COMMSEC: Privacy and Protection for Criminals: Behaviors and Patterns of Rogue Hosting Providers


Hosting providers, while a critical enabler of online businesses globally, are used to carry out ransomware, phishing, and other attacks by cybercriminals. For all the legitimate hosting providers in the world, providing IT services to ordinary businesses, abuse of hosting providers is widespread. The problem of legitimate-but-abused and bulletproof hosters is a problem that exists in any country that is a nexus of internet hosting. Therefore, this talk is of particular relevance and interest to The Netherlands, which hosts the Amsterdam Internet Exchange and is home to major hosting infrastructures.

Hosters are leveraged for a variety of criminal operations. We see

  1. C2 servers
  2. Credit card dump shops
  3. Sites like AV check for criminals to test new programs

These activities may be set up on shared servers – hosting content alongside other businesses as well or through dedicated machines that the criminals administer. And the abuse is significant, despite efforts from registrars, LE, and researchers to combat the problem. The challenge is similar to ideas like: criminals abuse encryption, but we cannot get rid of encryption. How do we manage it?

Focusing threat intelligence efforts on these services and the actors that provide them is an important step to identifying and removing illegal and malicious content on the Internet. We bring together threat intelligence from the network and field to shed light on criminal hosting providers’ methods.

Our work leverages the standard cyber threat intelligence cycle, involving:

  • Identifying organizational stakeholders (and their roles/responsibilities)
  • Collection
  • Processing and exploitation
  • Analysis and production
  • Dissemination

Given that the Netherlands is a major country in terms of IT infrastructure and internet transit, we wanted to focus on the Dutch hosting space, collect hosting providers’ domains and IP ranges using large-scale threat intelligence collection techniques. The Dutch fast and stable Internet connections and good services attract not only bona fide parties, but also less bona fide parties. Dutch ICT facilities have been used for distributing malware, hosting child pornography, sending phishing and spam messages as well as housing of illegal hacker forums and temporarily storing stolen data in drop zones in Dutch rogue hosting companies.

The challenge of addressing abused hosting providers requires a multi-layered approach, working from the tactical to the strategic level. We investigate solutions for a variety of stakeholders across these levels (government policy makers at the strategic level, law enforcement at the operational level, and technical teams that secure and defend networks at the tactical level.

From a technical perspective we use proven threat intelligence collection, analysis and correlation techniques to shed light on behaviors and patterns of bulletproof and anonymous offshore hosting.

Location: Track 4 / CommSec Date: April 12, 2018 Time: 12:15 pm - 12:45 pm Sarah Brown Dhia Mahjoub