Rogue states play host to outlaw servers

Criminals were already moving in to take advantage of the chaos in Syria when the civil war broke out. Even as the unrest increased and the country’s relationship with the west became increasingly strained, a Russian-speaking group was setting up servers that could offer so-called “bulletproof” hosting services to online crooks.

Bulletproof hosting — so called because operators are beyond the reach of most law enforcers — enables cyber crime. It is the technological equivalent of a physical hide-out. Just as a gang needs a place to cache weapons and stolen goods, cyber criminals need internet-connected servers on which they can keep the malicious software they use for attacks, fake internet sites used for scams and the data they have stolen. Offering these hosting services to spammers, pornographers, data thieves and fake shopping sites has become an underworld business niche.

“We have seen the emergence of a full-service cyber crime model,” says Bharat Mistry, cyber security consultant at Trend Micro, a security software company that has published a research report on bulletproof hosting.

He says: “It is easy for even a novice to get into this. You can rent the malware, get a support contract, and even a dashboard for monitoring an attack.”

The cost of renting a dedicated bulletproof server is about $70 per month according to Trend Micro’s research. Often the deal will include customer support services — such as a helpline number to call if things go wrong — as clients would have with a regular hosting arrangement. Alternatively, a server can be rented to mount a single attack for $5 a time.

Countries such as Syria, whose relations with the rest of the world have broken down, attract bulletproof hosts as it is hard for anyone to close their services down. IntelCrawler, a Los Angeles-based security start-up that specialises in profiling the cyber criminal underworld and malicious networks, discovered the Russian-language hosting business in Syria not long after the start of the civil war. Panama, Lebanon, Ukraine, Russia, and Iran are among the countries that Trend Micro highlights as being popular with bulletproof hosting businesses.

“International co-operation is non-existent with countries like Panama and Lebanon. And often there are no laws that allow you to take action,” says James Aquilina, executive managing director at Stroz Friedberg, a computer forensics company. In many countries, for example, sending spam, or unsolicited email, is not illegal at all, so there is no offence for a foreign investigator to point to.

Bulletproof hosting is an often overlooked part of cyber crime, partly because these services are so difficult to track and shut down. There have been a few successes. In 2008 a California hosting company called McColo stopped operating after its two upstream providers, Global Crossing and Hurricane Electric, cut off its connectivity. Security companies estimated that the move resulted in global spam levels dropping by at least two-thirds. The lever was connectivity rather than the host itself: a bulletproof host is only as bulletproof as its upstream providers' willingness to keep routing its traffic. But such success stories are relatively rare.

Richard Cox, chief information officer at the Spamhaus Project, which tracks senders of spam, says his organisation is often able to trace malicious messages back to Russia and knows the identities of the criminals involved. Yet it is unable to act further. Cross-border co-operation with the Russian police has grown ever more difficult, he adds, following the UK inquiry into the murder of ex-KGB agent Alexander Litvinenko, which has heightened political tensions.

As well as choosing their geography carefully, bulletproof hosts use other techniques to make tracking difficult. They may, for example, compromise the servers of legitimate businesses and relay their malware and spam through them. Malicious messages sent from the same servers, and at the same time, as a legitimate organisation's normal traffic are harder to spot, and harder to block without also cutting off the legitimate owner.

Bulletproof hosts often move operational bases quickly in order to escape detection. A 2014 study by Blue Coat Systems, a web security company, found that about 71 per cent of the hostnames it observed over a 90-day period appeared for less than 24 hours and were never seen again. Many of these “one-day wonders” were generated by legitimate high-volume sites such as content delivery networks, but a significant share were malicious sites used to launch attacks. By appearing and disappearing quickly they escape the reputation-based filters and blacklists that companies rely on for protection: a list that is updated only after a site has been reported cannot block a site that is gone before the report arrives.

“The rapid building up and tearing down of new and unknown sites destabilises many existing security controls,” wrote Tim van der Horst, senior threat researcher for Blue Coat Systems, in a note about the findings.

“You are constantly chasing the flag, because it is always changing,” says Laurance Dine, head of the Europe, Middle East and Africa forensics team at Verizon, a telecoms company. “An internet service company might receive complaints about malicious messages coming from a particular account, investigate and decide to terminate the account. Ten minutes later the same activities pop up under a new site.”
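The failure mode described above, as an added example that is not from the article, from Blue Coat or from any vendor's product: a toy comparison in Python of a static domain blacklist, which lags behind the moment a site is reported, against a newly-observed-domain heuristic, both run over constructed proxy log lines. Every hostname, timestamp, listing time and ground-truth verdict below is made up; the 24-hour age threshold and the content-delivery-network allowlist are assumptions chosen for illustration.

```python
"""
Added example (not from the FT article, Blue Coat or any vendor): compare a
static blacklist with a newly-observed-domain (NOD) heuristic on constructed
proxy log lines. Hostnames, times and verdicts are all made up.
"""
from datetime import datetime, timedelta

# Constructed proxy log: "<ISO timestamp> <client> <hostname> <verdict>".
# The last field is ground truth used only for scoring; a real log lacks it.
PROXY_LOG = """\
2014-09-01T08:00:00 10.0.0.5 cdn-a17.static.example-cdn.net benign
2014-09-01T08:05:00 10.0.0.9 mail.example.com benign
2014-09-01T09:00:00 10.0.0.5 known-bad.example.org malicious
2014-09-02T10:00:00 10.0.0.7 cdn-b42.static.example-cdn.net benign
2014-09-02T10:20:00 10.0.0.7 xk3q9.example-fastflux.biz malicious
2014-09-02T11:00:00 10.0.0.5 mail.example.com benign
2014-09-02T14:00:00 10.0.0.9 xk3q9.example-fastflux.biz malicious
2014-09-03T09:00:00 10.0.0.9 p77ra.example-fastflux.biz malicious
2014-09-03T09:30:00 10.0.0.5 mail.example.com benign
2014-09-03T09:45:00 10.0.0.7 known-bad.example.org malicious
"""

# Constructed blacklist: hostname -> time it was listed. A list only helps
# with requests made after the listing lands, which models reporting lag.
BLACKLIST = {"known-bad.example.org": datetime(2014, 9, 1, 12, 0, 0)}

# Assumed allowlist: CDNs mint short-lived hostnames constantly, so an age
# heuristic without an allowlist would block them too.
ALLOWLIST_SUFFIXES = (".example-cdn.net",)

# Assumed threshold: treat any hostname first seen less than this long ago
# as suspicious.
NOD_MAX_AGE = timedelta(hours=24)


def parse_log(text):
    """Parse log lines into (timestamp, client, hostname, verdict) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, host, verdict = line.split()
        events.append((datetime.fromisoformat(ts), client, host, verdict))
    return events


def one_day_wonders(events):
    """Hostnames whose observed lifetime (first to last sighting) is under 24h."""
    first, last = {}, {}
    for ts, _, host, _ in events:
        first[host] = min(first.get(host, ts), ts)
        last[host] = max(last.get(host, ts), ts)
    return sorted(h for h in first if last[h] - first[h] < timedelta(hours=24))


def blacklist_decide(ts, host, first_seen_at):
    """Block only if the host was already listed when the request happened."""
    listed_at = BLACKLIST.get(host)
    return listed_at is not None and ts >= listed_at


def nod_decide(ts, host, first_seen_at):
    """Block hosts this organisation first saw less than NOD_MAX_AGE ago,
    unless they match an allowlisted suffix."""
    if host.endswith(ALLOWLIST_SUFFIXES):
        return False
    return ts - first_seen_at < NOD_MAX_AGE


def combined_decide(ts, host, first_seen_at):
    """Layer the two controls: block if either one would."""
    return blacklist_decide(ts, host, first_seen_at) or nod_decide(ts, host, first_seen_at)


def score(events, decide):
    """Replay requests in order and count (true positives, false positives,
    false negatives) for a per-request decision function. first_seen is
    built as the replay goes, so each decision only uses what was known
    at that moment."""
    first_seen = {}
    tp = fp = fn = 0
    for ts, _, host, verdict in events:
        first_seen.setdefault(host, ts)
        blocked = decide(ts, host, first_seen[host])
        malicious = verdict == "malicious"
        if blocked and malicious:
            tp += 1
        elif blocked:
            fp += 1
        elif malicious:
            fn += 1
    return tp, fp, fn


def compare(log_text=PROXY_LOG):
    events = parse_log(log_text)
    return {
        "one_day_wonders": one_day_wonders(events),
        "blacklist": score(events, blacklist_decide),
        "nod": score(events, nod_decide),
        "combined": score(events, combined_decide),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

On this constructed log the blacklist blocks just one of the five malicious requests, the one made to the known domain after it was listed; the three requests to the two short-lived hosts never meet a listing at all. The age heuristic catches those and the first hit on the known domain, but it lets the aged-in known-bad domain through on day three and blocks a legitimate mail host on first sight. Layering both closes the gap, at the cost of that first-sight false positive, which is why real deployments pair newly-observed-domain rules with allowlists or a warning page rather than a hard block.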

Copyright The Financial Times Limited 2017. All rights reserved.