Realizing the market segment potential of bulletproof hosting services in a post-Russian Business Network (RBN) world — although it can be easily argued that as long as its operators are at large they will remain in business — cybercriminals continue supplying the cybercrime ecosystem with market-relevant propositions. It empowers anyone with the ability to host fraudulent and malicious content online. A newly launched Virtual Dedicated Server (VDS) type of bulletproof hosting vendor is pitching itself to prospective cybercriminals, offering them hosting services for spam, malware, brute-forcing tools, blackhat SEO tools, C&C (command and control) servers, exploit kits and warez. In addition to offering the “standard cybercrime-friendly” bulletproof hosting package, the vendor is also excelling in terms of the hardware it relies on for providing the infrastructure to its customers.
Let’s take a peek inside the infrastructure ‘facility’, and discuss the vendor’s business model in the over-populated market segment for bulletproof hosting services, currently available to prospective cybercriminals.
Sample screenshot of the currently offered bulletproof hosting options:
Sample screenshots of the used HP Smart Arrays in the service’s infrastructure, and the DIY self-monitoring interface:
Sample screenshots of the actual infrastructure ‘facility’ as featured by the vendor of the bulletproof hosting service:
This service and its infrastructure are a great example of ‘purely malicious in-house infrastructure’ purposely set up to facilitate fraudulent and malicious online activity. The “even if it’s there we still don’t care” mentality results in a situation where despite the fact that the vendor’s infrastructure remains online, it can still get blocked by the industry, consequently preventing hundreds of millions of users from (unknowingly) interacting with it. Unfortunately, as we’ve already seen in previous cybercrime-friendly ISP shut downs, this doesn’t really present a problem to the cybercriminals operating it, thanks to the contingency planning in place, allowing them to quickly restore service to their customers.
In retrospect: How cybercrime-friendly ISPs got affected by successful take downs over the years:
- TROYAK-AS: the cybercrime-friendly ISP that just won’t go away
- With or without McColo, spam volume increasing again
- Atrivo/Intercage’s disconnection briefly disrupts spam levels
- Google: Spam volume for Q1 back to pre-McColo levels
- Overall spam volume unaffected by 3FN/Pricewert’s ISP shutdown
We’ll continue monitoring this market segment, and post analyses of newly launched/competing services, in particular the ones differentiating their UVP (unique value proposition) to prospective cybercriminals.