Bulletproof Hosting Services: A cyber-criminal's dream

Whilst it's the hacks, the data breaches and the information thefts that grab the headlines, far less attention goes to the infrastructure that sits behind them.

Where do the bad guys host their malware, and where do they keep their stolen information? Like any legitimate online business, cybercriminals need reliable, highly available hosting infrastructure.

A new report from TrendLabs - the research arm of security company Trend Micro - describes what it calls 'Bulletproof Hosting Services' (BPHSs): providers that supply the discreet infrastructure cybercriminals need to run their businesses, store stolen data and stay out of reach of anyone trying to shut them down. This often overlooked component of cybercrime is more significant than it might seem. Without BPHSs, many cybercriminal groups would cease to operate.

Unlike regular hosts, bulletproof servers primarily host malicious content such as phishing sites, pornography, fake shopping and carding sites, and command-and-control (C&C) infrastructure. They need to offer the same service reliability as an ordinary host, but also need to appear as legitimate as possible so that authorities don't shut them down. Bulletproof host owners rent colocation space in several countries to ensure the continuity of their operations, and normally favour jurisdictions with lax cybercrime laws to minimise the risk of being blacklisted or taken down.

Like legitimate hosts, BPHSs offer different specialisms, including torrent download sites, blackhat SEO to drive traffic to malicious sites, C&C components and spam tools. TrendLabs identifies three main delivery methods: dedicated BPH servers, compromised legitimate servers, and abused cloud hosting services.

BPHSs also parallel the legitimate world in their pricing models. Low-risk content can be hosted for as little as $2 a month, while a dedicated server for high-risk content, based in China, Bolivia, Iran or Ukraine, costs $300 or more a month.

The best BPHSs have support teams who communicate with clients via ICQ, Jabber or their own JavaScript-based messaging services. Like legitimate providers, they use a ticketing system to prioritise and process queries.

Robert McArdle, Trend Micro's FTR Senior Manager, says: "The very nature of BPHSs is that they protect malicious activity against law enforcement, giving cybercriminals the much-needed loophole to wriggle out of and escape from the clutches of both law enforcement and the security industry. That loophole unfortunately largely remains open today."