Exploit Kits – The Automation of Cybercrime

Today, we’re unveiling the Infoblox DNS Threat Index -, powered by IID, for the third quarter of 2015. The most alarming statistic in this quarter’s report is a surge in creation of Domain Name System (DNS) infrastructure for exploit kits – up 75 percent from the same period a year ago.


Exploit kits are such a big concern because they represent the automation of cybercrime. These pre-packaged collections of malware can be created by sophisticated hackers and then sold or rented out to petty criminals who want can use them to attack businesses, schools or government agencies – with little experience required.


The main function of exploit kits is delivering a malicious payload onto a computer or mobile device. The payload can encrypt a device’s data to hold it for ransom, quietly exfiltrate data, crash networks, and unleash other forms of mayhem.


Exploit kits are tough to stop because they often take advantage of zero-day vulnerabilities, as well as security holes in popular operating systems or software. Users are lured through phishing emails or malicious advertising to visit a compromised website. When a user “drives by” this site, the payload is delivered.


According to the Infoblox DNS Threat Index, Angler is the most widely used exploit kit. Recently, a major British newspaper, which has hundreds of millions of monthly visits to its website, was hit with Angler. This attack resulted in malicious ads being displayed for a period of four to five days, exposing visitors to infection if they clicked on those ads.


Last month, Cisco's Talos security group reported disrupting a major part of the Angler network infrastructure, including the servers of a targeted service provider, as described in this blog. The malicious operation generated an estimated $30 million annually for the perpetrators – proof that cybercrime pays, at least in short bursts. Although the exploit kit infrastructure was disrupted, it is likely just a matter of time before hackers rebuild and resume operations.


Protecting your applications and data from exploit kits requires proper security training for employees along with processes for risk management and mitigation. Employees need to know what traps to avoid, such as emails that don’t seem quite right and dodgy websites. Networking and security teams need to go beyond traditional perimeter defenses to address what happens once malware gets inside the network.


DNS is an essential protocol for cybercriminals who build exploit kits, but can also be a powerful point of control for blocking attacks. Monitoring DNS queries for traffic to known malicious destinations, combined with analytics to recognize suspicious behavior, can give an early warning when exploit kits and other threats have breached an organization’s firewall.


We invite you to visit to view the full report – no registration required – and to learn more about securing DNS.

Showing results for 
Search instead for 
Do you mean