All online businesses need a stable and reliable infrastructure. The most advanced advertising campaigns, market entry and customer retention strategies become meaningless if the store’s website is systematically inaccessible and payment acceptance keeps breaking down. All this is also true for the cybercrime business. In this post you will learn how hacking infrastructure is set up and how criminal services keep running smoothly.
Each cybercrime group has its own specific set of requirements for its network infrastructure. Some need temporary servers for password guessing, network scanning or phishing; others need “bulletproof” hosting hidden behind a chain of reverse proxies.
All the variety comes down to a few typical scenarios:
- hosting sites with illegal or dubious content,
- hosting management (command-and-control) infrastructure,
- hosting service applications and components,
- hosting anonymizers, forward and reverse proxies,
- dedicated servers for scanning and brute-force attacks,
- phishing and spamming platforms.
So, the criminal network infrastructure generally consists of the following areas:
- special hosting services,
- hosting based on compromised servers,
- services for confidentiality and anonymity,
- DNS services.
Let’s take a closer look at these components, starting with special hosting services.
Any illegal activity sooner or later draws the attention of law enforcement agencies to the resources associated with it. Then the IP addresses of these resources are blocked, servers are seized, and domains are taken down. This disrupts the cyberattacks and forces the criminals to spend money on organizing new infrastructure. To avoid this, illegal structures resort to services that are immune to police requests.
For example, the laws of Belize and the Seychelles allow hosting companies to ignore all law enforcement requests related to the resources hosted on their premises. As a result, many bulletproof hosting services are located there.
Another example is the placement of criminal hosting in a private home. Such an illegal data center, which contained more than 100 servers, was recently discovered and liquidated by the Ukrainian police.
Fast-flux is a fully legal technique used to provide increased service availability and load balancing by constantly switching domain name resolution across a pool of IP addresses. For criminals, this approach provides increased resistance to hacking and interception, allowing them to hide the location of their server. The IP pool is often used to organize a chain of reverse proxy servers and can be sourced from several places: rented cloud VPS, botnet nodes or compromised machines.
The essence of the fast-flux method is to use short TTLs (time-to-live) for A records in DNS. This prevents intermediate DNS servers from caching the domain name and forces them to always request a fresh resolution from the domain’s authoritative name servers. Small TTL values allow cybercriminals to repoint a domain at IP addresses from a dedicated pool with high frequency and ensure service availability even if some of the addresses are compromised or blocked by the ISP.
The TTL values shown in red are set with an unusually low retry interval and minimum TTL (in seconds). Under normal circumstances this would place an additional load on the DNS server, but in the case of fast-flux the goal is to defeat the caching mechanism so that the client is always given the IP address currently served by the fast-flux infrastructure.
Fast-flux services are usually more expensive than bulletproof hosting because their operator has to maintain a pool of IP addresses to provide the fast-flux infrastructure, and this comes at an additional cost.
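As an added defender-side illustration (not code from the original post), the following Python example shows how the short-TTL, rotating-A-record pattern described above can be spotted in passive-DNS style observations. The sample records and the thresholds are constructed for illustration; real detectors typically use ASN diversity where this example uses /24 prefixes as an offline stand-in.

```python
from ipaddress import ip_network

# Constructed observations for one domain: (seconds since first lookup,
# TTL of the answer, set of A records returned). Addresses come from
# documentation ranges and are made up, not real indicators.
FLUX_OBSERVATIONS = [
    (0,   60, {"203.0.113.10", "198.51.100.7", "192.0.2.33"}),
    (120, 60, {"203.0.113.10", "198.51.100.88", "192.0.2.150"}),
    (240, 60, {"198.51.100.7", "192.0.2.33", "203.0.113.201"}),
    (360, 60, {"203.0.113.77", "198.51.100.150", "192.0.2.9"}),
]
# Ordinary hosting for contrast: one stable address, hour-long TTL.
NORMAL_OBSERVATIONS = [
    (0,    3600, {"203.0.113.10"}),
    (3600, 3600, {"203.0.113.10"}),
    (7200, 3600, {"203.0.113.10"}),
]


def analyze(observations):
    """Summarize TTL, address diversity and answer churn for one domain."""
    seen, prefixes = set(), set()
    churned, previous = 0, None
    for _, ttl, answers in observations:
        seen |= answers
        for ip in answers:
            # /24 prefix as a rough stand-in for "different network"
            prefixes.add(ip_network(f"{ip}/24", strict=False))
        if previous is not None:
            # count addresses that were not in the previous answer
            churned += len(answers - previous)
        previous = answers
    ttls = [ttl for _, ttl, _ in observations]
    return {
        "avg_ttl": sum(ttls) / len(ttls),
        "unique_ips": len(seen),
        "unique_prefixes": len(prefixes),
        "churn": churned,
    }


def is_fast_flux(observations, max_ttl=300, min_ips=5, min_prefixes=3):
    """Flag a domain when low TTLs coincide with many, diverse, rotating IPs."""
    s = analyze(observations)
    return (s["avg_ttl"] <= max_ttl
            and s["unique_ips"] >= min_ips
            and s["unique_prefixes"] >= min_prefixes)
```

A low TTL alone is not evidence (CDNs use them too); the verdict only fires when it coincides with address churn across several networks.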
Cybercriminal groups compete with each other no less than legitimate organizations, and as a means of competition they organize denial-of-service attacks on competitors’ resources using Layer 4 and Layer 7 methods. That is why many bulletproof services offer hosting with DDoS protection, or DDoS protection as a standalone service that can be put in front of an existing resource.
As a rule, such services are provided by placing a specialized component such as a WAF (Web Application Firewall) in front of the protected server.
VDS from compromised hosts
Compromised servers are often used for hosting during one or more stages of their criminal monetization life cycle.
To seize control of a server, attackers use:
- vulnerabilities in server software,
- brute-force attacks,
- privileged API keys,
- account theft via connected servers,
- phishing and fraud campaigns.
Password guessing is typically used in attacks on SSH, VNC and RDP services.
The credentials to access the captured servers are subsequently sold at clandestine online stores:
Capturing more secure servers may require zero-day vulnerabilities, which are also offered on cyber forums.
Compromised cloud hosting
From an attacker’s point of view, Google Cloud and Microsoft Azure are extremely accessible resources, since both allow users with a bank card linked to their account to try the services for free. This has led attackers to actively collect data from Google accounts with linked bank cards and then use them to run instances of dedicated servers.
Detailed tutorials are published for novice hackers:
For those who do not want to bother hacking accounts, there are stores offering already hacked Microsoft Azure and Google Cloud accounts.
SOCKS, Proxies and SSH Tunnels
SOCKS and proxy services allow cybercriminals to hide without attracting too much attention and without triggering detection with network security monitoring tools.
Due to the demand for this tool, it is relatively easy to find resources offering SOCKS proxies, and the purchase can be paid for in cryptocurrency.
Another way to hide the communication is to tunnel into legitimate protocols, for example SSH:
The price of SSH tunnels depends on the country of location. Location is very important for some illegal activities. For example, the anti-fraud systems of banks correlate information about the cardholder with the geolocation of the IP address from which the attempt to use the card was made. Therefore, criminals are willing to pay more for a tunnel that matches not only the desired country, but also the city.
Another service in demand in the cybercriminal environment is anonymous VPNs, and here the preferences of groups are divided: some prefer to use legal commercial VPNs like NordVPN or ProtonVPN, others rent similar services on the underground market, and still others build their own infrastructure based on OpenVPN, WireGuard or SoftEther.
One of the signs indirectly indicating that compromised hosts are used to provide VPN services is a stated “availability guarantee period” for the service. The shorter the period, the more suspicious the service. It is unlikely that a legal VPN provider would write in the following terms: “If the provided credentials do not work within the next 24 (48 or 72) hours, new credentials will be provided free of charge”. But this is exactly what is usually present in offers of illegal services.
Another suspicious sign of the possible criminal nature of an anonymizing service is the duration of the contract. Legal VPN providers sell services for at least one month, while in the criminal environment there are offers of VPN services for a period not exceeding one day. It is difficult to imagine legitimate use cases for which such a short time is enough, whereas a day is enough to:
- check the validity of compromised bank cards,
- check the validity of compromised accounts,
- register accounts on cloud or content hosting platforms,
- send fraudulent mailings on social networks,
- launch a malicious advertising campaign.
Infrastructure offers of the shadow cyber business are not limited to relatively standard services. Looking at ads, you can find quite interesting services which are either in demand among niche customers or gaining popularity.
Some vendors offer “bulletproof” mobile workstations that are not accessible to outsiders.
And although formally the policy of this site prohibits the distribution of malicious programs, we found ads on the forum hinting that other malicious actions are allowed:
The offer mentions complete anonymity, inability to locate the user, a high-speed Internet connection, DDoS protection, an outgoing traffic mixer and five different VPNs. Although direct port scanning, bots and malware distribution are not allowed, with the help of such workstations an attacker can commit other criminal acts.
Traffic Anonymizing Mixers
Tor is not the only way to hide from the vigilant eye of law enforcement and competitors. Services offering “bulletproof” workstations have developed their own traffic mixers using a geographically distributed router network. This traffic is mixed with the traffic of anonymous VPS instances, which periodically move between data centers located in different countries, making such systems even more difficult to trace.
Services are also available that combine VPN connections, Tor and geographically distributed router sets. These combinations make it possible to create such a complex chain of hosts and redirectors that it is almost impossible to trace.
For example, one of the services suggests using such a chain:
Host → VPN1 → VPN2 → Tor → gateway for bouncing traffic → traffic mixer → geographically distributed routers for bouncing traffic → remote desktop (RDP) for operation → connection via other geographically distributed routers → Tor servers → exit node → destination point.
The research showed that the cybercrime infrastructure is much more developed than many researchers had anticipated. We believe that this very component is one of the most mature aspects of criminal business. Network worms give way to Trojans, browser exploits to targeted phishing attacks, and the business model of information theft is replaced by direct extortion. However, the infrastructure on which all these actions are based remains in demand and is constantly being developed, offering new technically sophisticated services.
Cybercriminals need a reliable service that allows them to operate for as long as possible while hiding from law enforcement agencies. This demand has spawned an entire industry of semi-legal services that indirectly assist criminals. The problem is that providing reliable, untraceable hosting services is not illegal in itself. Solving this problem is a very important part of the puzzle for those who fight cybercrime as a global problem.