We’ve recently spotted a multi-hop Russian cybercrime-friendly VPN service provider, with an ad featured (not syndicated) at a well-known cybercrime-friendly community, that is relying on fake celebrity endorsement to attract new customers: in this particular case, it pitches itself as being recommended by ex-NSA contractor Edward Snowden. How have anonymization tactics evolved over the last couple of years? Have the bad guys been ‘innovating’ in covering the malicious/fraudulent online activity they orchestrate? Let’s discuss some of the current trends in this ever-green market segment within the cybercrime ecosystem.
Sample ad featured at the cybercrime-friendly community:
It didn’t take long for cybercriminals to realize the massive potential of abusing already-built botnets as anonymization infrastructure. Using compromised hosts as ‘stepping stones’ for launching attacks, mixing malicious hosts with legitimate logs-free anonymization infrastructure, or setting up multi-hop cybercrime-friendly VPN service providers added further layers of anonymity to their Internet activities, primarily through basic ‘risk-forwarding’ tactics (the risk of attribution is pushed onto the owners of the compromised hosts). Alongside these concepts, the massive, de facto adoption of Socks4/Socks5 modules, found in a huge percentage of modern malware/crimeware/platform releases, helped opportunistic cybercriminals quickly monetize the market segment by offering the same capabilities to others through “cybercrime-as-a-service” type underground market propositions.
Throughout 2013, we continued to observe a decent supply of “hacked-PCs-as-a-service”, with some of the market-leading/well-known/reputable vendors still in operation. Moreover, thanks to the general availability of Socks4/Socks5-converted anonymization hosts, we also continue to observe a decent supply of CAPTCHA-based, proxy-supporting DIY automatic account registration/brute-forcing tools, Denial of Service (DoS) attack tools relying on hacked/compromised PCs, and, now a de facto standard for the cybercrime ecosystem, the use of APIs for supplying fellow cybercriminals with access to fresh IPs that still have a clean IP reputation.
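From a defender’s point of view, the practical consequence of the Socks4/Socks5 modules described above is that a compromised PC on your network will start speaking SOCKS on the wire, and that handshake is cheap to recognise. The following is an added example, not code from the original post: a small Python parser that decodes SOCKS4, SOCKS4a and SOCKS5 client handshakes from reassembled client-to-server TCP payloads and reports the destination each proxied connection asked for. It assumes you already have the client side of each flow as bytes (from a packet capture or a sensor); the sample flows embedded at the bottom are constructed test data using RFC 5737 documentation addresses and example.* hostnames, not observed traffic.

```python
"""Recognise SOCKS4 / SOCKS4a / SOCKS5 handshakes in reassembled client-to-server
TCP payloads, so that hosts carrying a SOCKS proxy module can be flagged.

Added example for this post (not the article's own code). The sample flows at
the bottom are constructed, with RFC 5737 addresses and example.* hostnames.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}
SOCKS5_COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
SOCKS5_AUTH = {0: "none", 1: "gssapi", 2: "username/password"}


def parse_socks4(data: bytes) -> Optional[Dict]:
    """SOCKS4 request: VN=4 | CD | DSTPORT(2) | DSTIP(4) | USERID | NUL.
    SOCKS4a puts 0.0.0.x in DSTIP and appends HOSTNAME | NUL after USERID."""
    if len(data) < 9 or data[0] != 4 or data[1] not in SOCKS4_COMMANDS:
        return None
    port = struct.unpack("!H", data[2:4])[0]
    raw_ip = data[4:8]
    userid_end = data.find(b"\x00", 8)
    if userid_end == -1:
        return None
    userid = data[8:userid_end].decode("ascii", "replace")
    dest = str(ipaddress.IPv4Address(raw_ip))
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:  # SOCKS4a marker
        host_end = data.find(b"\x00", userid_end + 1)
        if host_end == -1:
            return None
        dest = data[userid_end + 1:host_end].decode("ascii", "replace")
    return {"version": 4, "command": SOCKS4_COMMANDS[data[1]],
            "dest": dest, "port": port, "userid": userid}


def parse_socks5(data: bytes) -> Optional[Dict]:
    """SOCKS5 greeting: VER=5 | NMETHODS | METHODS. If the client's request
    follows in the same stream, decode it too:
    VER=5 | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT(2)."""
    if len(data) < 3 or data[0] != 5:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    finding = {"version": 5,
               "auth_methods": [SOCKS5_AUTH.get(m, f"0x{m:02x}") for m in data[2:2 + n]],
               "command": None, "dest": None, "port": None}
    req = data[2 + n:]
    if len(req) >= 10 and req[0] == 5 and req[2] == 0 and req[1] in SOCKS5_COMMANDS:
        atyp = req[3]
        if atyp == 1:                       # IPv4
            dest, off = str(ipaddress.IPv4Address(req[4:8])), 8
        elif atyp == 3:                     # domain name, length-prefixed
            length = req[4]
            dest, off = req[5:5 + length].decode("ascii", "replace"), 5 + length
        elif atyp == 4 and len(req) >= 22:  # IPv6
            dest, off = str(ipaddress.IPv6Address(req[4:20])), 20
        else:
            return finding
        if len(req) >= off + 2:
            finding.update(command=SOCKS5_COMMANDS[req[1]], dest=dest,
                           port=struct.unpack("!H", req[off:off + 2])[0])
    return finding


def scan_flows(flows: List[Tuple[str, bytes]]) -> List[Dict]:
    """Return one finding per flow whose client bytes open with a SOCKS handshake."""
    findings = []
    for flow_id, client_bytes in flows:
        hit = parse_socks4(client_bytes) or parse_socks5(client_bytes)
        if hit:
            findings.append({"flow": flow_id, **hit})
    return findings


# Constructed sample flows (not observed traffic).
SAMPLE_FLOWS = [
    # SOCKS4 CONNECT to 203.0.113.10:25 with userid "bot"
    ("flow-1", b"\x04\x01\x00\x19\xcb\x00\x71\x0a" + b"bot\x00"),
    # SOCKS5 greeting offering no-auth, then CONNECT mail.example.net:587
    ("flow-2", b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([16])
               + b"mail.example.net" + b"\x02\x4b"),
    # SOCKS4a CONNECT example.org:80 (0.0.0.1 marker, hostname after userid)
    ("flow-3", b"\x04\x01\x00\x50\x00\x00\x00\x01" + b"anon\x00" + b"example.org\x00"),
    # Plain HTTP, must not match
    ("flow-4", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(finding)
```

Run on its own, the script prints three findings (the SOCKS4, SOCKS5 and SOCKS4a flows) and ignores the HTTP flow. In practice you would feed it the first few hundred client bytes of each new outbound TCP session from a flow sensor; an internal workstation that starts emitting SOCKS CONNECT requests toward port 25 or toward arbitrary external hosts is exactly the “hacked PC turned anonymization hop” pattern this post describes, and the decoded destination and port give the incident responder something concrete to pivot on.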
We expect to continue observing a mix of purely malicious infrastructure and legitimate logs-free infrastructure being used to anonymize a cybercriminal’s online activities, successfully bypassing the data retention regulations currently in place.