Cyber-crooks like Firefox and Opera. At least that’s the conclusion from new research by Purewire.
According to Paul Royal, principal researcher at Purewire, who recently tracked 15 exploit kit operators from all over the globe, Mozilla Firefox and Opera were the most popular Web browsers used by exploit kit operators. Some 46 percent used either Firefox 3.0 or 3.5. Twenty-six percent used Opera 9.6. Internet Explorer 6.0 is used by 13 percent of the kit operators.
Royal’s findings are interesting because as far as overall market share, Internet Explorer remains the leading Web browser. However, it is also the most attacked browser in the bunch, perhaps for that very reason. Royal speculated that attackers are keenly aware of the fact, and are more likely to run Opera or Firefox because they are less likely to be targeted.
Interestingly, the U.S. and Russia are both home to 20 percent of the exploit kit operators. Twenty-six percent of the kits themselves are hosted in the U.S., while the Netherlands, China and Latvia are home to 13 percent apiece.
“Given the associated difficulty with operator identity discovery and prosecution, the high incidence of operators living in the U.S. does not surprise me,” Royal said. “What is most interesting is exploit kit operators are careful to keep at least one country’s worth of distance between themselves and the exploit kits.”
Since the operators often distance themselves from their activities, it cannot be assumed they live in the same country in which their kit is hosted, he added.
“Instead of looking at hosting locations, I’m getting data on exploit kit operators by leveraging vulnerabilities in the kits themselves to get criminals to contact a Web server I control when they access certain parts of a kit’s admin control panel; this technique reveals their IP and browser User-Agent.”
Royal said he is turning his findings over to law enforcement.