Cybercriminals selling exploit-as-a-service kit

Taking a page from the cloud services playbook, cybercriminals offer exploit kits plus hosting and metered pricing

Cybercriminals are taking a page from the software-as-a-service playbook: they're now selling exploit kits complete with hosting services, with customers paying for the length of time the exploits are actively infecting computers.

The kits offer several kinds of exploits, or sequences of codes that can take advantage of software vulnerabilities in order to deliver malware. Researchers from Seculert have found that at least a couple of these kits -- Incognito 2.0 and Bomba -- offer their own Web hosting as well as a Web-based management interface.

The new business model makes it easier for cybercriminals who may have trouble securing so-called "bulletproof" hosting, or ISPs willing to host malware servers, said Aviv Raff, CTO and cofounder of Seculert. The company specializes in a cloud-based service that alerts its customers to new malware, exploits and other cyberthreats.

The whole package is intended for criminals who want large numbers of hacked computers running Microsoft Windows. Once the computers are hacked, the machines can be used to steal personal data, send spam, for conducting denial-of-service attacks or other purposes.

It's also cheaper. The criminal clients pay for only the time that their exploits are live, meaning if for any reason the ISPs shut down the rogue servers, they don't have to pay, Raff said. He estimated the malware hosting and exploit service to cost between US$100 to $200 a month.

"This is all managed by the 'service provider,'" Raff said. "You as a customer only pay for the time the exploits are hosted. We don't have the exact numbers, but like any other 'cloud-based' service, it's reasonable that the account is much more affordable than buying the kit and hosting it."

The clients must provide their own malware for the exploits to deliver. They must also hack websites in order to redirected victims to the crimeware servers hosted by Incognito's operators. When a potential victim visits one of the infected websites, an iframe is displayed that brings in content from Incognito servers that starts trying to hack the machines with various exploits.

So far, Seculert counted about 8,000 legitimate websites that have been hacked and are pulling exploits hosted by Incognito. Some victims are infected when they go to those sites through normal browsing, Raff said. But the hackers have also used spam campaigns to try to draw people to infected sites.

One of those recent spam messages noticed by Seculert purported to be a support message from Twitter, which encouraged people to click on a link that was supposedly a video from near the ailing Japanese nuclear reactors in Fukushima damaged in the tsunami earlier this month. If a person clicked on the link, no video was displayed, and a Trojan downloader was installed on the computer if it had a software vulnerability.

Incognito 2.0 provides a Web-based management interface where clients can check how many computers have been infected and what type of exploit was used, Raff said. Seculert posted screenshots on its blog.

Incognito 2.0 seems to be a growing business: Seculert's researchers found after analyzing its infrastructure that at least 30 clients were using it to install everything from the Zeus banking Trojan to fake antivirus software to generic Trojan dowloaders that can install other malware on an infected computer.

At least 150,000 machines were infected during a two-week period in January. About 70 per cent of those computers were infected using an exploit for a vulnerability for the Java runtime environment, with 20 percent infected via an Adobe Reader vulnerability.

Send news tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionsecuritydata breachSeculertExploits / vulnerabilitiesIdentity fraud / theftmalwarefraud

More about Adobe SystemsMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place