Sir instead of Dear [your name])
  • URLs that don’t match what is being displayed on the link (You can verify this by hovering your mouse on the link and inspecting the link that appears on your browser’s bar)
  • Emails with executable file attachments (the common file types include exe, com, jar, msi, bat, and scr, but there are many others)
  • Any email attachment that wasn’t expected (you can always verify with the sender)
  • Messages that elicit heightened emotions, whether of happiness, fear, pity, etc.
  • A sender who’s not familiar to you

 

Although user education is an important component in countering phishing attacks, it is by no means ironclad. Employees can forget or even disregard warning signs; hence, one will need to augment user education with something immune to human shortcomings.

Learn how our DNS Security Solutions can help detect and block fraudulent links, phishing campaigns, rogue antivirus downloads, and forced redirection to malicious domains.

*APWG Phishing Activity Trends Report  – 3rd Quarter 2016

What is an exploit kit?

Attackers who want to infect systems with malware usually need a vehicle to reach as many infections as possible. These days, that vehicle is most often an exploit kit. In this post, we take a closer look at exploit kits, where they fit in the cybercrime industry, what’s inside a typical toolkit, and most importantly, how they work.

 

A peek into the exploit kit industry

Before we talk about what an exploit kit (EK) is and how it works, let’s first discuss the financial incentive for developing these kits. What drives people to create exploit kits?

Contrary to what most people think, not everyone who commits cyber crime has the technical skills to “hack into a system”. There are those who carry out cyber attacks by simply relying on ready-made tools they purchased in black hat marketplaces on the dark web.

Let’s say that Joe reads this article and learns that ransomware campaigns can be quite lucrative. Being morally flexible, Joe decides to launch a ransomware campaign. Joe then realizes that ransom malware by itself is not enough. He still needs to deliver the malware onto a victim’s system. One way to do that is by taking advantage of certain vulnerabilities in the system. Luckily, people have already written programs for doing just that.

These tiny programs or pieces of code are called ‘exploits’ and can be purchased through black hat hacking forums. The prices of these exploits vary, with zero-day exploits generally priced higher. So if an attacker like Joe gets a hold of an exploit, is he good to go? Not quite yet.

One exploit typically can only target one vulnerability. It’s hard to predict what vulnerabilities are present in a system. So if Joe only targets one vulnerability, chances are he would only be able to compromise a few systems, while ignoring other systems that have other vulnerabilities. If Joe wants to infect those systems too, he needs to acquire exploits for those vulnerabilities as well.

It gets even more complicated because different exploits might be written by different authors. That means, he would have to communicate with several parties. It would be so much easier if he could only deal with one vendor. That’s where exploits kits come in.

An exploit toolkit or kit is a tool, usually written in PHP, that already comes with a collection of exploits. The people who develop exploit kits purchase exploits from exploit authors and package them into one tool. They (the exploit kit developers) then sell their kits to people like Joe.

exploit_kit_supply_chain

Some exploit kit licenses have validity periods. Once the license subscription expires, you would need to purchase a new subscription to continue using it. Other exploit kits are offered as a subscription service. The rates typically range from a few hundred dollars per month to a couple thousand dollars per month. This typically includes tech support and updates or patches. For example, there may be patches that introduce new evasion techniques, new exploits, or support for certain malware.

Some of the most notorious exploit kits in recent history include:

  • Angler
  • Rig
  • Neutrino
  • Blackhole
  • Sweet Orange
  • Nuclear
  • Magnitude

 

Inside an exploit toolkit

When an attacker purchases an exploit kit, he’ll be provided with a management console. Here he’ll see various information and statistics pertinent to his exploit campaign. This is to help him monitor how the overall campaign and the individual exploits are performing.

In addition to the number of times each exploit type was delivered, the attacker will also see where those exploits actually landed. Mostly, he’ll see the countries that were targeted. Cyber attackers normally want to target specific countries (US is the usual favorite), so they want to verify whether the campaign was actually successful in that geographical region. Toolkits can focus on specific areas through geolocation based on the victim’s IP address.

Another key piece of information is the victim’s Operating System and web browser. Certain malware only works on certain operating systems (e.g. Windows), so it’s important for the payloads to be dropped in those systems.

Here’s a screen grab from a Youtube video showing Black Hole EK’s management console:

screengrab blackholeek

Lastly, a toolkit would typically include a module for uploading or selecting the desired payload. The attacker can either pick from a selection of payloads bundled with the kit or upload his own payload. Some of the most commonly used payloads include:

  • Click-fraud bots (e.g. Bedep)
  • Ransomware (e.g. CryptXXX, TelsaCrypt)
  • Spambots (e.g. Tofsee)
  • Banking Trojans (e.g. Zeus, Panda Banker)
  • Worms (e.g. Qbot)
  • Botnets (e.g. Andromeda/Gamarue)
  • And many others

 

How exploit kits work

There are different kinds of exploit kits, but the most popular are those designed to exploit vulnerabilities in web browsers and browser plugins like Flash, Silverlight, Java, and ActiveX.

Below is a simplified diagram illustrating a web-based exploit kit. The actual set ups are often far more sophisticated than this and can also involve other processes, but this should give you an idea of the basic structure.

how_exploit_kits_work

 

1.    Victim lands on a compromised website

The first stage of an exploit kit attack begins when a victim visits a compromised website. These are usually popular, legitimate websites, including blogs, news sites, and social networking sites. Examples of high-traffic sites that have already been hijacked by exploit kit attackers in the past include: BBC, Yahoo, MSN, AOL, MySpace, Forbes, and New York Times, to mention a few.

The way attackers do this varies. Some attackers target vulnerabilities in CMS (content management system) plugins or in the CMS themselves. Others, like those that carry out domain shadowing, take advantage of weak login credentials. There are also those who perform cross-site scripting, SQL-injection, or FTP compromise. Perhaps the most popular method, though, is malvertising.

In a malvertising campaign, attackers target ad networks. This then allows them to reach a wide range of legitimate (and often high-traffic) websites without having to hack into the websites themselves.

 

2. Victim is redirected to the exploit kit’s landing page

Once the victim visits a compromised site or one that serves malvertising-infected ads, the victim’s browser will then be redirected to the exploit kit’s landing page. This redirection is carried out through an HTML iframe, 302 cushioning or some surreptitious code that the attacker previously injected into the legitimate website or malicious ad.

This article about the Stegano exploit kit offers a nice example of how a typical malvertising campaign and the use of a banner ad laced with a malicious script works.

As soon as the victim gets redirected to the landing page, the profiling process begins. Here, pertinent information regarding the victim’s browser and its plugins is collected. What the exploit kit will want to know is the kind of vulnerabilities that are present on either the web browser or the browser’s plugins. Because each browser or plugin version will have already been associated with a set of known vulnerabilities, it’s usually enough to just determine the version numbers.

 

3. Exploits are served

Once the version numbers (and consequently, the corresponding vulnerabilities) have been identified, the exploit kit will know which exploits to deliver. In most cases, the landing page is only used for profiling. The exploits and the payloads are usually hosted on a separate server. In fact, in many cases, these two (exploits and payloads) are likewise separated as well.

The first thing that gets delivered to the victim’s browser are the exploits. As you have already learned, these exploits will take advantage of the vulnerabilities that have been previously identified. If the exploit or exploits are successful, the exploit kit then delivers the final blow.

 

4. Malicious payload is delivered

At this final stage, the exploit kit drops whatever payload it was configured for. As mentioned earlier, the payload can be ransomware, a keylogger, a banking trojan, or just about any type of malware.

 

How exploit kit attacks succeed

The main reason that these kits are so effective is that the malicious payloads are usually delivered without the victim having to click or intentionally download anything. All the victim has to do is visit a compromised site, and the payload will be downloaded automatically in the background.

Known as a drive-by-download, this covert method is a staple in many exploit kits and is one of the primary reasons they succeed in delivering various forms of malware. Since the victim doesn’t notice anything alarming or suspicious, they are less likely to think anything is amiss.

Another major reason why these kits succeed is because a lot of people don’t patch their software. Patches typically include security updates that fix known vulnerabilities. So, if people don’t patch, the vulnerabilities will remain. In fact, some exploit kit exploits have been found to target vulnerabilities that have already been known for years. Until we have a better solution for handling updates or remove the incentive to launch these attacks, there will be a busy trade in exploit kits.