Hacker Infrastructure and Underground Hosting 101

Ever wonder how cybercriminals host content on the internet without a takedown or an arrest, and what makes them difficult to track down? We have the answers and insights.

September 2, 2020

Cybercriminals are in the business of making money at their victims’ expense. Unfortunately, this involves a great deal of stolen money and countless victims through identity theft, credit card theft, the encryption of user data, and more. In this article, we will go into the details of how criminal forums have adapted to the demands of the underground market and the ways they have enabled easier access to underground hosting. Are you ready to dive into the underground?

Under the constant threat of being attacked by cybercriminals, you are faced with the task of strategically defending your organization with the most effective and efficient security. What if you had greater insight into the world you are defending against? It may make you think differently about your cybersecurity strategy. Here are some insights into hacker infrastructure and underground hosting, seen from a cybercriminal’s perspective, to help inform your security strategy.

In the cybercriminal underground, a criminal’s hosting infrastructure serves as the foundation of their entire business model. It hosts anonymizing services for keeping their activities private, command-and-control (C&C) servers for taking advantage of victims’ machines, and discussion forums for communicating with other criminals. Criminal sellers provide services and infrastructures that other criminals need to execute their attacks. An underground hosting service or underground infrastructure enables threat actors to harbor cybercriminal components and carry out their malicious activities without the worry of takedowns or arrests.

Hosting Services in the Underground
Underground marketplaces have evolved and developed structures that mirror legitimate businesses. Sellers have developed detailed business models and monetization systems that accept common means of payment, such as PayPal, Mastercard, Visa, and cryptocurrencies.

As a part of this structure, the underground platforms offer a wide range of services that cater to cybercriminals, from bulletproof hosting and proxies to virtual private servers (VPS) and virtual private networks (VPNs). Interestingly, such services were also observed on forums related to online betting, online marketing, and search engine optimization (SEO). Virtually everything that exists on the surface web exists in the underground.

We also found chat groups in online messenger platforms, like WhatsApp, that were used to advertise the services mentioned above. We could link the ads on underground forums and social networks through the same contact information provided by the sellers. This is contrary to an existing notion that criminals only sell illicit goods in the underground. They also mirror their marketplaces on the surface web.

Services Advertised to Criminal Infrastructure Buyers
Interestingly enough, we found official resellers of public hosting services advertising in underground forums. These hosting providers have legitimate clientele and advertise on the internet. However, several resellers cater to criminals in the underground, either with or without the company’s knowledge. This shouldn’t come as a surprise, since criminals may also wish to make use of services that tout excellent features.

Social Media Platforms Leveraged by Criminal Sellers and Buyers
Like any business that sells goods and services to potential buyers, criminal sellers also advertise. Sellers use different platforms to promote their products and services: chat channels, hacking forums, and social media posts. For instance, we found a hosting service advertised on the social network VK, a Russian online social media and social networking service. The featured service is positioned as suitable for carrying out brute-force attacks and running mass internet scans.

Now that you have taken a step into the cybercriminal underground, you can better understand how cybercriminals operate and adjust your security strategy to match their moves. If you want to dive even deeper underground and continue to get inside a hacker’s head, read The Hacker Infrastructure and Underground Hosting: An Overview of the Cybercriminal Market.