Honeynet Project: Attackers Know Where You Live

Bad guys find ways to make Web exploits more efficient, targeted, and lucrative, new report says

The bad guys behind malicious Websites are starting to apply geographic intelligence to better target their victims and make money from them, according to a soon-to-be-released report by the Honeynet Project.

Honeynet researchers studied three popular Web exploitation kits -- WebAttacker, MPack, and IcePack -- and found that some attackers are using a feature in MPack called "geolocation-dependent triggering," which lets the malicious server pick up geographic clues about a visitor and infect only users from a certain country or region.

What scares Honeynet researchers is that this feature could easily be used to avoid specific networks, such as those of known antivirus companies or research firms, making it harder for the good guys to discover the malware.

"I think this is a concerning development," says Christian Seifert, author of the report and a researcher from Victoria University in New Zealand and a member of the New Zealand Honeynet Alliance, a Honeynet Project affiliate. "It will prevent these vendors and institutions from discovering malicious servers and therefore won't allow them to effectively protect their customers."

Seifert and his colleagues also studied the use of Web exploitation kits, which allow an attacker to gain control of a user's machine from a malicious Web page. Such kits also maintain statistics databases that record information about infected client machines, whether the attack was successful, and how effective certain exploits are proving to be. This intelligence helps the attacker replace an ineffective exploit with another, more lucrative one.

"This is a sniper, not a shotgun" approach, says Ralph Logan, vice president of the Honeynet Project and principal with The Logan Group. "What's scary is that they can [drill down and] look at an Internet service provider that mostly provides services in a financially secure geo-location, for example. They can then take the largest ISP in the U.S. and break it down by geo-location and attack users in Beverly Hills, instead of Topeka, Kansas."

Logan says an attacker would combine this approach with social engineering and phishing methods to become more efficient in his attacks, and to earn a better return on his investment. "This ability to geo-locate for focused attacks, and to track attack history, is the type of attack scenario that is on the horizon," he says.

The report is a follow-up to the Honeynet Project's August "Know Your Enemy: Malicious Web Servers" paper, which concluded that even seemingly "safe" sites can infect users' PCs. (See Report: Web 'Mean Streets' Pervasive).

The latest report states that many kits target weaknesses in Web browser plug-ins. "This makes sense from an attacker's perspective; defenses of OS -- and even client applications such as browsers -- are becoming stronger" and more regularly patched, Seifert says. "Plug-ins are more static vulnerable entities on a computer system. Many do not have automated update mechanisms and, if vulnerable, will remain vulnerable on a computer system -- leaving a successful attack path."

The researchers also found that they could identify Web pages that were infected with specific Web exploitation tools, based on their behaviors and signatures. "This is something I haven't seen done before," Seifert says. "We were able to assess that 4.24 percent of the malicious URLs we encountered made use of the MPack Web exploitation kit. I think this is a promising technique to track these servers."

Seifert says the detection capability could allow users to blacklist malicious Web servers that contain those kits. "However, this technique will only be successful if security vendors are able to continue to effectively find these malicious Web servers," he says. "[But] with techniques like IP tracking, targeting plug-ins, and network specific triggering, this might not be ensured for the future."
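The two points above, that a server keying its response on the visitor's location or source network can hide the malicious variant from a researcher's crawler, and that blacklisting only works while vendors can still find such servers, suggest a defender-side check: fetch the same URL from several vantage points and compare what each one receives. The following Python script is an added example and is not code from the Honeynet Project or the report; the vantage-point labels, the sample responses and the two generic content heuristics (a hidden iframe, a script that decodes itself at runtime) are constructed for illustration and are not signatures of any particular kit.

```python
"""Vantage-point comparison for geolocation-dependent content serving.

A crawler that fetches a page from a single network may never see the
malicious variant if the server keys its response on the client's
location or source network. Fetching the same URL from several vantage
points and comparing the responses turns that evasion into a signal:
divergent content for an otherwise static page is itself suspicious.

All sample data below is constructed for this example.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample: one URL as received by three hypothetical vantage
# points. The labels are illustrative and name no real network.
SAMPLE_RESPONSES = {
    "vantage-research-lab": b"<html><body><h1>Welcome</h1><p>News of the day.</p></body></html>",
    "vantage-cloud-eu": b"<html><body><h1>Welcome</h1>\n<p>News of the day.</p></body></html>",
    "vantage-residential-us": (
        b"<html><body><h1>Welcome</h1><p>News of the day.</p>"
        b'<iframe src="http://placeholder.invalid/frame.html" width="0" '
        b'height="0" style="visibility:hidden"></iframe>'
        b"</body></html>"
    ),
}

_BETWEEN_TAGS = re.compile(rb">\s+<")
_WS = re.compile(rb"\s+")


def normalize(body: bytes) -> bytes:
    """Drop whitespace between tags and collapse the rest, so cosmetic
    differences (line breaks, indentation) do not mask real ones."""
    body = _BETWEEN_TAGS.sub(b"><", body)
    return _WS.sub(b" ", body).strip().lower()


def content_hash(body: bytes) -> str:
    """Stable fingerprint of the normalized response body."""
    return hashlib.sha256(normalize(body)).hexdigest()


# Generic indicators of injected drive-by content, chosen for this
# example (assumption): a zero-size or hidden iframe, or a script that
# decodes a blob at runtime. They are not kit-specific signatures.
_HIDDEN_IFRAME = re.compile(
    rb"<iframe[^>]*(width=[\"']?0|height=[\"']?0|visibility:\s*hidden|display:\s*none)",
    re.I,
)
_RUNTIME_DECODE = re.compile(rb"(unescape|fromCharCode|eval)\s*\(", re.I)


def suspicious_markers(body: bytes) -> list[str]:
    """Return the names of the heuristics that fire on this body."""
    found = []
    if _HIDDEN_IFRAME.search(body):
        found.append("hidden-iframe")
    if _RUNTIME_DECODE.search(body):
        found.append("runtime-decode")
    return found


def compare_vantages(responses: dict[str, bytes]) -> dict:
    """Group vantage points by the content they received and flag any
    divergence plus any vantage whose variant carries suspicious markers."""
    groups = defaultdict(list)
    for vantage, body in responses.items():
        groups[content_hash(body)].append(vantage)
    variants = {digest: sorted(v) for digest, v in groups.items()}
    flagged = {}
    for vantage, body in responses.items():
        markers = suspicious_markers(body)
        if markers:
            flagged[vantage] = markers
    return {
        "divergent": len(variants) > 1,
        "variant_count": len(variants),
        "variants": variants,
        "flagged_vantages": flagged,
    }


if __name__ == "__main__":
    report = compare_vantages(SAMPLE_RESPONSES)
    print("divergent:", report["divergent"], "variants:", report["variant_count"])
    for vantage, markers in report["flagged_vantages"].items():
        print(f"  {vantage}: {', '.join(markers)}")
```

In the constructed sample the research-lab and EU-cloud vantages receive the same benign page (differing only by a line break, which normalization removes), while the residential US vantage receives a variant with a hidden iframe. The divergence alone is the actionable signal: a blacklist built from the research vantage's view would miss this server, so a honeyclient pipeline should treat "same URL, different content per vantage" as a reason to escalate rather than relying on any single network's observation.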

The new Honeynet Project report also dispelled one finding from its previous malicious Web servers report. Seifert and his colleagues concluded in the August report that Internet Explorer 6 SP2 was the most likely browser to get infected by these malicious Web server attacks.

Not so, says the new report: The researchers had used older versions of Mozilla Firefox, Opera, and IE, and didn't include the latest plug-ins, which may have skewed their results. Firefox and Opera are also being attacked via plug-ins such as Microsoft Windows Media Player, the report says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
