
Mass EK-as-a-Service Campaign Compromises 30K+ Websites

A spike in infected websites spreading Angler and Cryptowall has resulted in more than 30,000 compromised domains since the beginning of this year—and the trend is likely to continue.

The team at Heimdal Security identified the campaign, in which attackers are using small websites to broaden their malicious reach.

“As long as you have an email address or share any kind of data on the web, you’re a target,” said Andra Zaharia, security specialist at Heimdal, in a blog. “If you have a website, even more so. It’s not that cyber-criminals care about the contents of your website. Not at all. What they want is to gain control over it so they can use it as a platform for distributing malware.”

The malware economy is also getting a boost from the on-demand use of exploit kits, and from automation.

“[The] exploit kits-as-a-service branch [of the malware business]…makes kits such as Angler or Nuclear highly available to anyone who has the resources to buy and use them,” Zaharia said.

Attackers have an established way of compromising websites they can later use as platforms for drive-by attacks. They either find the website’s admin account or console and crack its credentials, compromise the server that hosts the website, or exploit vulnerable scripts on the site to inject malicious code.

By using stolen or cracked credentials, cyber-criminals can log into the victim’s domain registrar, where they can set up new subdomains. This technique is called domain shadowing. By registering many subdomains and IP addresses, attackers can avoid blacklists and significantly enhance their distribution channels for the notorious Angler exploit kit.
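As an added example, not from the article or from Heimdal, this is one way a site owner could watch for the domain-shadowing pattern described above: compare two snapshots of the zone’s A records and flag newly added subdomains whose addresses fall outside the organisation’s known ranges. The zone snapshots and the known network are constructed sample data.

```python
import ipaddress

# Constructed sample snapshots of a zone's A records (name -> address),
# e.g. pulled from the registrar's API or a zone export at two points in time.
BASELINE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
}
CURRENT = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
    "cdn.example.com": "203.0.113.30",     # constructed: new, but inside known range
    "x7k2q.example.com": "198.51.100.44",  # constructed: new, resolves elsewhere
}

# Constructed: address ranges the organisation legitimately hosts on.
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def new_records(baseline, current):
    """Return every name present in `current` but absent from `baseline`."""
    return sorted(name for name in current if name not in baseline)


def find_shadow_candidates(baseline, current, known_nets):
    """Return (name, address) pairs for new subdomains that resolve outside
    the known ranges. New names inside known ranges are left for routine
    review; new names pointing elsewhere are the domain-shadowing signature."""
    findings = []
    for name in new_records(baseline, current):
        ip = ipaddress.ip_address(current[name])
        if not any(ip in net for net in known_nets):
            findings.append((name, current[name]))
    return findings


if __name__ == "__main__":
    print("new records:", new_records(BASELINE, CURRENT))
    print("shadow candidates:", find_shadow_candidates(BASELINE, CURRENT, KNOWN_NETS))
```

Run it periodically against fresh registrar or zone exports and alert on any non-empty result from `find_shadow_candidates`.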

“Website owners don’t exactly make it difficult, since they use default settings and credentials, such as ‘admin’ for both username and password,” Zaharia said. “That takes under a minute to crack.”

So, “Cyber-attackers are taking advantage of two core factors at this time: the fact that access to technology has become pervasive and the fact that cybersecurity education has a difficult time keeping up with the fast pace of technology adoption,” she added.

Photo © Carlos Amarillo
