BlackHole arrest sending cyber-crims back to exploit drawing board: Websense

The recent arrest of alleged BlackHole exploit kit creator 'Paunch' has driven criminal groups to reconsider new approaches to generating malware and will see many reverting to “less sophisticated” delivery methods in 2014, security firm Websense has advised.

Noting that at least one criminal gang had been “experimenting” with another exploit kit, Magnitude, Websense security research director Alexander Watson said in a statement that the group had subsequently reverted to more conventional approaches such as direct email attachments.

“This shift indicates that Magnitude was not working out from a business or technology perspective by the cyber-criminal gang,” Watson explained.

This was likely to lead to many cyber-criminals “investing in other places to make up for the lost income due to less sophisticated delivery mechanisms for malware,” he continued, forecasting a rise in ransomware and “more aggressive installations of malware on compromised computers.”

The Websense observations were based on a timeline analysis of trends in email attachment-based attacks.

In the weeks after the early-October arrest of Paunch, Websense analysis noted a surge in malicious emails carrying the same type of redirection code that previously led to the Blackhole exploit kit, now redirecting to Magnitude. Others were redirected to 'American Express themed' phishing pages, while by mid December many of the URLs previously used to direct surfers to Blackhole were instead leading to 'work from home' or 'diet' pages.

The weeks after Paunch's arrest also drove a significant shift in the nature of email sent using the massive Cutwail spambot, which saw traffic volumes decline by half between October and December.

“While this particular real-time analytic captures only a sample of the Cutwail SPAM that we block, the breakdown of SPAM email with attachments with our real-time analytics to detect exploit kits illustrates a clear trend,” the analysis reports.

Among Websense predictions for 2014 is the expectation that the world will see a return to URL-based email attacks, with exploit kits offering 'malware as a service' on a larger scale.

“The use of exploit kits is simply a more effective delivery mechanism,” the company's analysis warns, “especially with an increasingly security-aware target audience.”

Stories by David Braue