The source code of the RIG exploit kit was leaked by an unhappy reseller a couple of months ago. This has had two consequences: security firms have been able to establish how it works but other hackers can begin to use it more easily.
As Business Insider reports, security research firm Trustwave has found that one hacker, believed to be working on his own as a “lone wolf” is now using the tools that comprise RIG to infect over 27,000 computers everyday. This results in around 500,000 malware installations each month — six million in a year.
This high infection rate is achieved by using an automated spambot to send over one million bogus emails each day, convincing people to click links to buy products or install software using traditional spam tactics. The 27,000 who respond each day end up with their computer being compromised by malware delivered by version 3.0 of the RIG exploit kit.
This technique has proven to be rather profitable for the hacker behind it all so there’s little chance of the attack slowing down soon. Trustwave conservatively estimates that the lone wolf responsible for the spam is earning between $60,000 and $100,000 every month as a reward for overseeing his massive automated email system.
Trustwave says that the spam is being delivered using the Tofsee bot, controlled by one person known as “Customer X”. Customer X is the single biggest RIG 3.0 customer and currently represents 70 percent of all successful infections.
The discovery is alarming because it shows RIG is still healthy and very active despite its source code being freely available. The creators have recovered from the leak by releasing a new version which uses the same concepts but makes several changes to keep law enforcement away.
As part of its research, Trustwave found that 90 percent of all traffic to RIG comes from malicious adverts on websites. Although no fault of the site owners, the attackers using RIG have successfully compromised ad networks to hijack Alexa 3000-ranked news sites, investment consulting firms and IT solution providers.
As a result, the exploit kit seems to be stronger than ever and is now infecting more machines per day than at any other time in its history. It’s important to remember to never click a link in an email that looks like spam and to report any suspicious-looking adverts you see on major websites.
