BlackHole arrest sending cyber-crims back to exploit drawing board: Websense

The recent arrest of alleged BlackHole exploit kit creator 'Paunch' has driven criminal groups to reconsider new approaches to generating malware and will see many reverting to “less sophisticated” delivery methods in 2014, security firm Websense has advised.

Noting that at least one criminal gang had been “experimenting” with another exploit kit, Magnitude, Websense security research director Alexander Watson said in a statement that the group had subsequently reverted to more conventional approaches such as direct email attachments.

“This shift indicates that Magnitude was not working out from a business or technology perspective by the cyber-criminal gang,” Watson explained.

This was likely to lead to many cyber-criminals “investing in other places to make up for the lost income due to less sophisticated delivery mechanisms for malware,” he continued, forecasting a rise in ransomware and “more aggressive installations of malware on compromised computers.”

The Websense observations were based on a timeline analysis of trends in email attachment-based attacks.

In the weeks after the early-October arrest of Paunch, Websense analysis noted a surge in malicious emails carrying the same type of redirection code that previously led to the Blackhole exploit kit, now redirecting to Magnitude. Others redirected to 'American Express'-themed phishing pages, and by mid-December many of the URLs previously used to send visitors to Blackhole were instead leading to 'work from home' or 'diet' pages.

The weeks after Paunch's arrest also drove a significant shift in the nature of email sent using the massive Cutwail spambot, which saw traffic volumes decline by half between October and December.

“While this particular real-time analytic captures only a sample of the Cutwail SPAM that we block, the breakdown of SPAM email with attachments with our real-time analytics to detect exploit kits illustrates a clear trend,” the analysis reports.

Among Websense's predictions for 2014 is a return to URL-based email attacks, with exploit kits offering 'malware as a service' on a larger scale.

“The use of exploit kits is simply a more effective delivery mechanism,” the company's analysis warns, “especially with an increasingly security-aware target audience.”

Stories by David Braue