Posted on | May 15, 2013 | 1 comment
SEATTLE — AppRiver has uncovered yet more evidence that so-called drive-by downloads — infections lurking on legitimate websites — have become the predominant way cyber criminals are infecting PCs.
The Gulf Breeze, Fla.-based messaging security firm found “RedKit” to be one of the most prevalent malicious programs circulating on websites in April.
RedKit and a similar tool, the so-called “Blackhole” exploit kit, have emerged as a cybercriminal’s indispensable Swiss Army knife. CyberTruth earlier reported on analysis from firewall vendor Palo Alto Networks revealing that the vast majority of malware seeping into company networks arrives via drive-by download.
So now, we’ve asked AppRiver senior analyst Fred Touchette to drill down on how exploit kits, like RedKit and Blackhole, are helping cybercriminals circulate nasty infections all over the Internet.
LW: What makes exploit kits so worrisome?
Touchette: An exploit kit is essentially a software package that makes the exploitation of vulnerable websites simple for cyber criminals. They’re easy to configure and automated. You just click a button. The user needs very little technical knowledge. And if he requires some help, some toolkit authors even offer a one-year support license included in the price of the kit.
LW: What’s distinctive about kits such as Blackhole and RedKit?
Touchette: The prevalence of these kits is what sets them apart from other threats. The kits remain effective over and over again. The ease of their use in addition to their effectiveness means we also end up seeing large botnets being created as a result.
LW: What are the bad guys who use exploit kits typically after?
Touchette: The goal of these attacks is to make or steal money. They cast a net and drag in whatever is found. They’ll take all of the identities and bank account information they can get their hands on. It’s important to realize that Web threats are real and the need to stay protected makes good sense.
LW: What else is important about how website-borne infections are evolving?
Touchette: The big takeaway is that most attacks are specific to the initial “drive-by” attack. Exploited websites redirect your browser to a second, and sometimes third, website where the initial exploit resides and attempts to take over the victim’s computer. The best way to contain these attacks is to recognize such malicious redirects and shut them down before a victim’s browser is able to make it to the point where the malware is delivered.
LW: What should the average Internet user understand about website-borne threats?
Touchette: It’s important to realize that most of these attacks are automated and capable of seeking out vulnerable websites, exploiting them and using them to spread malware. It’s not just the back alley websites where malware is kept anymore; it can reside on everyday, seemingly innocuous sites. In fact, even reputable sites accidentally serve up malicious software from time to time. That’s why it is important to use a layered security approach and remain vigilant while online.
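The redirect chain Touchette describes (a compromised legitimate page sending the browser through a second and sometimes third site before the exploit and payload are served) leaves a recognizable trace in web proxy logs: an off-site request that answers 3xx, followed by further off-site 3xx hops that still carry the original page as Referer, then a 2xx landing page and a download of an executable-type object. The script below is an added illustration written for this article, not AppRiver's or Touchette's tooling; the log format and every log line are constructed for the example, and the hostnames, content types and the `min_hops` threshold are assumptions, not indicators from the original page.

```python
"""Reconstruct browser redirect chains from proxy log lines and flag the
multi-hop drive-by pattern: legitimate origin page -> one or more off-site
3xx redirectors -> landing page -> executable-type payload.

Added example for this article; the log format, hosts and lines are
constructed, not real data from AppRiver or any customer.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed proxy log format (one request per line):
#   timestamp client method url status referer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+) (?P<ctype>\S+)$"
)

# Constructed sample: client 10.0.0.5 hits a compromised news page that pulls
# in a redirector, which bounces twice before landing on the exploit host.
# Client 10.0.0.7 hits the same page but only sees an ordinary ad redirect.
SAMPLE_LOG = """\
2013-04-02T10:01:00 10.0.0.5 GET http://news.example.com/story.html 200 - text/html
2013-04-02T10:01:01 10.0.0.5 GET http://news.example.com/css/site.css 200 http://news.example.com/story.html text/css
2013-04-02T10:01:02 10.0.0.5 GET http://cdn-stats.example.net/t.php 302 http://news.example.com/story.html text/html
2013-04-02T10:01:02 10.0.0.5 GET http://a1b2.example.org/in.php 302 http://news.example.com/story.html text/html
2013-04-02T10:01:03 10.0.0.5 GET http://x9y8.example.org/land.html 200 http://news.example.com/story.html text/html
2013-04-02T10:01:04 10.0.0.5 GET http://x9y8.example.org/load.jar 200 http://x9y8.example.org/land.html application/java-archive
2013-04-02T10:05:00 10.0.0.7 GET http://news.example.com/story.html 200 - text/html
2013-04-02T10:05:01 10.0.0.7 GET http://ads.example.com/show 302 http://news.example.com/story.html text/html
2013-04-02T10:05:01 10.0.0.7 GET http://ads.example.com/creative.png 200 http://news.example.com/story.html image/png
"""

# Assumed list of content types an exploit landing page typically hands the
# browser; extend to taste.
PAYLOAD_TYPES = {
    "application/java-archive",
    "application/x-msdownload",
    "application/octet-stream",
    "application/x-shockwave-flash",
}


def host_of(url):
    """Hostname of a URL, or None for the proxy's '-' placeholder."""
    return urlparse(url).hostname if url != "-" else None


def parse_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["host"] = host_of(e["url"])
        entries.append(e)
    return entries


def find_redirect_chains(entries, min_hops=2):
    """Return suspicious chains with at least `min_hops` distinct off-site
    redirecting hosts between the origin page and the landing page.

    Browsers keep the original Referer across 3xx hops, so the hops of one
    chain are same-client requests sharing the referer of the first hop."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)

    findings = []
    for client, reqs in by_client.items():
        consumed = set()  # indexes already attributed to a reported chain
        for i, start in enumerate(reqs):
            ref_host = host_of(start["referer"])
            if i in consumed or not ref_host or start["host"] == ref_host:
                continue
            if not 300 <= start["status"] < 400:
                continue
            hops, used, landing = [start["host"]], [i], None
            for j in range(i + 1, len(reqs)):
                nxt = reqs[j]
                # A request back to the origin, or with another referer, is
                # not part of this chain.
                if nxt["referer"] != start["referer"] or nxt["host"] == ref_host:
                    break
                used.append(j)
                if 300 <= nxt["status"] < 400:
                    hops.append(nxt["host"])
                    continue
                if 200 <= nxt["status"] < 300:
                    landing = nxt
                break
            if landing is None or len(set(hops)) < min_hops:
                continue
            consumed.update(used)
            # Anything the landing page itself pulls in with a payload-like
            # content type is the likely exploit/malware download.
            payload = next((p for p in reqs if p["referer"] == landing["url"]
                            and p["ctype"] in PAYLOAD_TYPES), None)
            findings.append({
                "client": client,
                "origin": ref_host,
                "hops": hops,
                "landing_url": landing["url"],
                "payload_url": payload["url"] if payload else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']}: {f['origin']} -> {' -> '.join(f['hops'])} "
              f"-> {f['landing_url']} (payload: {f['payload_url']})")
```

On the constructed log this reports one chain for 10.0.0.5 (news.example.com through cdn-stats.example.net and a1b2.example.org to the landing page, with load.jar as the payload) and nothing for 10.0.0.7, whose single-hop ad redirect stays under the threshold. In practice the hop hosts are where a proxy or DNS block list earns its keep, since cutting the chain at the first redirector stops the browser before it ever reaches the landing page.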