Trend Micro unveiled new insights analyzing the market for underground hosting services and detailing how and where cybercriminals rent the infrastructure that hosts their business.
Over the past five years, increased use and abuse of compromised assets has formed a whole new market. There are varied types of underground hosting and associated services used by cybercriminals to operate their businesses, including bulletproof hosting, VPNs, anonymizers, and DDoS protection.
Such services could variously be used to protect availability, maintain anonymity, disrupt forensics, obfuscate physical location, and enable IP spoofing, among other things.
“For over a decade, Trend Micro Research has dug into how cybercriminals think, as opposed to focusing only on what they do, which is critical when it comes to protecting against them,” said Robert McArdle, director of forward-looking threat research at Trend Micro.
The cybercrime industry
Cybercrime is a highly professional industry, with sales and advertisements leveraging legitimate marketing techniques and platforms, all driven by cost to some extent. For example, one advertisement was found for dedicated, compromised servers based in the US starting at just $3, rising to $6 with guaranteed availability for 12 hours.
Although many of these services are traded on underground forums, some of which are invite-only, others are clearly advertised and sold via legitimate social media and messaging platforms such as Twitter, VK and Telegram.
In fact, the line between criminality and legitimate business behavior is increasingly difficult to discern. Some hosting providers have a legitimate clientele and advertise openly on the internet but may have resellers that sell exclusively to the criminal underground – either with or without the company’s knowledge.
Bulletproof hosters, which are more definitively linked to cybercrime, are generally regular hosting providers trying to diversify their business to cater to the needs of specific customers. For a premium price, they’re prepared to push to the absolute limit of what the law allows and prosecutes in their local jurisdiction.
Understanding where and how these services are sold, and consequently impacting the cost of these sales, is arguably our best strategy to help make a lasting and repeatable dent in the cybercriminal underground market.