There are varied types of underground hosting and associated services used by cybercriminals to operate their businesses, including bulletproof hosting, virtual private networks (VPNs), anonymizers, and Distributed Denial of Service (DDoS) protection.
Criminal businesses need hosting services and cybersecurity protections too, according to Trend Micro’s study. The study analyzes the market for underground hosting services and details how and where cybercriminals rent the infrastructure that hosts their business. The study details the market for buying and selling these services, which are the backbone of every other aspect of the cybercriminal business model, whether that includes sending spam, communicating with a command and control server, or offering a help desk for ransomware.
Over the past five years, increased use and abuse of compromised assets has formed a whole new market. There are varied types of underground hosting and associated services used by cybercriminals to operate their businesses, including bulletproof hosting, virtual private networks (VPNs), anonymizers, and Distributed Denial of Service (DDoS) protection. Such services could variously be used to protect availability, maintain anonymity, disrupt forensics, obfuscate physical location, and enable IP spoofing, among other things.
“For over a decade, Trend Micro Research has dug into how cybercriminals think, as opposed to focusing only on what they do, which is critical when it comes to protecting against them,” said Robert McArdle, director of forward-looking threat research at Trend Micro. “The study focuses on how these criminals approach their infrastructure needs, and the markets that exist for such commodities. We hope that providing law enforcement and other stakeholders with a go-to resource on this topic will help to further our collective mission of making the digital world a safer place.”
Cybercrime is a highly professional industry, with sales and advertisements leveraging legitimate marketing techniques and platforms, all driven by cost to some extent. For example, one advertisement was found for dedicated, compromised servers based in the US starting at just USD 3, rising to USD 6 with guaranteed availability for 12 hours. Although many of these services are traded on underground forums, some of which are invite-only, others are clearly advertised and sold via legitimate social media and messaging platforms, such as Twitter, VK and Telegram.
In fact, the line between criminality and legitimate business behavior is increasingly difficult to discern. Some hosting providers have a legitimate clientele and advertise openly on the internet but may have resellers that sell exclusively to the criminal underground – either with or without the company’s knowledge.
Bulletproof hosters, which are more definitively linked to cybercrime, are generally regular hosting providers trying to diversify their business to cater to the needs of specific customers. For a premium price, they’re prepared to push to the absolute limit of what the law allows and prosecutes in their local jurisdiction.