Cyber crime: Exploit kits in the enterprise

Cyber crime is big business and exploit kits represent one of the most critical security challenges facing the enterprise today...

Exploit kits are particularly prevalent at the moment in the UK. They are largely responsible for the 600 per cent increase in the use of malicious web links as an attack vector, according to recent research by security vendor Websense.

The growing adoption of exploit kits within the cyber criminal fraternity is impacting upon the enterprise in terms of the probability that data will be stolen and productivity will be lost. "Combining exploit kits, custom encryption to evade AV detection with the acceleration of new attack techniques, emerging zero-day vulnerabilities and the fact that exploit kits are underground (consumer based products designed to support rapid updates), it is likely that even perfect patch management will still leave windows of exposure with some of the advantage going to cybercrime," according to Elad Sharf, lead senior security researcher at Websense.

But why, then, are exploit kits so popular? That's a simple one to answer: they make hacking easy. "It's the difference between having to understand Internet Protocol and code used to put up a website back in the early 1990's compared with pointing and clicking to post to Facebook today," Kevin O'Reilly, lead security consultant with the assurance team at Context Information Security, puts it.

"The posting of exploit kits on the Internet is like handing out grenade launchers to vandals" O'Reilly explains, adding "criminals with minimal technical skills can buy a point-and-click kit to create takeover software." This can then be uploaded to an automatically cloned copy of a legitimate website and even handle the emailing of the malicious links to targeted victims in your enterprise.

Exploit kits unplugged

An exploit kit is simply a cyber crime tool that is sold as an off-the-shelf product bundle usable without the kind of technical hacking skills required in days past. But what does this bundle actually contain? IT Pro asked Wolfgang Kandek, CTO at on-demand vulnerability management and policy compliance solution provider Qualys, for the component breakdown of a typical exploit kit:

1. Coded exploits for vulnerabilities in browsers and plug-ins.

2. A web admin console, showing results such as how many machines are infected, in what countries, using what browsers and detailing the best exploits and campaigns in terms of breach success.

3. A database to store all relevant data.  

4. The include' of files to be hosted on a web server which can then be implemented by the sites that will be used to infect their visitors.

5. The sites that will be used to infect visitors, either setup specifically for that purpose to attract traffic by convincing search engines to link to them (using Search Engine Poisoning techniques) or more commonly sites that were hacked by the attacker. A current example is the site iphonedevsdk.com which was involved in the attacks on Apple, Facebook and Twitter. It notes: "A single administrator account was compromised. The hackers used this account to modify our theme and inject JavaScript into our site". The JavaScript inject' mentioned by iphonedevsdk is one of the include' files provided by the exploit pack.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
Cyber attacks on manufacturing up 300% in a year
Security

Cyber attacks on manufacturing up 300% in a year

11 May 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021