Cybersecurity firm Trend Micro has published the final piece of its online crime market research. It provides recommendations for countering illegal hosting.
A new report from Trend Micro completes a series of three studies on the illegal hosting market. The first part, entitled “Infrastructure of hackers and illegal hosting,” revealed how the market for illegal Internet services works and how and where cybercriminals find the infrastructure for their operations. The second part describes how criminals use compromised on-premises and cloud servers and how such compromises can be identified. In the last part, the researchers describe methods of fighting the bulletproof hosting (BPH) industry.
BPH is intended for resources with obviously illegal content. Most often, such hosting is used by spammers, online casinos, and porn resources.
“Bulletproof hosting is the backbone of a cybercriminal infrastructure that uses a sophisticated business model to combat attempts to shut down illegal resources,” underlines Trend Micro. …
The researchers emphasize that the level of “survival” of such hosting largely depends on their operators’ adaptability.
If some kind of clandestine operation is discovered by the authorities, the operator can quickly set up new front companies, and the upstream provider can simply transfer entire groups of IP addresses to new companies.
Some ISPs may relocate their virtual dedicated servers (VPS) to make it harder for law enforcement to detect and block them. Combined with reverse proxy servers, these hosts can provide high service availability.
Researchers note that authorities take different approaches to fighting each type of content. For example, in China the attitude is softer towards hosting that serves mass advertising mailings to foreign addresses, while hosting associated with online casinos or political content can attract the attention of local regulators much faster. In Russia, authorities are very tough on the distribution of porn content, information about drug-containing substances, and political content.
In countries such as Switzerland or the Netherlands, clandestine hosting providers take advantage of local laws under which authorities first issue an infringement warning before threatening a search or arrest. These warnings give criminals time to set up new front companies and transfer servers quickly.
Regional and country differences mean that buyers of the relevant traffic or services on illegal exchanges can choose the countries where their activities will be the least risky and most profitable: for example, sending spam from hosting in one country while managing an online casino from another.
Trend Micro analysts give companies, organizations, and corporate or government IT security teams the following tips for detecting and combating clandestine hosting:
- Determine which IP address ranges are on public blacklists.
- Look out for addresses associated with a large number of public abuse inquiries, as this could indicate BPH activity.
- Analyze the behavior of autonomous systems and peering data; this can also help identify BPH-related activity.
- After locating one BPH host, use its digital fingerprint to find other hosts associated with the same provider.
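The following is an added example (not Trend Micro's code) showing how an analyst might apply the first, second and fourth tips: matching candidate ranges against a public blacklist, counting abuse inquiries per prefix, and pivoting from one located host's fingerprint to others. All inputs are constructed and use documentation-reserved IP ranges and AS numbers; the choice of ASN plus authoritative name server as the "fingerprint" is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed inputs: a public blocklist, a feed of abuse inquiries, and a
# small host inventory whose attributes serve as a "digital fingerprint".
PUBLIC_BLOCKLIST = ["198.51.100.0/24"]
ABUSE_REPORTS = [  # (reported IP, complaint category) - constructed sample
    ("203.0.113.5", "spam"), ("203.0.113.9", "phishing"), ("203.0.113.77", "spam"),
    ("203.0.113.80", "malware"), ("192.0.2.10", "spam"),
]
HOSTS = [  # per-host attributes an analyst might collect - constructed sample
    {"ip": "203.0.113.5",  "asn": 64500, "ns": "ns1.example.net", "org": "Front Co A"},
    {"ip": "203.0.113.9",  "asn": 64500, "ns": "ns1.example.net", "org": "Front Co B"},
    {"ip": "198.51.100.4", "asn": 64500, "ns": "ns1.example.net", "org": "Front Co A"},
    {"ip": "192.0.2.10",   "asn": 64501, "ns": "ns.other.example", "org": "Unrelated"},
]

def blocklisted(candidate_ranges, blocklist=PUBLIC_BLOCKLIST):
    """Tip 1: return the candidate ranges that overlap a public blocklist entry."""
    listed = [ipaddress.ip_network(b) for b in blocklist]
    return [r for r in candidate_ranges
            if any(ipaddress.ip_network(r).overlaps(b) for b in listed)]

def abuse_hotspots(reports=ABUSE_REPORTS, prefix_len=24, threshold=3):
    """Tip 2: aggregate abuse inquiries per prefix; dense prefixes may indicate BPH."""
    per_prefix = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)) for ip, _ in reports)
    return {p: n for p, n in per_prefix.items() if n >= threshold}

def pivot_on_fingerprint(seed_ip, hosts=HOSTS, keys=("asn", "ns")):
    """Tip 4: take the fingerprint of one located host (assumed here to be ASN plus
    authoritative NS) and find other hosts sharing it, even under different front
    companies."""
    seed = next(h for h in hosts if h["ip"] == seed_ip)
    fp = {k: seed[k] for k in keys}
    return sorted(h["ip"] for h in hosts
                  if h["ip"] != seed_ip and all(h[k] == fp[k] for k in keys))

if __name__ == "__main__":
    print(blocklisted(["198.51.100.0/25", "192.0.2.0/24"]))  # ['198.51.100.0/25']
    print(abuse_hotspots())                                   # {'203.0.113.0/24': 4}
    print(pivot_on_fingerprint("203.0.113.5"))                # ['198.51.100.4', '203.0.113.9']
```

Note that the pivot surfaces 198.51.100.4 even though it sits in a different prefix and is registered to a different front company, which is the point of fingerprinting rather than relying on IP ranges alone.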
The report also lists methods used by law enforcement and other organizations to shut down clandestine hosting companies without having to find or seize their servers:
- Submitting duly documented abuse requests to a suspected illegal hosting provider and its upstream partners.
- Adding BPH IP ranges to popular blacklists.
- Raising the BPH provider’s operating costs to undermine the profitability of its business.
- Undermining the BPH provider’s reputation in the cybercriminal underground by creating accounts on underground forums whose posts question the provider’s safety or discuss its possible cooperation with the authorities.