Jane Wasson
Published in The Azimuth
Sep 10, 2018 · 5 min read

Exploit Kit Detection and Tracking: How Area 1 Security Preempts Phishing Attacks

By: Phil Syme, Area 1 Security (@Area1Security)

Phishing is big business. Threat actors easily craft attacks that evade the best security defenses, downloading exploits that infect systems and cause billions of dollars of damage every year. But what if security defenses could foresee an attack before it’s launched? By using innovative techniques to proactively detect and track threat actor exploit kit activity in the wild, before attacks launch, Area 1 Security is turning the tables on threat actors and effectively protecting customers from phishing attacks that other advanced security solutions miss.

How Threat Actors Execute Phishing Attacks

One of the many ways phishing attacks can lure victims is through a trusted web page where a malicious payload is downloaded to exploit the victim’s browser. These kinds of attacks are termed “drive-by downloads” — just surfing to these particular malicious pages (or being served a malicious ad within otherwise benign pages) infects the victim. No second click is needed, no download is visible, and the user doesn’t need to enter their credentials — just by viewing the page the user has unwittingly become a victim. Threat actors execute these attacks by compromising web pages or sneaking malicious ads into an ad network.

A “compromised” web page is a web page that has been altered by a threat actor without the system administrator’s or webmaster’s knowledge. Compromised web servers and websites are extremely common. Most sites that run a content management system (CMS), such as WordPress, are easy targets: when a security bug is found in the CMS software, every site running it is vulnerable to compromise until a patch for the bug is deployed. Threat actors can and do automatically scan the web for such sites and then quickly compromise them with automated scripts.

Once threat actors compromise a site, it is used to serve up drive-by download attacks and is extremely valuable to them. Code used in such an attack often targets software vulnerabilities announced via public advisories or, more rarely, vulnerabilities not yet known to the security community at large, and is a precious commodity to the threat actors. As such, a small cottage industry of malicious entities who rent and sell these exploits to other threat actors has sprung up. The code that packages and uses these exploits is called an “exploit kit” by the security community. The most sophisticated groups host specialized exploit servers (for other threat-actor consumers) termed “gates.” You can think of these exploit kit gates as central servers set up by sophisticated threat actors that deliver malicious payloads — an Amazon of the electronic underworld.

Attackers frequently use a two-tier, and sometimes three-tier, linked architecture to execute these attacks. Malvertising attacks (online ads that spread malware) often use this method. First, reputable websites are compromised to host malicious redirection code — code that causes the browser to jump to a different site and that can hide in an HTML “iframe,” which makes the behavior undetectable by a typical user. A second linked server hosts the malicious content, and sometimes the second-tier servers in turn fetch content from a third-tier server. This allows attackers to cloak their core servers. The attackers also use multiple tiers to select victims by geographic region or originating country, browser type, and other factors. Because the browser exploit code is so valuable and effective, threat actors take great care to target specific victims and to remain undetectable to the security community.

Proactive Hunting for Threat Actor Infrastructure

To protect from these threats, Area 1’s innovative Exploit Kit (EK) Detection and Tracking technology proactively hunts for compromised web pages and exploit kit gates. The technology discovers malicious sites and payloads weeks and sometimes months in advance of industry benchmarks. Area 1 Horizon’s anti-phishing service uses the resulting early visibility into phishing infrastructure and payloads, plus predictive analysis techniques, to add a layer of security to customer networks that effectively detects and blocks phishing across all attack vectors, including email, web, and network, and protects customers from cyber breaches.

Dynamic Web Crawling

To get ahead of threat actors, Area 1 Security developed EK Tracking technology that crawls the web to hunt for compromised web pages. The technology identifies “seed” URLs to crawl using data analytics and detection algorithms that look for very specific “fingerprints” associated with such pages.

Sources of these seed URLs include:

  • Large-scale breadth-first-search (BFS) and random sampling using a fast static crawl of the web
  • URLs and DNS information from Area 1’s globally deployed network sensors
  • Passive DNS data

The Area 1 EK detection technology crawls the seed URLs in an intelligent way to detect malicious behavior, payloads and associated threat infrastructure.

How Compromised Web Pages are Detected

The Area 1 EK detection technology can discover a variety of exploits that run on compromised web pages. The technology runs all JavaScript on a page in the guise of a specific browser and uses signatures and detection algorithms that, given the evolution and final runtime state of a page, can discover malicious behavior. Malicious-binary detection algorithms (including machine learning models and other statistical models) catch binary payloads that appear at runtime. The technology can also track some malvertising campaigns, using similar techniques to scan web ads.
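As an added illustration (not Area 1’s code), here is a small Python detector that runs over a page’s final rendered HTML, as a crawler would obtain it after executing the page’s JavaScript, and flags hidden, cross-origin iframes of the kind used for the first-tier redirection described above. The sample page and the hostnames in it are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a benign page whose rendered DOM carries an injected,
# effectively invisible iframe pointing at a second-tier host (hypothetical names).
SAMPLE_HTML = """
<html><body>
<h1>Quarterly newsletter</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://second-tier.example.net/gate.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>
"""

# CSS fragments that keep a frame invisible or off-screen.
HIDDEN_CSS = ("display:none", "visibility:hidden", "left:-9999px")

def _is_hidden(attrs):
    """Heuristic: 1x1-or-smaller frames, or CSS that hides/offsets the frame."""
    w = attrs.get("width", "").strip().rstrip("px")
    h = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = w.isdigit() and h.isdigit() and int(w) <= 1 and int(h) <= 1
    return tiny or any(marker in style for marker in HIDDEN_CSS)

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the (post-render) HTML."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})

def find_hidden_cross_origin_iframes(html, page_url):
    """Return (src, host) for each hidden iframe that loads from another host."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    hits = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host and _is_hidden(attrs):
            hits.append((src, host))
    return hits

if __name__ == "__main__":
    for src, host in find_hidden_cross_origin_iframes(SAMPLE_HTML, "https://www.example.com/news"):
        print(f"hidden cross-origin iframe -> {host}: {src}")
```

Each flagged host is a candidate second-tier server to feed into the gate analysis described in the next section; a real crawler would apply this to the DOM after script execution, since injected iframes are often written by JavaScript rather than present in the static HTML.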

How Exploit Gates are Detected

By analyzing the results of the compromised web page detection, the EK Tracker technology can determine whether any of the linked servers that deliver malicious content are EK infrastructure servers. In some cases accurate detection is complicated because the infrastructure is shared (an IP address can host many domains, some benign, for example) and because attackers move and rotate their core infrastructure. The resulting threat insight arms the Area 1 Horizon anti-phishing service to detect and block phishing attacks and effectively protect customer systems and data.

Sample Exploit Kits Tracked

Here’s a list of some of the most recent EKs and campaigns that Area 1 currently tracks, including some that have gone dormant but can reappear at any time:

A New Approach to Phishing Defense

It’s clear how threat actors craft their attacks, executing email and web-based attacks via compromised websites and exploit kits, and that reactive defenses fail to protect against them. Effective security requires taking the offensive: getting ahead of threat actors, proactively discovering their infrastructure, and tracking their activity before attacks launch. Only then can security defenses identify and protect against inbound attacks originating from seemingly reputable websites and senders. Area 1 Security is continuously hunting for phishing campaigns and infrastructure in the wild, and our Area 1 Horizon anti-phishing service stops the email, web, and network phishing attacks that other security technologies miss. For more information, please visit our website or register for a demo.
