I think you’ll agree with me when I say that the era of “I’m not important enough to get hacked” is long gone.

Although this attitude stubbornly persists, the facts show us that, as long as you have an email address or share any kind of data on the web, you’re a target. If you have a website, even more so.

It’s not that cyber criminals care about the contents of your website. Not at all. What they want is to gain control over it so they can use it as a platform for distributing malware.

The latest campaign analyzed by our team shows exactly how attackers are using small websites to broaden their malicious reach.


Thousands of small websites hacked – is yours safe?

Automation is key for this type of attack. At the beginning of 2016, our team observed that the Angler exploit kit infrastructure is very active.

Although these spikes in activity usually don’t last too long, here we are, a month later, dealing with the same highly engaged Angler. What’s making this possible is the malware economy, especially its exploit kits-as-a-service branch, which makes kits such as Angler or Nuclear highly available to anyone who has the resources to buy and use them.

Attackers have an established way of compromising websites they can later use as platforms for drive-by attacks.

Stage 1

They either:

  • Find the website’s admin account and hack the credentials
  • Or get into the admin console by using the same method
  • Or they can compromise the server that is used to host the website
  • Or even use vulnerable programming scripts to inject infected code.

Website owners don’t exactly make it difficult, since they use default settings and credentials, such as “admin” for both username and password. That takes under a minute to crack.

If this is you, then you need to change your passwords and usernames. Now.

Stage 2

They embed malicious Javascript code in the compromised websites. The infected code is used to move traffic and redirect the victims to web pages that host the Angler exploit kit.

The problem here is that the websites that unwillingly host Angler are usually legitimate domains. By using stolen or cracked credentials, cyber criminals can log into the victim’s domain registrar, where they can set up new subdomains. This technique is called domain shadowing. By registering many subdomains and IP addresses, attackers can avoid blacklists and significantly enhance their distributions channels for the notorious Angler exploit kit.


Heimdal Security has already blocked over 30.000 such domains since the beginning of 2016.

Here is a small sample of these compromised websites, coming primarily from the Nordics, but not limited in reach to this particular region:

Fya [.] com
ergonomics [.] com
DRCMR [.] com
restad [.] com
eqapp [.] com
Mobile city [.] com
cense [.] com
jbgolf [.] com
ranpro [.] com
OneSystems [.] com
oak-o [.] com
Norlax [.] com
kayak polo tournaments [.] com
master-mal [.] com
accordion festival [.] com
man shelter [.] com
green machine [.] com
rigoroso [.] com
lifemabs [.] com
contact.drcmr [.] com
bordingpro [.] com
seo-analysis [.] com
circle energy [.] com
galleryartnature [.] com

We can clearly tell that small websites are the target here, and that their owners probably have no idea that cyber attackers are using their websites to spread CryptoWall.

small websites spreading angler exploit kit and ransomware graphic


Stage 3

Once they end up on the Angler-hosting web page, the victims are subjected to a drive-by attack. All it takes to get infected is to end up on the infected domain. No user interaction, such as a click or a download, is involved.

Angler will sniff for vulnerabilities in your outdated software apps (browser, browser plugins, VLC, Java, Silverlight, etc.) and will use security holes to gain administrator rights over your computer.

Once it does that, Angler will drop the payload (the part of malware which performs a malicious action), which, in this case, is from the CryptoWall ransomware family. Although we cannot confirm which CryptoWall variants are being unleashed at this point, we’ve seen Angler distribute CryptoWall 4.0 before, so it can certainly do it again.

Stage 4

The payload will communicate with the servers controlled by cyber criminals to retrieve the encryption key. As a consequence, all the victim’s data will be encrypted, and a ransom will be requested in exchange for the decryption key. The payment will vary, but it generally amounts to $500.

This lead to a rather worrying situation, in which not only individual users, but also companies and public authorities are affected by ransomware. The most common cause is that the hacked computers didn’t have all the available updates installed, both for apps and for the operating system.

Software updates play a key role in preventing cyber attacks and should be applied diligently. Especially since antivirus detection for these infected domains is nonexistent:

infected website 1

infected website 2


Why cyber criminals target small websites

Cyber attackers are taking advantage of two core factors at this time: the fact that access to technology has become pervasive and the fact that cyber security education has a difficult time keeping up with the fast pace of technology adoption.

Small website owners are a sure-fire targets for them, because:

  • They don’t have the technical skills to protect their websites on multiple levels (servers, admin console, admin account, plugins, etc.)
  • They don’t understand the need for protection;
  • They assume that cyber criminals are not interested in them or their data;
  • They cannot afford sophisticated cyber security products that can protect their websites or don’t know how to implement them;
  • They often rely on external unqualified service providers to set up their website, and not all providers are concerned with website security;
  • They never trained themselves on cyber security issues, so they’re not even aware that such attacks can happen;
  • They use weak credentials that can be easily cracked.

That’s why we always insist on learning the basics of cyber security, at least through a beginner’s course, so that everyone can establish a baseline for protection against cyber attacks. This can certainly be done though both a common and an individual effort.


Campaigns and exploit kit activity such as this one are slowly becoming the norm. And we, as users, as employees in companies, don’t always make cyber criminals’ lives more challenging. But that can change, bit by bit, as we put a bit more energy and time into our protection. The age of cyber security innocence must come to an end and leave room for self-awareness and self-protection.

Ransomware Explained. What It Is and How It Works

Here Are the Free Ransomware Decryption Tools You Need to Use

The Ultimate Guide to Angler Exploit Kit for Non-Technical People


Leave a Reply

Your email address will not be published. Required fields are marked *