Ransomware creators are always looking for new ways to distribute their malicious programs to more computers. In order to make proceeds, the developers need to have a lot of people pay the ransom. The cost for maintaining the servers, required to run all processes, is quite high.
Creating the virus is only the first step towards the promise land. The cyber criminals need to send a large amount of spam emails to get users’ machines infected. Statistics show that only around 10% of all email recipients are tricked into having their system infected. About 50% of the eventual victims end up paying the ransom. This makes the success rate of the spam campaigns around 5%. A mailing server is required to send out an adequate number of messages. The cost for maintaining a server is formidable.
New ways for increasing the effectiveness of the attacks or lowering their cost are always welcome. Cisco’s OpenDNS team reports that the owners of Locky ransomware have discovered a method of distributing their program through external devices.
The researchers found that the spammers have been exploiting a PHP vulnerability in a web-to-email service since mid-July. The flaw allows hackers to access other servers and use them to distribute the malicious program.
The cyber criminals hacked a web form and made it send messages to email accounts of their choose rather than address letters to their designated recipients. The emails contain the executable of Locky ransomware.
Patching the PHP vulnerability only takes a simple update
OpenDNS team member Brad Antoniewicz shared the result of their observations on the attacks. The researchers have found that the core of the issue lies in a PHP contact form script.
This same vulnerability has been found in other web-based products in recent memory and reported. This is the first instance when it was discovered in this particular script. Since the issue was brought to the attention of the web form developers, they included a fix in a recent update.
Antoniewicz commented on the research team’s observations, stating the following: “We were unable to find any publicly reported instances of these vulnerabilities in the specific PHP webforms we saw being abused.”
The researcher urged users to update their web forms in order to fix the problem. “We did reach out to the vendor(s) we could identify, requesting contact information, but received no reply to date and thus we’re choosing not to identify the specific applications containing the vulnerabilities. Updating to the latest version of your PHP web-to-email form should fix the issue.”
