Security vendor Forcepoint has identified a malicious traffic detection system (TDS). Hackers are using the TDS to redirect users to exploit kits, but, interestingly, it does not redirect every user. The blog by researcher Nicholas Griffin looks at how the hackers select their victims before sending them to a malicious site.
What is a TDS?
According to Griffin, a TDS is: “… a web based gate that is able to redirect users to various content depending on who they are. A TDS is able to make a decision on where to send a user based on criteria such as their geo-location, browser, operating system, and whether or not they have been sent the malicious content already.”
Griffin goes on to explain that hackers are not the only ones using a TDS. One can also be used to prevent people downloading content that is not licensed in their country, or to block traffic from suspicious sites.
The hackers use their TDS both to protect themselves and to pick high-value targets. Blacklists stop the sites being scanned by web crawlers, which prevents the malicious content from being easily identified. Griffin also says that malicious TDS systems use blacklists containing IP address ranges linked to security vendors, which extends the life of the site serving up the exploit.
The blog names realstatistics[.]info and realstatistics[.]pro as the sites at the centre of this latest use of a TDS. Forcepoint saw a redirect to these sites being added to previously compromised websites. Once a user was redirected, the code on those sites profiled the visitor to decide whether they should be infected. Interestingly, Forcepoint has declined to publish the criteria for being attacked, so we do not know whether selection was by country, language, operating system or something else.
What is known is that a number of other domains are owned by the same hackers. The blog contains a list of the associated domains, and what is interesting about them is that almost all use the words analytics, statistics or stat in the domain name.
What exploit kits are being used?
Visitors to the sites who are selected for attack have the RIG or Neutrino exploit kit pushed to their machines. The website Malware Traffic Analysis gives a breakdown of the contents of the zip files sent to infected machines. It also provides information for security teams so that they can spot an infected site.
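The domain-naming pattern noted above and the advice about spotting an infected site lend themselves to a simple defensive check. The following is an added example, not code from Forcepoint or Malware Traffic Analysis: it scans a constructed proxy log and a constructed page body for loads from the two named domains or from cross-site hosts that imitate a stats service, with an allowlist so a genuine analytics host is not flagged. The log format, hostnames ending in .test and the hypothetical function names are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Domains the report names (written de-fanged as realstatistics[.]info / [.]pro on the page).
KNOWN_TDS_HOSTS = {"realstatistics.info", "realstatistics.pro"}
# Naming pattern the report observed across the associated domains.
NAME_HINT = re.compile(r"analytics|statistics|stat", re.IGNORECASE)
# Legitimate stats hosts that would otherwise match the pattern (extend per environment).
ALLOWLIST = {"www.google-analytics.com"}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def classify_request(referrer, url):
    """Return a verdict for one request, or None if nothing looks wrong."""
    host = host_of(url)
    if host in KNOWN_TDS_HOSTS:
        return "known_tds"
    # A cross-site load whose hostname imitates a stats service deserves a look.
    if (host not in ALLOWLIST and NAME_HINT.search(host)
            and host_of(referrer) != host):
        return "suspect_stats_name"
    return None

def scan_proxy_log(log_text):
    """Constructed log format: client_ip referrer requested_url status."""
    hits = []
    for line in log_text.splitlines():
        client, referrer, url, status = line.split()
        verdict = classify_request(referrer, url)
        if verdict:
            hits.append((client, host_of(url), verdict))
    return hits

SCRIPT_SRC = re.compile(r"""<(?:script|iframe)[^>]+src=["']([^"']+)""", re.IGNORECASE)
def scan_page_html(page_url, html):
    """Flag injected script/iframe tags on a page that pull from a TDS-looking host."""
    return [(src, v) for src in SCRIPT_SRC.findall(html)
            if (v := classify_request(page_url, src))]

# Constructed sample data, not real captures.
SAMPLE_LOG = """\
10.0.0.5 http://example-blog.test/post/1 http://realstatistics.info/js/stat.js 200
10.0.0.5 http://realstatistics.info/js/stat.js http://cdn-stat-analytics.test/gate.php 302
10.0.0.7 http://example-blog.test/post/1 http://example-blog.test/style.css 200
10.0.0.9 http://news.test/ http://www.google-analytics.com/analytics.js 200
"""
SAMPLE_HTML = ('<html><body><p>hello</p><script src="http://realstatistics.pro/lib.js"></script>'
               '<script src="/local.js"></script></body></html>')
```

Calling `scan_proxy_log(SAMPLE_LOG)` returns the two suspicious loads from client 10.0.0.5 and nothing for the allowlisted analytics host; `scan_page_html("http://example-blog.test/post/1", SAMPLE_HTML)` returns only the realstatistics.pro script tag.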
This attack again shows how difficult malicious sites can be to detect: the TDS filters out web crawlers and security vendors so that the attack goes unnoticed. Forcepoint warns that there are hundreds of compromised websites, and those running this attack are actively registering more.