Magnitude Exploit Kit Grows In Popularity Thanks To Free Distribution Model

An exploit kit called Magnitude (formerly known as PopAds) continues to gain popularity among cyber criminals, thanks to its high success probability and an innovative distribution model that doesn’t require ‘customers’ to make a downpayment.

Instead, the team behind Magnitude takes control of up to a fifth of compromised machines, and infects them with ransomware.

US security vendor Trustwave has been tracking the spread of the exploit kit and uncovered eight control servers, three of which are based in the UK, that have been used to infect as many as 210,000 computers per month.

These findings were presented at the annual Black Hat cyber security conference in Las Vegas.

Growing in Magnitude

It is widely believed that Magnitude is filling the void left after ‘Paunch’, one of the alleged creators of the popular Blackhole exploit kit, was arrested in Russia in October 2013. Following the arrest, the service for updating Blackhole was shut down and its malware encryption service became inaccessible.

Unlike Blackhole, Magnitude doesn’t require the users to pay a weekly or monthly fee – instead the creators are taking 5 to 20 percent of compromised machines as payment, then attacking them with ‘Cryptowall Defense’ malware.

“We saw cases where people managed to infect a large number of machines and the portion they had to allocate was smaller, down to five percent. It’s like a volume discount,” Ziv Mador, Director of Security Research at Trustwave, told TechWeekEurope.

Much like the infamous ‘Cryptolocker’, Cryptowall Defense encrypts victim’s files and then demands a ransom in Bitcoin. Trustwave tracked the digital wallets that belong to the creators of Magnitude, and came to the conclusion that the scheme netted them at least $60,000 to $100,000 a week.

“The cybercrime world has become very modular, in a similar way to the world of legitimate business,” Mador explained. “The cyber gang behind Magnitude, what they do best is run those servers, develop those exploits and set up all the infrastructure needed to run a campaign and infect a large number of machines out there, that’s their expertise. The customers, who are obviously also cyber criminals – nothing here is legit – all they have to do is generate traffic to the exploit kit, and provide their malware of choice.”

Magnitude attempted to exploit 1.1 million unique IPs and successfully infected 210,000 computers during a single month of observation. The operation is controlled from three servers in the UK, four in the Netherlands and one in Ukraine. The countries with most victims are the US and Iran, however 6,347 victims were from the UK.

The kit is based around three simple exploits that target older versions of Internet Explorer and Java. Despite its basic structure, Magnitude is surprisingly effective, especially in developing countries – for example, the infection success rate in Vietnam stood at 68 percent.

“The infection rates depend on the level of patching, age of software – old browsers are more susceptible to infection. But it also depends on deployment of security products,” said Mador. He added that organisations in developing countries spend less on security products, which leaves them more vulnerable to cyber crime.

How well do you know network security? Try our quiz and find out!