A web-based malware distribution network that was redirecting around 2 million website visitors a day to compromised websites hosting exploit kits has been disrupted, crippling the malware distribution operation. The web-based malware distribution network – known as EITest – was using compromised websites to redirect web visitors to sites where exploits were used to download malware and ransomware, as well as redirect users to phishing websites and tech support scams that convinced visitors to pay for fake software to remove non-existent malware infections.
Due to the scale of the operation, removing the redirects from compromised websites is a gargantuan task. Efforts to clean up those sites are continuing, with national CERTs notified to provide assistance. However, the web-based malware distribution network has been sinkholed and traffic is now being redirected to a safe domain. Proofpoint researchers were able to seize a key domain that was generating C&C domains, blocking the redirects and re-routing them to four new EITest domains that point to an abuse.ch sinkhole.
The sinkhole has only been in operation for a month – being activated on March 15 – yet already it has helped to protect tens – if not hundreds of millions – of website visitors. In the first three weeks alone, an astonishing 44 million visitors had been redirected to the sinkhole from around 52,000 compromised websites and servers.
The majority of the compromised websites were running WordPress. Malicious code had been injected by taking advantage of flaws in the CMS and plugins installed on the sites. Vulnerabilities in Joomla, Drupal, and PrestaShop had also been exploited to install the malicious code.
The web-based malware distribution network has been in operation since at least 2011, although activity increased significantly in 2014. While previous efforts had been made to disrupt the malware distribution network, most failed and others were only temporarily successful.
The malicious code injected into the servers and websites primarily redirected website visitors to an exploit kit called Glazunov, and to a lesser extent, the Angler exploit kit. Those exploit kits probed for multiple vulnerabilities in software to download ransomware and malware.
The threat actors behind EITest are believed to have responded and have attempted to gain control of the sinkhole, but for the time being those efforts have been thwarted.
How to Improve Security and Block Web-Based Malware Attacks
While it is certainly good news that such a major operation has been disrupted, the scale of the operation highlights the extent of the threat of web-based attacks. Spam email may have become the main method for distributing malware and ransomware, but organizations should not ignore the threat from web-based attacks.
These attacks can occur when employees are simply browsing the web and visiting perfectly legitimate websites. Unfortunately, lax security by website owners can easily result in their websites being compromised. Failing to update WordPress or other content management systems and their plugins, combined with poor password practices, makes compromising those sites a quick and easy process.
One of the best cybersecurity solutions to implement to reduce the risk of web-based attacks is a web filter. Without a web filter in place, employees will be permitted to visit any website, including sites known to host malware or be used for malicious purposes.
With a web filter in place, redirects to malicious websites can be blocked, downloads of risky files prevented, and web-based phishing attacks thwarted.
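The blocking behaviour described above can be illustrated with a small policy check that walks an HTTP redirect chain and refuses any hop whose host is on a domain blocklist, or whose final target is a risky file type. This is an added example and is not TitanHQ or WebTitan code; the blocklist entries, the hostnames and the in-memory responses are constructed for the illustration and are not real indicators. It generalizes slightly beyond the text by also handling relative Location headers and redirect loops, both of which a filter that follows redirects has to cope with.

```python
"""Toy web-filter policy check (added illustration, not WebTitan code).

Walks an HTTP redirect chain and blocks a request when any hop lands on a
blocklisted domain, when the target is a risky download, or when the chain
loops or runs too long.  Responses are constructed in memory so it runs offline.
"""
from urllib.parse import urljoin, urlsplit

# Constructed blocklist for the example: placeholder domains, not real IoCs.
BLOCKLIST = {"malicious-redirect.example", "exploit-kit.example"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".hta", ".jar"}
MAX_HOPS = 10


def domain_blocked(host, blocklist=BLOCKLIST):
    """True if the host itself or any parent domain is on the blocklist,
    so cdn.malicious-redirect.example matches malicious-redirect.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def risky_download(url):
    """True if the URL path ends in an extension we refuse to download."""
    path = urlsplit(url).path.lower()
    return any(path.endswith(ext) for ext in RISKY_EXTENSIONS)


def evaluate_request(start_url, fetch, blocklist=BLOCKLIST):
    """Follow redirects via fetch(url) -> (status, headers) and decide.

    Returns ("block", offending_url, reason) or ("allow", final_url).
    Every hop is checked before it is fetched, so a compromised but
    legitimate site is allowed while the malicious hop it redirects to is not.
    """
    url = start_url
    seen = []
    for _ in range(MAX_HOPS):
        host = urlsplit(url).hostname or ""
        if domain_blocked(host, blocklist):
            return ("block", url, "blocklisted domain")
        if risky_download(url):
            return ("block", url, "risky file type")
        if url in seen:
            return ("block", url, "redirect loop")
        seen.append(url)
        status, headers = fetch(url)
        location = headers.get("Location")
        if 300 <= status < 400 and location:
            # Location may be relative; resolve it against the current URL.
            url = urljoin(url, location)
            continue
        return ("allow", url)
    return ("block", url, "too many redirects")


# Constructed, offline stand-in for a real HTTP client: URL -> (status, headers).
CONSTRUCTED_RESPONSES = {
    "http://compromised-blog.example/post":
        (302, {"Location": "http://cdn.malicious-redirect.example/gate.php"}),
    "http://cdn.malicious-redirect.example/gate.php":
        (302, {"Location": "http://exploit-kit.example/landing"}),
    "http://news.example/story": (301, {"Location": "/story/"}),
    "http://news.example/story/": (200, {"Content-Type": "text/html"}),
    "http://loop.example/a": (302, {"Location": "/b"}),
    "http://loop.example/b": (302, {"Location": "/a"}),
    "http://files.example/update": (302, {"Location": "/downloads/update.exe"}),
}


def fake_fetch(url):
    """Look up a constructed response; unknown URLs return a plain 200 page."""
    return CONSTRUCTED_RESPONSES.get(url, (200, {"Content-Type": "text/html"}))


def check(url):
    """Convenience wrapper: evaluate a URL against the constructed responses."""
    return evaluate_request(url, fake_fetch)


if __name__ == "__main__":
    for start in CONSTRUCTED_RESPONSES:
        print(start, "->", check(start))
```

The decision is made on each hop before it is fetched, which is the point that matters for a redirect network like the one described: the compromised blog is a legitimate site that is not on any blocklist, so the filter allows the first request and blocks the chain only when it reaches the redirect domain. A real filter would replace `fake_fetch` with its proxy's HTTP client and feed the blocklist from a maintained threat feed.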
TitanHQ is the leading provider of cloud-based web filtering solutions for SMBs and enterprises. WebTitan Cloud and WebTitan Cloud for WiFi allow SMBs and enterprises to carefully control the website content that can be accessed by their employees, guest network users, and WiFi users. The solution features powerful antivirus protections, uses blacklists of known malicious websites, and incorporates SSL/HTTPS inspection to provide protection against malicious encrypted traffic.
The solution also allows SMBs and enterprises to enforce their acceptable internet usage policies and schools to enforce Safe Search and YouTube for Schools.
For further information on how WebTitan can protect your employees and students and prevent malware infections on your network, contact TitanHQ today.