OAKLAND–For years, bulletproof hosting providers have been the bane of the Internet. They serve as havens for malware, cybercrime operations, and child exploitation rings, while dodging law enforcement by moving their operations early and often. But security researchers and cybercrime investigators are beginning to make some headway in the fight against these operators, through cooperation and quick action.
Like legitimate businesses, cybercrime groups need infrastructure and support in order to operate. For many of them, bulletproof hosting providers–which ask few questions about content and will often run interference with law enforcement agencies–are the foundation of their activities. Ransomware gangs, malware crews, and many other species of cybercriminals rely on these hosting providers to keep the servers they use for their operations up and running. Security researchers and cybercrime investigators know who most of these providers are and track their activities closely, but getting them to take down customers’ servers with illegal content is no easy task.
“Hosters will put different customers in different countries based on the type of content they have. If it’s porn, they use the Netherlands. Malware is Ukraine. And they make the life of law enforcement very difficult by being uncooperative,” Dhia Mahjoub, a principal engineer at OpenDNS Research Labs, said during a talk at the Enigma conference here Tuesday.
Some bulletproof providers will give their customers advice on how to deal with requests from law enforcement, and will give them several days to move or change their operations before responding to police. Providers also typically spread their IP space across several autonomous systems (ASNs) and multiple countries, so that no single network operator or national authority sees, or has jurisdiction over, the whole footprint. Mahjoub said that remains one of the larger challenges in dealing with cybercrime operations.
“Cross-jurisdictional issues are a big challenge. Hosters have very little incentive to change anything. If they take content down, that affects their business,” he said.
“The vicious thing about these guys is that they spread all across the web and stay under certain thresholds so we won’t notice them. Having friends at a certain ISP or hosting company is very useful.”
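The two points above, spreading IP space across several ASNs and staying under per-network thresholds, are easy to reproduce in a small detection script. The following is an added example, not code from the talk or from OpenDNS: it uses constructed data, with RFC 5737 documentation prefixes, RFC 5398 documentation ASNs, an assumed set of ASNs that tracking has attributed to one hoster, and a made-up list of flagged hosts. It shows that a naive per-ASN counter never fires while an aggregate over the hoster's whole footprint does.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the talk or OpenDNS): a toy routing table of
# documentation prefixes (RFC 5737) announced by documentation ASNs (RFC 5398),
# with the country each prefix is announced from.
ROUTING_TABLE = [
    (ip_network("198.51.100.0/24"), 64500, "NL"),
    (ip_network("203.0.113.0/24"), 64501, "UA"),
    (ip_network("192.0.2.0/24"), 64502, "RO"),
    (ip_network("192.0.2.128/25"), 64503, "US"),  # more-specific carve-out, unrelated ASN
]

# Constructed assumption: ASNs that researcher tracking has tied to one hoster.
SUSPECT_HOSTER_ASNS = {64500, 64501, 64502}

# Constructed: hosts flagged over a week as malware C2 or phishing. Four per
# network, so every network stays under a per-ASN alert threshold of five.
FLAGGED_HOSTS = (
    [f"198.51.100.{i}" for i in range(10, 14)]
    + [f"203.0.113.{i}" for i in range(20, 24)]
    + [f"192.0.2.{i}" for i in range(30, 34)]
    + ["192.0.2.200"]  # falls in the /25 that belongs to the unrelated ASN
)


def attribute(ip: str):
    """Longest-prefix match of an address against the routing table.
    Returns (asn, country), or None if the address is not covered."""
    addr = ip_address(ip)
    best = None
    for net, asn, cc in ROUTING_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, cc)
    return None if best is None else (best[1], best[2])


def per_asn_counts(hosts):
    """Number of flagged hosts attributed to each ASN."""
    counts = Counter()
    for host in hosts:
        hit = attribute(host)
        if hit is not None:
            counts[hit[0]] += 1
    return dict(counts)


def flag_per_asn(hosts, threshold):
    """Naive alerting: one counter per ASN. Returns the ASNs at or above threshold."""
    return {asn for asn, n in per_asn_counts(hosts).items() if n >= threshold}


def flag_per_actor(hosts, actor_asns, threshold):
    """Aggregate across every ASN attributed to the same hoster before comparing
    against the threshold. Returns (total, flagged)."""
    total = sum(n for asn, n in per_asn_counts(hosts).items() if asn in actor_asns)
    return total, total >= threshold


def countries_for(actor_asns):
    """Distinct countries the hoster's prefixes are announced from."""
    return sorted({cc for _, asn, cc in ROUTING_TABLE if asn in actor_asns})


if __name__ == "__main__":
    THRESHOLD = 5
    print("per-ASN counts:", per_asn_counts(FLAGGED_HOSTS))
    print("flagged by per-ASN threshold:", flag_per_asn(FLAGGED_HOSTS, THRESHOLD))
    print("hoster total, flagged:", flag_per_actor(FLAGGED_HOSTS, SUSPECT_HOSTER_ASNS, THRESHOLD))
    print("hoster footprint countries:", countries_for(SUSPECT_HOSTER_ASNS))
```

With the constructed data, each ASN carries four flagged hosts and the per-ASN rule stays silent, while the hoster-level aggregate reaches twelve and fires; the country list shows why a single national authority sees only part of the picture. In practice the attribution step would be fed by real BGP or WHOIS data, and the hoster-to-ASN mapping is exactly the M.O. tracking the talk describes.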
Researchers and cybercrime investigators have had some successes in recent years going after these providers, most notably the 2008 McColo takedown and, before that, the disappearance of the Russian Business Network (RBN) after its operations were publicly exposed. Mahjoub said that takedowns require a delicate mix of technical work and human relationships to be effective.
“If you want to take a hoster down, we face challenges. You have to prove the content is bad, prove that there’s intent,” he said. “As researchers, if we give them evidence on a repetitive basis, they will see that it’s a pattern. Bad guys have an M.O. and if you track that very closely, you can help law enforcement. You shouldn’t give up.”