Friday, August 23, 2013

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Four

Continuing the "The Cost of Anonymizing a Cybercriminal's Internet Activities" series, in this post I'll profile an API-supporting, blackhat SEO-friendly vendor of anonymization services, which is currently offering hundreds of thousands of compromised SSH accounts, HTTP/HTTPS-based (compromised) proxies, and Socks 4/5 servers, which are ubiquitous in the cybercrime ecosystem.

The service is currently offering access to 180,331 compromised SSH accounts, 9597 HTTP/HTTPS proxies, and 110,185 (compromised) Socks servers located virtually all over the world.

How are they gaining access to this accounting data in the first place? Despite the overall availability of brute-forcing tools, in 2013 one of the most popular tactics for obtaining stolen/compromised accounting data remains the practice of 'data mining' a botnet's already infected 'population' for virtually any kind of accounting data, to be later monetized through multiple distribution/abuse channels.

Sample screenshots of the anonymization service:




Sample screenshots of the API in action:




It's also worth emphasizing that the service is not just targeting potential cybercriminals wanting to anonymize their Internet activities, but also black hat SEO monetizers, who now have access to hundreds of thousands of fresh Socks servers to abuse while monetizing their fraudulent/malicious campaigns.

Vertical market integration, or the one-stop-shop market model, has always been an inseparable part of the cybercrime ecosystem, as it increases the probability that a cybercriminal's one-stop-shop would immediately occupy a larger market share within the cybercrime ecosystem, consequently resulting in more revenue from the facilitation of fraudulent and malicious activity.

Some of the most popular instances of this trendy business concept applied by cybercriminals internationally include, but are not limited to, the following real-life underground market propositions:
  • A vendor of mobile spamming services would not only offer the actual spamming process, but also offer harvested mobile numbers as a value-added service, next to the on-demand harvesting of mobile numbers for any given geographical region.
  • A vendor of managed spam services would also offer the option to buy segmented and geolocated, as well as often validated, email addresses, with the ability to perform custom harvesting for any given country.
  • A vendor of a managed iFraming platform would also offer access to hijacked traffic to be automatically converted to malware-infected hosts through the platform, with additional services including, for instance, managed crypting of the iFrame/malicious script in real time.
  • An author of a Web malware exploitation kit would also offer managed iFrame/script crypting services next to bulletproof hosting, in case the customer desires those.

The cost of anonymizing a cybercriminal's Internet activities in this particular case? The price is shaped based on the anonymization method of choice.

This post has been reproduced from Dancho Danchev's blog.