The recent arrest of alleged BlackHole exploit kit creator 'Paunch' has driven criminal groups to reconsider new approaches to generating malware and will see many reverting to “less sophisticated” delivery methods in 2014, security firm Websense has advised.
Noting that at least one criminal gang had been “experimenting” with another exploit kit, Magnitude, Websense security research director Alexander Watson said in a statement that the group had subsequently reverted to more conventional approaches such as direct email attachments.
“This shift indicates that Magnitude was not working out from a business or technology perspective by the cyber-criminal gang,” Watson explained.
This was likely to lead to many cyber-criminals “investing in other places to make up for the lost income due to less sophisticated delivery mechanisms for malware,” he continued, forecasting a rise in ransomware and “more aggressive installations of malware on compromised computers.”
The Websense observations were based on a timeline analysis of the mix of email attachment-based trends.
In the weeks after the early-October arrest of Paunch, Websense analysis noted a surge in malicious emails with the same type of redirection code that previously went to the Blackhole exploit kit, now redirecting to Magnitude. Others were redirected to 'American Express themed' phishing pages, while by mid December many of the URLs previously used to direct surfers to Blackhole instead leading to 'work from home' or 'diet' pages.
The weeks after Paunch's arrest also drove a significant shift in the nature of email sent using the massive Cutwail spambot, which saw traffic volumes decline by half between October and December.
“While this particular real-time analytic captures only a sample of the Cutwail SPAM that we block, the breakdown of SPAM email with attachments with our real-time analytics to detect exploit kids illustrates a clear trend,” the analysis reports.
Among Websense predictions for 2014 are the expectation that the world will see a return to URL-based email attacks, with exploit kits offering 'malware as a service' on a larger scale.
“The use of exploit kits is simply a more effective delivery mechanism,” the company's analysis warns, “especially with an increasingly security-aware target audience.”