Bulletproof hosting services have become a critical component for successful cybercrime, according to a new report. And law enforcement and security firms are struggling to find ways to stop them.
The new report from security software maker Trend Micro Inc., titled Criminal Hideouts for Lease: Bulletproof Hosting Services, sheds light on bulletproof hosting services (BPHS), which host malicious sites that sell or trade malware, security exploits, and stolen personal and financial data. Although private security companies and law enforcement agencies collaborate to combat online criminals, bulletproof hosting services are a safe haven for cybercriminals to slip through and remain hidden.
"Bulletproof hosting services (BPHS) play a very crucial, yet very low-key role in cybercriminal operations," wrote Max Goncharov, senior threat analyst at Trend Micro and author of the report. "Without BPHS, many, if not all major cybercriminal groups would cease to operate."
BPHS protect cybercriminals and malicious sites by residing in countries with lax laws regarding the Internet, hacking and law enforcement jurisdiction. Many BPHS reside in countries such as China, Bolivia, Iran and Ukraine, according to the report. The goal is to be as far away from Western law enforcement agencies as possible.
In many cases, the bulletproof hosting service provider acts as either a legitimate service provider, or the site is legitimate and is being unknowingly abused by cybercriminals. The Trend Micro report describes three different models that outline the toxicity of a site: a bulletproof server, where the provider deliberately hosts malicious content; a compromised server, where the provider rents out legitimate servers to malicious clients; and an exploited cloud-hosting service, where the service is being used illegally. These hosting services can facilitate online cybercrimes, such as the distribution of malware, distributed denial of service (DDoS) attacks and phishing scams with the intent of stealing personal information -- including Social Security numbers, bank information and credit card numbers.
"These services are a key element in the infrastructure of organized crime online," said Christopher Budd, global threat communications manager at Trend Micro.
For example, the report cites Mihai Ionut Paunescu, aka "Virus", who was based in Romania and became a bulletproof hosting service provider by renting servers from legitimate Internet service providers and then reselling the servers to cybercriminals. Paunescu's BPHS was used to provide a base of operations for the malware writers behind the Gozi banking Trojan; he was arrested by Romanian authorities in 2012 and was later charged by the U.S. Department of Justice with conspiracy to commit computer intrusion, conspiracy to commit bank fraud and conspiracy to commit wire fraud.
What makes bulletproof hosting services unique is their ability to exist under the radar. They operate and appear like a legitimate service provider to avoid suspicion from law enforcement agencies. Paunescu's BPHS, Power Host, went unnoticed until Gozi infected several banks, attracting the attention of U.S. authorities. Skillfully managing a BPHS requires constant monitoring of security vendors and root-hosting service providers, because they commonly blacklist BPHS providers once they are discovered, according to the report.
But beyond blacklisting sites, security vendors have found there is little they can do to stop BPHS. Still, vendors can assist law enforcement agencies in public-private partnerships, according to Michele Kopp, director of product marketing for data security solutions at Dell. "We see part of our role as sharing our security intelligence with law enforcement and government agencies to help their efforts to take down these sites," she said.
Once that valuable security intelligence is provided, law enforcement agencies can't simply turn off the BPHS. Instead, law enforcement must find a way to physically apprehend the people running the hosting service, which is sometimes referred to as the "last mile" of law enforcement.
However, when BPHS are located in countries that deprioritize law enforcement of cybercrimes, the prosecuting country can't close the last mile. "Bulletproof service hosts are smart about their relationship with the last mile of law enforcement," Budd said. "They establish rules for their clients, so they are less of a nuisance [and less likely to get caught]."
In the case of Paunescu and Power Host, Gozi became too much of a nuisance for its BPHS to remain under the radar of U.S. law enforcement. But even if a prosecuting country has enough virtual data to arrest a host, it has to collaborate with law enforcement from other countries, which can take years. Paunescu's case, for example, required cooperation between the FBI and Romanian police. This was also the case with the takedown of Rove Digital, an Estonia-based company that appeared to be a legitimate Web hosting and advertising firm, but had conducted a lengthy cybercrime campaign behind the scenes.
In the case of Rove Digital and Paunescu's Power Host, both bulletproof hosting services were studied, monitored and researched for lengthy periods, which means the actual BPHS takedowns can take place years after the investigations begin. For example, Trend Micro first discovered Rove Digital's cybercrime efforts in 2006, but it wasn't until 2009 that law enforcement agencies in Estonia and the U.S. began investigating the hosting company. Rove Digital's sites and hosting services were finally taken down in 2011, when the investigation led to six Estonian nationals being arrested and charged with an assortment of cybercrimes.
BPHS are absolutely critical for organized cybercriminals, and without extensive research and aid from security firms and stronger cooperation between international law enforcement agencies, Trend Micro said, there is virtually no chance of stopping them.
"Unless major changes happen in the way international laws protect or turn a blind eye to services like these, BPHSs will continue to exist and cybercriminals will continue to thrive," the report states.