The dark side of web hosting services

As the latest cyber exploits grab the headlines, a less dramatic aspect of threat activity also deserves attention: Bulletproof Hosting Services (BPHS). These web hosting sites specialize in provide resilient internet hosting services that are valuable to cybercriminals want to avoid regulatory and legal controls. They allow their customers to host data and services that would be prohibited by other providers or could be easily removed by law enforcement.

Getting real-time information from BPHS can help your security team better understand and counter potential threats.

Threat actors need accommodation services too

Just as legitimate organizations depend on web hosting to store web content and deliver In Internet connectivity, many cybercriminals require third-party infrastructure and services to host malicious websites, content, exploits, and other activities.

To meet this need, BPHS operators offer web hosting services with a twist: they help customers maintain anonymity and avoid takedowns by regulators and law enforcement.

To do this, hosts can:

  • Physically locate their servers in countries with fewer laws and regulations on the type of content they host and less stringent extradition laws. For example, some underground players perceive the Netherlands or Luxembourg as a “safe” place to host gambling-related content.
  • Bribing officials to protect themselves from regulatory action.
  • Adopt a “don’t ask, don’t tell” approach to the content and activities of customers hosted on their site.
  • Provide early notifications of withdrawal requests so customers have time to move their operations and avoid downtime.
  • Anonymous support cryptocurrency payments such as Ethereum, Monero, Bitcoin or Zcash.

These strategies can complicate the investigate and prosecute BPHS operators, particularly when they spread their assets and operations across multiple countries. However, they are sometimes charged, apprehended or extradited. In one case, four Russian nationals pleaded guilty to the operation of a BPHS which provided hosting and command and control (CC)waitersfor malware, including Zeus, SpyEye, Citadel, and Blackhole. thethere were extradited to the United States, where they were sentenced to various prison terms by the United States Department of Justice.

BPHS operators to face the concurrencecustomer expectations

Despite their emphasis on anonymity and evading Regulators, BPHS providers mirror their traditional peers in multiple ways. They face fierce competition that requires advertising, and they often offer value-added features to customers such as hosting plans, service levels and warranties. Typical services include:

  • DoS Protection
  • Backup plans
  • Domain name registration
  • Virtual Private Servers (VPS) or Virtual Dedicated Servers (VDS).
  • 24/7 technical support

One of the competitive differentiators among BPHS vendors is the type of infrastructure arrangement they use. There are three main models:

  1. Develop a private, in-house/custom data center. Because this type of infrastructure is built specifically to host malicious and illegal content, it offers the highest level of availability and anonymity. From the perspective of criminals, a host that physically controls their infrastructure represents greater security and availability. (One of the best known BPHS vendors of this type was CyberBunker).
  2. Rental of commercial infrastructure for an extended period. Some providers renting infrastructure from large, legitimate vendors and reselling it in the market for cybercriminals. They hide malicious client traffic inside legitimate network traffic.
  3. Resell compromised assets. Some BPHS operators run their service on infected servers whose owners are unaware that they have been compromised. This model is usually only viable for a limited time, as legitimate owners can discover the breach in their systems. Criminals typically use this type of BPHS for short-term activities such as spam distribution, mass scanning, brute forcing, or hosting reverse proxies.

Why You Should Care About BPHS

Although its extent is difficult to quantify, most security experts believe that bulletproof hosting supports a significant portion of cybercrime. That’s why it’s important for security teams to familiarize themselves with BPHS vendors, their infrastructure, and how they operate. This knowledge can help your team design ways to defend against threats launched from BPHS sites.

EclecticIQ recently upgraded its Commercial Ssources To feed for EclecticIQ Intelligence Center with exclusive Data to cybercriminal infrastructure (IP addresses, domain names, etc.) related to BPHS providers. This givess our clients a contextual armed in their arsenal to block attackers instead of have to count on on the IP reputation scoreare. And knowing that a domain is hosted on a service that caters to criminals helps SOC analysts to better judge wwhen evaluating incidents or alerts.

Want to know more?

Contact us for more details on this one-stop source of information about the rock-solid hosting world.

*** This is a syndicated blog from the EclecticIQ Blog Security Bloggers Network written by the EclecticIQ Threat Research Team. Read the original post at:

Comments are closed.