Our researchers have uncovered a new breed of "bulletproof" hosting. Worryingly, this set-up is more cost-effective, less risky, and more agile for cybercriminals than 'conventional' bulletproof hosting, making it easier for them to host all kinds of badness. Here's what you need to know...

The preferred choice of cybercriminals

For a long time, "bulletproof" hosting has been a favorite place for spammers, phishers, botnet operators, and malware authors to host their infrastructure. Why? Unlike other hosting providers, bulletproof hosting companies do not act on abuse reports. As you can imagine, this is an attractive proposition for bad actors: they can rest easy, comfortable in the knowledge that their malicious infrastructure will stay online without fear of it being taken down.

Taking a stand against bulletproof hosting companies

Since its founding, well over two decades ago, The Spamhaus Project has identified dozens of bulletproof hosting companies, most of which were subsequently shut down, negatively impacting the operations of cybercriminals across the globe. Some famous examples include McColo, 3FN and CB3Rob (also known as "Cyberbunker"). That last disconnection resulted in one of the most severe DDoS attacks ever seen, targeting 'spamhaus.org'. More recently, Maxided and 'Cyberbunker 2.0' were taken offline by various authorities.

Current challenges facing traditional bulletproof hosting companies

Recently, running a bulletproof hosting company has become somewhat more difficult. There are several reasons for this, including:
Taking all the above into consideration, it's safe to say that from a cybercriminal's perspective, running a bulletproof hosting company isn't always easy. But it appears there's a new kid on the block! Earlier this year, we identified a new hosting provider selling its bulletproof hosting services on the dark web.

New modus operandi of a bulletproof hosting operation

Our investigations have shown that this latest bulletproof hosting provider operates with a new "modus operandi", one that is entirely different from what we have observed previously with traditional bulletproof hosting companies. To date, these companies have operated their own netblocks, and occasionally even their own ASNs. This new operation, however, rents virtual private servers (VPSs) at legitimate hosting providers using stolen or fake identities. It asks its customers to point their domain names to the newly registered VPSs. These front-end servers then act as reverse proxies, forwarding incoming traffic through a chain of further reverse-proxy servers to the final backend. Almost without exception, the domain names pointing to these newly registered VPSs have the following commonalities:
What operations are running on this hosting service?

This year we have seen a large variety of cybercrime operations being hosted this way, including:
From September 2019 to the third week of December 2019, Spamhaus identified a total of 4,117 botnet C&Cs, of which 3,620 were hosted on this new bulletproof hosting outfit. In terms of 'market share' of botnet C&C activity, this organization is therefore hosting the vast majority of them. The table below lists the top hosting providers that are being (ab)used by this new bulletproof hosting company:
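To make the two observations above concrete (C&C infrastructure spread across rented VPSs at many legitimate providers, and C&C 'market share' concentrated in one outfit), here is an added analysis example that is not part of the Spamhaus article. It runs over a constructed list of C&C sightings (the real dataset and provider names are not on the page) and computes per-provider share of distinct C&C hosts plus the domains that have resolved to VPSs at several different providers, the front-end churn pattern the article describes.

```python
from collections import defaultdict

# Constructed sample of botnet C&C sightings: (first_seen, domain, ip, hosting provider).
# All values are made up for illustration; provider names are placeholders.
OBSERVATIONS = [
    ("2019-09-03", "cc-one.example", "203.0.113.10", "ProviderA"),
    ("2019-09-05", "cc-one.example", "198.51.100.7", "ProviderB"),
    ("2019-09-12", "cc-one.example", "192.0.2.44", "ProviderC"),
    ("2019-09-08", "cc-two.example", "203.0.113.11", "ProviderA"),
    ("2019-09-20", "cc-two.example", "198.51.100.8", "ProviderB"),
    ("2019-10-01", "cc-three.example", "192.0.2.9", "ProviderC"),
    ("2019-10-02", "cc-three.example", "192.0.2.9", "ProviderC"),  # same host re-observed
    ("2019-10-04", "static-cc.example", "203.0.113.200", "ProviderD"),
]


def provider_share(obs):
    """Distinct C&C hosts (by IP) per hosting provider and each provider's share of the total."""
    hosts = defaultdict(set)
    for _, _, ip, provider in obs:
        hosts[provider].add(ip)
    total = sum(len(ips) for ips in hosts.values())
    return {p: (len(ips), round(len(ips) / total, 3)) for p, ips in hosts.items()}


def top_providers(obs, n=5):
    """Providers ranked by number of distinct C&C hosts (ties broken by name)."""
    share = provider_share(obs)
    ranked = sorted(share.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(p, count) for p, (count, _) in ranked[:n]]


def fronting_domains(obs, min_providers=2):
    """Domains whose A records have pointed at hosts at >= min_providers distinct providers.

    A single C&C domain hopping between freshly rented VPSs at unrelated providers is the
    'point your domain at the new VPS' pattern from the article; a domain parked on one
    host at one provider does not match.
    """
    providers = defaultdict(set)
    for _, domain, _, provider in obs:
        providers[domain].add(provider)
    return {d: len(p) for d, p in providers.items() if len(p) >= min_providers}


if __name__ == "__main__":
    print(top_providers(OBSERVATIONS))
    print(fronting_domains(OBSERVATIONS))
```

On real data the same aggregation, keyed on the hosting provider of each newly seen C&C host, is what exposes which providers' sign-up vetting is being abused.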
What are the benefits for cybercriminals of using this new bulletproof hosting set-up?

Running a bulletproof hosting company this way comes with various advantages for cybercriminals, compared to the traditional model:
How to combat this new threat?

This new modus operandi works only so long as there are (cheap) hosting providers with a weak or non-existent customer vetting/verification process. We have published guidelines outlining how hosting providers should vet their new customers to combat fraudulent sign-ups. Domain registrars must adopt a similar process to vet new domain registrants. Furthermore, registrars need to shut down registrants and resellers that have a high volume of fraudulent domain registrations. Spamhaus users are protected from spam, phishing, and malware sites, as well as botnet C&Cs hosted by this bulletproof organization, by using the following data feeds:
It's no great surprise that we are witnessing a change in the set-up of bulletproof hosting companies; the threat landscape is constantly evolving in the 'cat & mouse' game played out between those who wish to protect the Internet and those who wish to make illegal gains from it. However, this does, once again, highlight the fact that EVERYONE who has a stake in the Internet needs to responsibly play their part in keeping it a safe environment.
Permanent link to this news article: Bulletproof hosting – there's a new kid in town
http://www.spamhaus.org/news/article/792/bulletproof-hosting-theres-a-new-kid-in-town
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.