Hideouts for Lease: The Silent Role of Bulletproof Hosting Services in Cybercriminal Operations

What do LeaseWeb, Galkahost, and Spamz have in common? All of them, at one point or another, have functioned as cybercriminal hideouts in the form of bulletproof hosting services (BPHS).

Simply put, BPHS is any “hosting facility that can store any type of malicious content like phishing sites, pornography, and command-and-control (C&C) infrastructure.” If I were to compare them with real-life crime rings, BPHS would be those hideouts criminals use to perform their illegal activities in private. In the context of cybercrime, it is very common to belittle the role of BPHSs in cybercriminal operations and instead focus on revealing the bad guys’ identities or discussing their modus operandi. But the truth is: BPHSs are crucial. They are so crucial, in fact, that many major cybercriminal groups would not be able to operate without them.

So why not just shut them down? Well, the thing with BPHS takedowns is that they are easier said than done.

In my paper, “Criminal Hideouts for Lease: Bulletproof Hosting Services”, I cite several factors that make BPHSs an imposing challenge for security and law enforcement organizations. For one, many BPHS providers operate under the guise of legitimate and legal hosting providers. This makes tracking them a lot trickier.

Running BPHS as a Business

BPHS providers usually choose one of three business models when building their services, as follows:

Model 1: Dedicated bulletproof servers
BPHS providers create a convincing business front to avoid suspicion from law enforcement. They usually cater to customers who need to host content that may be considered illegal in certain countries.

Model 2: Compromised dedicated servers
BPHS providers choose to compromise dedicated servers and rent these out to parties who wish to host malicious content.

Model 3: Abused cloud-hosting services
Cybercriminals abuse cloud-hosting services like Amazon Web Services (AWS), Hetzner, OVH, and LeaseWeb to host C&C servers or drop stolen data, among other malicious purposes.

It is important for these BPHS providers to be able to retain their name or domain for a long time to show how adept they are in keeping customers’ activities confidential, particularly from security researchers and law enforcers. Longtime providers are usually kept afloat by their capability to provide immediate technical support, quickly migrate in case they’re blacklisted, protect from DDoS attacks, and advertise cleverly to reach their specific clientele.

Figure 1. Sample of a BPHS provider with expensive offerings

Pricing for BPHSs depends on the risk involved in hosting certain content. Providers in several countries offer as low as US$2 per month for low-risk content, while servers based in China, Bolivia, Iran, and the Ukraine can go as high as US$300 per month for critical infrastructure projects or high-risk content. (You can find a more detailed description of the risk ratings or the toxicity of BPHS servers in the paper.)

Takedown Impossible

Another challenge for security and law enforcement organizations is the fact that these services operate in locations that do not heavily police cybercrime. BPHSs are often based in countries with lax regulations and laws that penalize and protect against cybercriminal activities.

We looked at several BPHS providers in different countries and noted the types of malicious content they frequently host. Do note that this list is not exhaustive. There are many more bulletproof hosts that operate in other countries not cited here.

Figure 2. Malicious content found in BPHS servers in certain countries

My FTR colleague, Bob McArdle, sums up the challenges BPHSs pose pretty well: “The very nature of BPHSs is that they protect malicious activity against law enforcement, giving cybercriminals the much-needed loophole to wriggle out of and escape from the clutches of both law enforcement and the security industry. That loophole unfortunately largely remains open today.”

The paper contains more insights on BPHSs as well as a system of classifying them to help out my fellow security researchers and law enforcements in their own investigations.

Click on the thumbnail below to read the paper “Criminal Hideouts for Lease: Bulletproof Hosting Services.”