November 9, 2010

Hacked and malicious sites designed to steal data from unsuspecting users via malware and phishing are a dime a dozen, often located in the United States, and are a key target for takedown by ISPs and security researchers. But when online miscreants seek stability in their Web projects, they often turn to so-called “bulletproof hosting” providers, mini-ISPs that specialize in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies.

Until recently, you more or less had gain access to and lurk on the right underground forums to be able to rent services from bulletproof hosting providers. These days, it’s becoming easier to find these badware havens advertising out in the open. Last week, I traced the activities of one particular service frequented by criminals back to a bulletproof provider whose slogan says it all: “You’ll Never Get Any Abuse From Us!

Of course, just how insulated this particular provider’s services are and how much illicit activity you can get away with while using them depends largely on how much you’re willing to shell out each month. For example, an entry level “default bulletproof server” allows customers to host things like rogue online pharmacies, replica, gambling, and MP3 sites for $270 per month. But this service level bars customers from hosting nastier content, such as malware, spyware, adware, exploits, viruses, and phishing sites.

Upgrade to the “Super BulletProof Virtual Dedicated Servers in China” — and pay almost $500 a month — and the only activities that are prohibited are sending spam and hosting any type of porn.

The provider pictured here also upsells potential customers by offering a variety of handy add-on services. For extra coin each month, one can rent a bulletproof server with a license for XRumer, a black hat search engine manipulation tool that automates the registration of new Web forum accounts and the spamming of links on those forums, all in a bid to boost the search engine rankings of the spamvertized site. If you operate a blog and have had to deal with what appear to be automated, link-filled comments, chances are good that XRumer was involved in some way.

For a $20 one-time setup fee, your server will come pre-packaged with links for forums that XRumer is able to spam, including thousands of Web pages in top-level domains that are often given more ranking weight by search engines, such as .edu, .gov and .mil.


Have you seen:

Earn a Diploma from Scam U…Since the dawn of the Internet, tutorials showing would-be scammers how to fleece others have been available online. But for novices who can’t be bothered to scour the Net for these far flung but free resources, the tricks of the trade now can be learned through the equivalent of community college classes in e-thievery, or or via intensive, one-on-one online apprenticeships.


19 thoughts on “Body Armor for Bad Web Sites

  1. Yuri

    My 2 cents (from various sources on the Net).
    – to get a list of ads for such servers do a search in Google “абузоустойчивый сервер” , then use Google translate (if you happen not to know Russian yet)
    – Satellite service is abuse-proof domain registration. For those hosting malware/warez/etc content it is even more important as hosting can be changed quite easily, while domain once it was shut down can not be revived promptly if at all. For this China was once also the malicious domains heaven, but recently the rules of domain registration in .cn were changed to more strict ones (China goverment decided to get involved in it) so people look elsewhere. More and more such ads are talking about hosting/registration in Iran
    – Most of such ads are rip-offs in various disguises (plain fake , hosting that disappears after the 1st payment and such)
    – real sellers are to be found mostly on ICQ chat rooms (most popular software in Russian speaking countries)
    – Ads for these services are almost absent in English, so look at the local communities – refresh your Polish,Hungarian,Romanian,Swedish etc
    – As long as attacks coming from such servers are targeted against foreign entities they are ok with that (No wonder most of attacks are coming from behind Great firewall of China)
    – Ads about “absolutely bulletproof hosting” is rubbish. Many times the hoster ignores abuse complains just because they have troubles corresponding in English not because they are so evil, but write to them in their native language and you get a fast response. And in most cases if complain is supported by dedicated actions and resources it will be acted upon. I am myself work for ISP (no, not Chinese) and saw complains in really bad English (from US), that seem to be composed by a 5-year old kid with no substance in it (no logs, no samples , no nothing) that are funny but that is it to them.
    – General observation – once run by amateurs now Internet undeground world more and more takes on appearance of the well run businesses and enterprises (with newsletter maillists, feedback,QA,even installments plans ..) so more interesting stuff is to come .

  2. F-3000

    A note for people who use phpBB-forum:

    Update the forum software.

    I’m “extra-hand” volunteer in one (small) software company’s forum with Admin rights, and I was “promoted” when the forum was starting to get disturbing amounts of spam. The fast growing spam-wave pretty much died, once the “true admin” updated the forum software from 2.x to 3 (after I had separately requested for it), and we did set up some anti-bot settings.

    When I did set up Forge’s forum without paying attention to anti-bot settings, my forum began gathering spam, even the forum has been quite unknown and rather unused (although being #1 result in Google search might have some meaning?). Merely tweaking couple settings and keeping the source up to date has kept my forum spam-free. I personally enjoy of the “demand post approval from newly registered accounts” (which turns off after first approved post).

  3. Espen Thunold

    Browsing the Citrix website today, I did notice something familiar, namely the exact same illustration used by BulletProof Web.

    The illustration with the guy and the drawing is ripped from Citrix eDocs, take a look here: If you dont’ see it the first time, hit refresh to replace the banner.

  4. Simon

    Xrumer, is an antique, it may have been updated but virtually every self respecting site will have captchas and email conformations and such. You can find free Xrumer but it won’t be the latest and it will come with malware, though you can out maneuver the malware sometimes, or just accept it on some test computer, not VM….
    It cannot really be used to ruin a web-site if you take even minimum precaution. I remember seeing forums full of spam from this, usually not updated free forum software, v-bulletin will not be effected by this as far as I know. So the bad guys create their own forums open to exploit from Xrumer, it results is higher search ratings, but when a target sees a forum full of obvious spams…this isn’t a really effective tactic.

    It can work with dating sites on like craigslist, but this has also been rendered pretty ineffective.

  5. Surf the Web Anonymously

    Brian did you know that sophos now has a free Mac OS X antivirus program? Granted they mostly are interested in protecting windoze users, i.e. preventing the inadvertent from macs unknowingly to spread pc trojans malware, viruses, etc that 99.99% affect pc windows computer users….but also warning mac users of phishing etc.

    so in addition to ClamXAV which is also free they now have a free mac version of the makers of sophos panda anti virus

    just fyi/ & maybe you can write about it and maybe compare the few mac anti-virus security protection programs.

    Your site is excellent BTW. Don’t know why Washington Post was so stupid to not keep you esp. since these topics about computer and online security are more important and critical than ever and will be growing in value and importance going forward.

    Their loss, internet community’s gain. Keep on rockin’ dude!

  6. Brad

    Love the site, Brian. But would you please alter the CSS for body text and comment text so that they are left-justified, not fill-justified? This will look better, and read more easily. Many thanks; keep up the good work.

      1. F-3000

        In case someone’s wondering if the script’s safe, it’s very simple (a single line), and safe.

        But what that “!important” means?

          1. F-3000

            Thanks for the reply, and useful info. Yep, it was in wrong spot, but now it’s as supposed to.

  7. Oracle Tech

    In regards to malware and spam hosters, I say take off and nuke them from orbit. It’s the only way to be sure.

  8. Davi Ottenheimer

    I’m still stuck at the start when you say

    “the only activities that are prohibited are sending spam and hosting any type of porn”

    and then

    “For extra coin each month, one can rent a bulletproof server…that automates the registration of new Web forum accounts and the spamming of links on those forums”

    So you can send not-spam spam, but not spam?

    Why do they say they prohibit spam anyway if they are bullet*proof*?

    1. BrianKrebs Post author

      I believe what they’re saying is you can do blogspam — which is just a tool that automates registration and placement of links as comments, which is different from wholesale sending e-mail spam off the same boxes. Clearer?

    2. AlphaCentauri

      There are two issues with email spam — the server which is the source of the email, and the server which is hosting the websites advertised in the email. It is very common for hosting services to make that distinction in their terms of service. Even the scammiest service may object to you using their IP range to actually mail spam, because it gets them blocklisted. Long after you’re gone, subsequent customers with that IP range will be unable to get emails delivered.

  9. Josefa Bonner

    bulletproof services like this would be great for whistleblowers, activists in an oppression regime trying to leak info (pictures, videos, stories, etc), and others who need to host sensitive content that powerful adversaries may not want published.

  10. richtea

    Hi, guys, no doubt you have interesting things to say, but I shall not be reading here. I simply refuse to read any site delivering text in the oh-so-fashionable grey. If it is not black on white or any other REASONABLE combination of colors, you lose me.

Comments are closed.