Two years on, the unwary or unlucky are still falling victim to a campaign built on the Blackhole exploit kit: compromised web servers redirect their visitors to the kit, which drops ransomware that locks the victim's computer until a fee is paid. As reported on gmanetwork.com, the attackers have used servers managed with cPanel and Plesk to put some 40,000 domains and IP addresses at risk.
Researcher Sébastien Duquette observed, “Upon infection, most users end up with their computer being locked … and … told to pay a fee of U.S. $300 to unlock (it in a) fraudulent scheme that is known as ransomware.”
The lock screen that “requests” payment is dressed up as a legitimate charge for services rendered, attributed to anyone from Microsoft to the Federal Bureau of Investigation. The payment, of course, goes to none of those organizations.
Duquette notes that the attackers use Darkleech, a malicious Apache module that is installed on compromised web servers and openly sold on blackhat forums.
Web hosting companies use cPanel and Plesk to manage servers that may each host hundreds or even thousands of websites. Once Darkleech is running on such a server, the sites it hosts are turned against their own visitors, so a single compromised host can infect the computers of anyone browsing any of those sites. Duquette noted that in May 2013, 15,000 of the affected IPs and domains were simultaneously serving a Blackhole exploit.
Exactly how Darkleech gets onto a web server in the first place remains an open question; Duquette thinks it might simply be through stolen passwords. What it does once installed is clearer. An article on pcworld.com describes how Darkleech tampers with websites hosted on the Apache server by loading an iframe into a web page. That iframe redirects the visitor to a malicious URL hosting the Blackhole exploit kit, which in turn tries to exploit an unpatched web browser or vulnerable Java or Adobe Reader plugins. Because the injection is performed by the web server module rather than by editing the site's files, the pages as stored on disk can look untouched; the tampering is only visible in what the server actually sends to a browser.
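Since the injection shows up only in the served HTML, one practical check is to fetch pages the way a visitor would and look for the pattern described above: an iframe the user is not meant to see, loading from a host that is not the site's own. The script below is an added example written for this article, not code from ThreatMetrix, Duquette or the pcworld.com report. Its heuristics (an iframe is “hidden” if it is styled display:none or visibility:hidden, parked off-screen with a negative offset, or no larger than 10 pixels in either dimension) and the two sample pages are constructed assumptions for illustration; the 198.51.100.23 address is from the documentation range and is not a real Blackhole host.

```python
"""Heuristic detector for hidden, third-party iframes injected into served HTML.

Added example (not Darkleech code and not ThreatMetrix code). Feed it the HTML
a browser would receive and the URL it was fetched from; it reports iframes that
are both invisible to the user and sourced from a host other than the page's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed threshold: an iframe this small (in px) is not meant to be seen.
TINY_PX = 10


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse '1', '1px' or ' 1 ' to an int; None for '%', 'auto' or garbage."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """True if the iframe is styled so that a user would never notice it."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(?:left|top):-\d+px", style):  # parked off-screen
        return True
    dims = [_px(attrs.get("width")), _px(attrs.get("height"))]
    for prop in ("width", "height"):  # inline-style dimensions
        m = re.search(prop + r":(\d+)px", style)
        if m:
            dims.append(int(m.group(1)))
    return any(d is not None and d <= TINY_PX for d in dims)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_suspicious_iframes(html, page_url):
    """Return the resolved src of every hidden iframe loaded from a third-party host."""
    page_host = _host(page_url)
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        if not src:
            continue
        full = urljoin(page_url, src)  # resolves relative and protocol-relative srcs
        if _host(full) != page_host and _is_hidden(attrs):
            hits.append(full)
    return hits


# Constructed sample pages (not captured traffic).
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<p>Normal content.</p>
<iframe src="http://198.51.100.23/landing.php"
        style="position:absolute; left:-9999px; width:1px; height:1px;"></iframe>
<iframe src="/widgets/chat" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_suspicious_iframes(page, "https://hosted.example/index.html"))
```

The same-origin 1×1 iframe in the injected sample is deliberately left alone: tiny first-party frames are common (tracking, chat widgets) and flagging them would bury the real finding. A visible third-party embed such as the YouTube frame in the clean sample is likewise ignored. In practice, run the fetch from outside the hosting provider's network and with an ordinary browser User-Agent, since a server-side module decides per request what to inject.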
ThreatMetrix is the fastest-growing provider of integrated web fraud and cybersecurity solutions. The TrustDefender™ Cybercrime Protection Platform helps companies prevent unauthorized access to web and mobile applications, protect sensitive data, and secure transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.
To join in the cybersecurity conversation, follow us on Twitter @ThreatMetrix.