An underground hosting service can include the provision of hosting infrastructures, domain name provisions, fast-flux infrastructures, traffic accelerators, virtual and dedicated servers, and virtual private networks (VPNs). Hosted infrastructures are also used to send phishing emails, trade illegal goods on online shops, and host virtual private systems (VPS) that can be used to launch attacks from.
In the first part of our underground hosting research series, we’ll be looking into the underground marketplaces to see what goods and services they offer to hacker communities and how criminal sellers conduct their transactions with criminal infrastructure buyers.
Hosting services allow users to bypass internet restrictions, maintain anonymity, and make forensics tricky. Here are other reasons why they’re used often:
Underground platforms offer a wide range of services that cater to criminal hackers, from bulletproof hosting and proxies to VPSs and VPNs. Interestingly, such services were also observed on forums related to online betting, online marketing, and search engine optimization (SEO) — the services can be used to produce clicks that can influence search engine behavior.
We also found chat groups in online messenger platforms like VK, Telegram, and WhatsApp that were used to advertise the abovementioned services. We could link the ads on underground forums and social networks through the same contact information provided by the sellers. This is contrary to an existing notion that criminals only sell illicit goods in the underground. They also mirror their marketplaces on the surface web.
This is the current state of the cybercrime underground market — well-established with forums packed with offerings and vibrant communities of actors of different maturity levels. Underground marketplaces have evolved and developed structures that mirror legitimate businesses. Sellers have developed detailed business models and monetization systems that accept common means of payment, such as PayPal, Mastercard, Visa, and cryptocurrencies.
The product slate in the underground is diverse. Aside from the garden variety underground offerings of credit card dumps and skimmers, hacking services abound in dedicated shops, offering dedicated servers, SOCKS proxies, VPNs, and distributed denial-of-service (DDoS) protection.
Underground forum sections related to hosting and VPNsUnderground forums could have tens and hundreds of posted topics. A certain forum, for instance, can have over 10,000 topics and 25,000 posts related to proxies and VPNs only. Law enforcement action against forum users is also widely discussed in underground threads.
We found official resellers of public hosting services to be advertising in underground forums. These hosting providers have legitimate clientele and advertise on the internet. However, several resellers cater to criminals in the underground, either with or without the company’s knowledge. This shouldn’t come as a surprise since criminals may also wish to avail and make use of such services that tout excellent features.
We spotted underground actors sharing reference links from hosting providers and even earning referral money from the community. Hosts are commonly discussed and advertised by criminal actors for their anonymity and abuse-handling (or no-handling for that matter).
An advertisement for a bulletproof hosting service provider Unlike regular hosts, providers that are advertised as bulletproof are typically used to host malicious content such as malware repositories, phishing sites, pornography, vulnerability scanners, and spammers. These providers ignore abuse reports and allow cybercrime operations to be orchestrated on their servers. This makes facilitating takedowns even more difficult in countries with lenient cybercrime laws, which may hinder law enforcement investigations.
Like any business that sells goods and services to potential buyers, criminal sellers also advertise. Sellers use different platforms to promote their products and services: chat channels, hacking forums, and social media posts.
For instance, we found a hosting service advertised on the social network VK. In the underground, it is positioned as suitable to carry out brute-force attacks and run mass internet scans via Masscan, Nmap, and ZMap.
A Telegram channel that shows compromised assets to advertise their servicesTelegram, for instance, has become a point of contact for services advertised in underground forums. In some cases, it is used as a platform for advertising services. Dedicated chats and bots are also used to sell servers and other compromised assets such as hosts with RDP access and VPNs.
Better awareness of the underground is crucial in helping organizations, the InfoSec community, and law enforcement to manage and reduce cybercrime. Detailed findings can be read in our full paper, “The Hacker Infrastructure and Underground Hosting: An Overview of the Cybercriminal Market,” which provides insights into the workings of an underground economy and the foundations of online criminal infrastructure.
More underground hosting research:
Like it? Add this infographic to your site:1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
In the first half of this year, cybersecurity strongholds were surrounded by cybercriminals waiting to pounce at the sight of even the slightest crack in defenses to ravage valuable assets. View the report
The upheavals of 2020 challenged the limits of organizations and users, and provided openings for malicious actors. A robust cybersecurity posture can help equip enterprises and individuals amid a continuously changing threat landscape. View the 2020 Annual Cybersecurity Report
buy cvv shop dumps tr cc