While the latest cyber exploits grab headlines, a less-dramatic side of threat activity also deserves attention: bulletproof hosting services (BPHS). These web hosting providers specialize in resilient internet hosting services that are valuable to cybercriminals wanting to avoid regulatory and legal scrutiny. They enable their customers to host data and services that other providers would disallow or that law enforcement could otherwise easily take down.
Gaining real-time insights into BPHS can help your security team better understand – and counter – potential threats.
Threat actors need hosting services, too
Just as legitimate organizations depend on web hosting to store web content and provide internet connectivity, many cybercriminals need third-party infrastructure and services to host malicious websites, content, exploits, and other activities.
To meet this need, BPHS operators deliver web hosting services with a twist: they help customers maintain anonymity and avoid takedowns by regulators and law enforcement agencies.
To do this, hosting providers may:
- Physically locate their servers in countries with fewer laws and regulations about the type of content they host, and with less strict extradition laws. For example, some underground actors perceive the Netherlands or Luxembourg as a “safe” place to host gambling-related content.
- Bribe officials to shield themselves from regulatory action.
- Take a “don’t ask, don’t tell” approach to customer content and activities hosted on their site.
- Provide early notifications of takedown requests so customers have time to move their operations and avoid downtime.
- Support anonymous cryptocurrency payments such as Ethereum, Monero, Bitcoin, or Zcash.
These strategies can make it difficult to investigate and prosecute BPHS operators, particularly when they distribute their assets and operations across several countries. However, occasionally they are charged, apprehended, or extradited. In one case, four Russian nationals pleaded guilty to operating a BPHS that provided hosting and command and control (C&C) servers for malware including Zeus, SpyEye, Citadel, and Blackhole. They were extradited to the United States, where they were prosecuted by the U.S. Department of Justice and received jail sentences of varying lengths.
BPHS operators face competition, customer expectations
Despite their focus on anonymity and evading regulators, BPHS providers mirror their mainstream peers in multiple ways. They face stiff competition that requires advertising, and they often provide customers with value-added features like hosting plans, service tiers, and guarantees. Typical services include:
- DoS protection
- Backup plans
- Domain name registration
- Virtual private servers (VPS) or virtual dedicated servers (VDS)
- 24/7 technical support
One of the competitive differentiators among BPHS providers is the type of infrastructure arrangement they use. There are three primary models:
- Developing a privately owned, in-house/custom data center. Because this type of infrastructure is built specifically for hosting malicious and illegal content, it delivers the highest level of availability and anonymity. From the viewpoint of criminals, a hosting provider with physical control of its infrastructure represents greater security and availability. (One of the most famous BPHS providers of this type was CyberBunker.)
- Leasing commercial infrastructure for an extended period. Some providers lease infrastructure from larger legitimate providers and resell it on the cybercriminal market. They hide customers’ malicious traffic within legitimate network traffic.
- Reselling compromised assets. Some BPHS operators run their service on infected servers whose owners are unaware of having been compromised. This model is usually viable for only a limited time because the legitimate owners may discover that their systems have been compromised. Criminals typically use this type of BPHS for short-term activities like spam distribution, mass scanning, brute-forcing, or hosting of reverse proxies.
Why you should care about BPHS
Although its extent is hard to quantify, most security experts believe bulletproof hosting supports a significant portion of cybercrime. That’s why it’s important for security teams to learn about BPHS providers, their infrastructure, and how they operate. This knowledge can help your team devise ways to defend against threats launched from BPHS sites.
EclecticIQ recently enhanced its Commercial Sources Feed for EclecticIQ Intelligence Center with exclusive data on cybercriminal infrastructure (IP addresses, domain names, etc.) tied to BPHS providers. This gives our customers a contextual weapon in their arsenal to block attackers instead of having to rely on IP reputation scores alone. Knowing that a domain is hosted on a service that caters to criminals helps SOC analysts make better judgments when assessing incidents or alerts.
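The paragraph above describes using BPHS infrastructure data (IP ranges and domains tied to a provider) as context for alerts rather than relying on a reputation score. The script below is an added example of that enrichment step, written for this page; it is not EclecticIQ code and does not use the Intelligence Center API. The indicator feed, provider names (`example-bph-1`, `example-bph-2`) and JSON log lines are all constructed: the CIDRs come from documentation address ranges and the domains use the reserved `.example` TLD, so nothing here points at real infrastructure. Events that a low reputation score would leave unflagged are still tagged when their destination falls inside a feed CIDR or under a feed domain.

```python
"""Enrich proxy-style log events with bulletproof-hosting (BPHS) context.

Added example for this article, not EclecticIQ code. The feed and the log
lines are constructed for illustration; the provider labels are hypothetical.
"""
import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class BphsIndicator:
    value: str      # CIDR block or domain name
    provider: str   # hypothetical BPHS provider label from the feed
    kind: str       # "cidr" or "domain"


# Constructed feed: documentation ranges and reserved .example domains only.
BPHS_FEED = [
    BphsIndicator("203.0.113.0/24", "example-bph-1", "cidr"),
    BphsIndicator("198.51.100.0/25", "example-bph-2", "cidr"),
    BphsIndicator("bad-host.example", "example-bph-1", "domain"),
]

# Constructed JSON-lines log. reputation_score: 0 (clean) .. 100 (malicious).
SAMPLE_LOGS = [
    '{"ts":"2024-01-01T10:00:00Z","src_ip":"10.0.0.5","dst_ip":"203.0.113.45",'
    '"dst_host":"cdn.bad-host.example","reputation_score":12}',
    '{"ts":"2024-01-01T10:00:05Z","src_ip":"10.0.0.6","dst_ip":"198.51.100.200",'
    '"dst_host":"update.vendor.example","reputation_score":5}',
    '{"ts":"2024-01-01T10:00:09Z","src_ip":"10.0.0.7","dst_ip":"198.51.100.77",'
    '"dst_host":"files.example.net","reputation_score":3}',
    '{"ts":"2024-01-01T10:00:12Z","src_ip":"10.0.0.8","dst_ip":"192.0.2.10",'
    '"dst_host":"bad-host.example.","reputation_score":40}',
]


def build_index(feed):
    """Split the feed into parsed networks and a domain lookup table."""
    nets = [(ipaddress.ip_network(i.value), i.provider)
            for i in feed if i.kind == "cidr"]
    domains = {i.value.lower(): i.provider for i in feed if i.kind == "domain"}
    return nets, domains


def match_ip(ip, nets):
    """Return the provider whose CIDR contains ip, or None (bad input -> None)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, provider in nets:
        if addr in net:
            return provider
    return None


def match_domain(host, domains):
    """Match the host or any parent domain (sub.bad-host.example -> bad-host.example)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


def enrich(event, nets, domains):
    """Attach BPHS context to one event without altering the original fields."""
    hits = []
    provider = match_ip(event.get("dst_ip", ""), nets)
    if provider:
        hits.append(("dst_ip", provider))
    provider = match_domain(event.get("dst_host", ""), domains)
    if provider:
        hits.append(("dst_host", provider))
    out = dict(event)
    out["bphs_match"] = bool(hits)
    out["bphs_providers"] = sorted({p for _, p in hits})
    out["bphs_fields"] = sorted(f for f, _ in hits)
    # Low reputation score plus a feed hit is the case the article calls out.
    out["missed_by_reputation"] = bool(hits) and event.get("reputation_score", 0) < 50
    return out


def enrich_lines(lines, feed=BPHS_FEED):
    """Parse JSON-lines input and enrich every non-empty line."""
    nets, domains = build_index(feed)
    return [enrich(json.loads(line), nets, domains) for line in lines if line.strip()]


if __name__ == "__main__":
    for ev in enrich_lines(SAMPLE_LOGS):
        flag = "BPHS" if ev["bphs_match"] else "    "
        print(f'{flag} {ev["ts"]} {ev["dst_ip"]:<16} {ev["dst_host"]:<26} '
              f'rep={ev["reputation_score"]:<3} providers={ev["bphs_providers"]}')
```

In a real pipeline the feed would be refreshed from the intelligence platform and the enriched fields written back to the SIEM, so that a detection rule can key on `bphs_match` or `missed_by_reputation` instead of on a raw score threshold. Parent-domain matching is deliberate: BPHS customers commonly hang many subdomains off one registered domain.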
Want to know more?
Contact us for details about this unique source of insights into the world of bulletproof hosting.