Cyber crime: Exploit kits in the enterprise

Security exploits

Exploit kits are particularly prevalent at the moment in the UK. They are largely responsible for the 600 per cent increase in the use of malicious web links as an attack vector, according to recent research by security vendor Websense.

The growing adoption of exploit kits within the cyber criminal fraternity is impacting upon the enterprise in terms of the probability that data will be stolen and productivity will be lost. "Combining exploit kits, custom encryption to evade AV detection with the acceleration of new attack techniques, emerging zero-day vulnerabilities and the fact that exploit kits are underground (consumer based products designed to support rapid updates), it is likely that even perfect patch management will still leave windows of exposure with some of the advantage going to cybercrime," according to Elad Sharf, lead senior security researcher at Websense.

But why, then, are exploit kits so popular? That's a simple one to answer: they make hacking easy. "It's the difference between having to understand Internet Protocol and code used to put up a website back in the early 1990's compared with pointing and clicking to post to Facebook today," Kevin O'Reilly, lead security consultant with the assurance team at Context Information Security, puts it.

"The posting of exploit kits on the Internet is like handing out grenade launchers to vandals" O'Reilly explains, adding "criminals with minimal technical skills can buy a point-and-click kit to create takeover software." This can then be uploaded to an automatically cloned copy of a legitimate website and even handle the emailing of the malicious links to targeted victims in your enterprise.

Exploit kits unplugged

An exploit kit is simply a cyber crime tool that is sold as an off-the-shelf product bundle usable without the kind of technical hacking skills required in days past. But what does this bundle actually contain? IT Pro asked Wolfgang Kandek, CTO at on-demand vulnerability management and policy compliance solution provider Qualys, for the component breakdown of a typical exploit kit:

1. Coded exploits for vulnerabilities in browsers and plug-ins.

2. A web admin console, showing results such as how many machines are infected, in what countries, using what browsers and detailing the best exploits and campaigns in terms of breach success.

3. A database to store all relevant data.

4. The include' of files to be hosted on a web server which can then be implemented by the sites that will be used to infect their visitors.

5. The sites that will be used to infect visitors, either setup specifically for that purpose to attract traffic by convincing search engines to link to them (using Search Engine Poisoning techniques) or more commonly sites that were hacked by the attacker. A current example is the site which was involved in the attacks on Apple, Facebook and Twitter. It notes: "A single administrator account was compromised. The hackers used this account to modify our theme and inject JavaScript into our site". The JavaScript inject' mentioned by iphonedevsdk is one of the include' files provided by the exploit pack.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at