The shady side of the web: DDoS attacks on banks, card fraud and bulletproof hosting of file-sharing
At last week’s e-Crime Congress, Verisign’s iDefense intelligence unit distributed an interesting report on the dark side of the Internet. The report consisted of case studies on different subjects: DDoS attacks on banks as part of a strategy for plundering online accounts, forums and online marketplaces for card fraud, and bulletproof hosting of illegal material.
The first case takes us to the Russian domain. Verisign describes a criminal practice of online bank robbery, often originating from the .ru domain. Techniques for breaking into accounts are first tested on domestic banks. If successful, less well-secured banks in the Middle East are raided, or even branches of Western banks, which generally have secured their online services better. DDoS attacks are often part of the strategy for targeting banks. The attack functions as a decoy: all the attention of the security staff is directed at the DDoS attack, giving the criminals more time to empty accounts. The DDoS attack is generally carried out from foreign, often Chinese, command and control (C&C) servers. This adds an extra layer of complexity for law enforcement, which needs to trace the Chinese attacks back to their Russian controllers. It also creates a jurisdictional barrier.
Internet fraud is by no means a Russian exclusive. The next case takes us to the German-speaking countries. There are a number of forums on which information and equipment for committing credit card fraud are traded. The proceeds of carding (buying items such as laptops with faked credit card data) are also often sold on these forums. Two large examples are carders.cc and Swissfaking. These forums host an active community with its own Twitter feed and a blog section offering tips on all kinds of carding-related actions, such as a topic titled “how to spreaden”, explaining how to spread malware. The size of the community at carding.cc is estimated at around 10.000 users. Much of the communication is directed at novices, but the technical proficiency of some of the members, states the Verisign report, “makes these forums a vital point of interest for monitoring developments in the wider European carding scene”.
The third case discussed is bulletproof hosting. This refers to hosting providers that do not cooperate with takedown requests. Bulletproof hosting providers, who prefer the less conspicuous name “abuse immunity”, facilitate illegal behaviour on a large scale. Examples are spamming, illicit trade (for example in rogue pharmaceuticals), black hat hacking and file-sharing.
Such hosts come in many varieties. Most find it acceptable to host activities such as malware, adware, Trojans, web spam, adult content, trade in fake medicines and pirated content. Some are willing to host anything, up to and including extremism and child pornography. The main reason these services remain widespread even in countries whose law enforcement is equipped to deal with cybercrime is that attention focuses on the content creators rather than on the hosts. The hosting providers are happy to shroud themselves in this fog of anonymity.
22 March 2010
