When it comes to cybercriminal infrastructure, the dark web gets the glory with its secret criminal marketplaces, illegal money laundering services and botnets as a service. Criminals also get a lot of what they need from legitimate commercial infrastructure providers.
It's not just because mainstream vendors are more reliable than people who break the law for a living. Using commercial infrastructure is also a way for cyber attackers to avoid detection and seem legit while they go about their criminal business. Here are some of the ways that criminals are using -- and abusing -- law-abiding technology infrastructure companies and service providers.
1. Stolen or legitimately purchased cloud services
Criminals can pay for cloud services with perfectly legitimate payment methods, as long as the way they use those services is not too obviously illegal.
In some cases, providers will also accept bitcoin or other anonymized payments. In other cases, there may be resellers, legitimate companies that buy services from the major cloud providers then resell them at a markup to anonymous buyers. "It's quite simple, actually," says Bryan Becker, security researcher at WhiteHat Security. "I did it with a large cloud hosting provider. You go to a website, and it looks and feels real, and you purchase the service and get access immediately. They're a legitimate reseller, but their whole business model is that you can buy hosting using bitcoin and other cryptocurrencies."
There's a legitimate use of these services, Becker says, such as when customers live in areas where they don't have banking infrastructure. Some of the resellers may be violating the cloud providers' terms of service, he adds, but they're not necessarily breaking the law.
That's not the only way that criminals can get access to legitimate cloud service providers. "Why pay for it when you can just steal it?" asks Jeff Nathan, principal researcher at security firm Exabeam. Criminals will often have access to stolen credit cards, for example, though they may have to try a lot of them before finding one that works.
Better yet is getting access to enterprise accounts, he says. "If it's a big enough company, with a lot of accounts with a cloud services provider, that gets hard to track," Nathan says. "You get to hide among all the other noise." Once criminals get access to a cloud account, they can use it to host malicious or deceptive websites, coordinate botnet traffic, host malware downloads, temporarily store stolen data, or run phishing campaigns.
If the traffic is coming from a service that a company is already using, it can often bypass security filters. Dominic Sartorio, senior vice president of products and development at security firm Protegrity, recently came across an interesting criminal use of Amazon S3 buckets. Normally, where companies get in trouble with Amazon storage buckets is in the configuration details, accidentally setting them to allow public access. In the case of one large financial services company he worked with, it was the criminals who set up the bucket.
"Their customer service and customer loyalty team was trying to do some analytics," says Sartorio. "They just did it on their own, shadow IT, not going through the right procedures." The criminals got into the middle of this, sending very convincing emails to the team members using spoofed company email addresses, giving them the address of the S3 bucket and inviting them to upload their data. The criminals had already seeded the buckets with fake but realistic-looking data. "So, the marketing team connected to the fake S3 bucket thinking it was their own and uploaded real data," he says.
The bank had several ways it could have protected against this, Sartorio says, and once they learned of the leak, they did set up additional security measures. Sartorio, whose company provides cloud data security software, recommends putting protections around the data itself. "If the data had been tokenized, then the bad actors could not have done anything with the data," he says.
Companies can also apply data loss prevention (DLP) technology to monitor for sensitive data being uploaded to cloud platforms. Anti-phishing technology could also have been used to spot the bad emails. "If you looked at the email, you might have seen it was out of character for the sender, and that it took some strange hops," he says, "but the average non-technical marketing person might not be aware of that."
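To make the tokenization recommendation concrete, here is an added Go example (not Protegrity's product and not code from the article) of a minimal vault-style tokenizer for card numbers. Tokens keep the length and the last four digits so an analytics team can still work with the records, while the mapping back to the real number lives only inside the vault; a copy of tokenized data uploaded to a bucket an attacker controls is useless without it. The in-memory vault, the 13-to-19-digit length rule and the decision to make every token fail the Luhn check (so a token can never be mistaken for, or accidentally equal, a real card number) are design choices made for this example, not details the article specifies.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
	"strings"
	"sync"
)

// Vault stands in for a tokenization service. It is the only component that
// can turn a token back into the real card number, so a record copied to a
// bucket an attacker controls carries nothing they can use.
type Vault struct {
	mu      sync.Mutex
	toToken map[string]string // PAN -> token
	toPAN   map[string]string // token -> PAN
}

func NewVault() *Vault {
	return &Vault{toToken: map[string]string{}, toPAN: map[string]string{}}
}

// LuhnValid reports whether a digit string passes the Luhn check that real
// card numbers satisfy.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// normalize strips separators and rejects anything that is not 13-19 digits
// (an assumed range for this example).
func normalize(pan string) (string, error) {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(pan)
	if len(digits) < 13 || len(digits) > 19 || strings.Trim(digits, "0123456789") != "" {
		return "", errors.New("not a card number")
	}
	return digits, nil
}

// Tokenize returns a format-preserving token: same length, digits only, last
// four kept so support staff can still recognise a card, the rest random.
// The token is deliberately Luhn-invalid so it can never be a real card number.
// The same PAN always gets the same token, so joins and counts over tokenized
// data still work.
func (v *Vault) Tokenize(pan string) (string, error) {
	digits, err := normalize(pan)
	if err != nil {
		return "", err
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.toToken[digits]; ok {
		return tok, nil
	}
	for {
		prefix, err := randomDigits(len(digits) - 4)
		if err != nil {
			return "", err
		}
		tok := prefix + digits[len(digits)-4:]
		if _, taken := v.toPAN[tok]; taken || tok == digits || LuhnValid(tok) {
			continue // collision, or a token that could pass for a real PAN: draw again
		}
		v.toToken[digits], v.toPAN[tok] = tok, digits
		return tok, nil
	}
}

// Detokenize is the privileged operation; only the vault can do it.
func (v *Vault) Detokenize(tok string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.toPAN[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

// randomDigits draws n decimal digits from the CSPRNG, never from math/rand.
func randomDigits(n int) (string, error) {
	var b strings.Builder
	for i := 0; i < n; i++ {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		b.WriteByte(byte('0' + d.Int64()))
	}
	return b.String(), nil
}
```

In a real deployment the vault is a separate, tightly access-controlled service and Detokenize is the call that gets audited; the marketing team's upload path would only ever see the output of Tokenize.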
2. Stolen or poorly validated certificates
Users know to look for a lock symbol when visiting websites, and some browsers or corporate firewalls may block access to sites without a valid certificate altogether. That lock means the site's certificate chains to a certificate authority the browser trusts. Certificates are also used to sign software, so that users can check who published a download and that it has not been altered since it was signed. Neither check says anything about what the code actually does: a signature only proves that whoever held the signing key vouched for it.
Certificate abuse is a very common attack method these days, says Peter Smith, co-founder and CEO at Edgewise Networks. "We've seen a lot of malware recently that uses legitimate certificates," he says. "In some cases, they are stolen. In other cases, they are issued because of poor validation processes."
To guard against this, he suggests that enterprises make sure the systems that validate certificates have access to the latest revocation lists, and that they properly vet the certificate authorities they trust. "Make sure that the vendors you rely on are implementing the best practices for certificates," he says.
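As an added example (not code from the article or from any vendor quoted in it), the following Go program shows why the revocation-list advice matters in practice. It builds a throwaway CA, issues two code-signing certificates, revokes one of them as if its private key had been stolen, and then verifies both with and without consulting the CRL. Go's `Certificate.Verify` never checks revocation, so the revoked certificate passes a chain check on its own and is only caught when the CRL is consulted, which is exactly what happens when malware is signed with a stolen certificate and the consuming system never fetches the CRL. The CA, names and serial numbers are all constructed here; the code assumes Go 1.19 or newer for `ParseRevocationList` and `RevocationList.CheckSignatureFrom`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate is revoked")

// PKI is a demo hierarchy built in memory: a root CA, a code-signing leaf whose key we
// pretend was stolen (so the CA revokes it), a second leaf that stays good, and the CRL.
type PKI struct {
	CA, Revoked, Valid *x509.Certificate
	CRL                *x509.RevocationList
}

// must keeps the demo short; real code propagates these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issueLeaf(serial int64, cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// BuildPKI issues the CA and both leaves, then publishes a CRL listing serial 2.
func BuildPKI() *PKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	revoked := issueLeaf(2, "stolen-signing-key", ca, caKey)
	valid := issueLeaf(3, "good-signing-key", ca, caKey)
	// RevokedCertificates works on every Go release with CRL support; newer ones also take RevokedCertificateEntries.
	crlTmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return &PKI{CA: ca, Revoked: revoked, Valid: valid, CRL: crl}
}

// VerifySigner builds a chain to the trusted root for the code-signing usage and
// then, if asked, consults the CRL. Certificate.Verify never checks revocation,
// so without that second step a stolen-and-revoked certificate still passes.
func VerifySigner(leaf, root *x509.Certificate, crl *x509.RevocationList, checkRevocation bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if !checkRevocation {
		return nil
	}
	// Fail closed on a CRL that is unsigned, forged or stale.
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("crl is past NextUpdate; refusing stale revocation data")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

Calling `VerifySigner(p.Revoked, p.CA, p.CRL, false)` on the result of `BuildPKI()` returns nil, while the same call with `checkRevocation` set returns `ErrRevoked`; the unrevoked leaf passes either way. The stale-CRL branch is the caveat practitioners most often skip: a revocation check that silently fails open when the CRL cannot be fetched or is out of date is no check at all.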
3. Public security research and disclosures
A lot of cybersecurity information and tools are available via commercial channels, and criminals can easily get access to most of it. Criminals see the new vulnerability disclosures as soon as the security professionals do, and can make use of them immediately, says Gaurav Banga, founder and CEO at security firm Balbix. "Good guys have to go through company protocols," he says. "So, the bad guys can react faster."
Some security vendors publish ranked lists of threats. That gives the attackers a good sense of what the Fortune 500 will be defending against, he says. Then there are tools like VirusTotal and Spamhaus. They are useful for security professionals, says Banga, but also for criminals writing viruses and emails designed to bypass filters.
Criminals have had access to security tools for a long time, says Rob McDonald, VP of product management at security firm Virtru. "It's not so much that the use of these tools is new," he says, "as the sophistication of the actors using it."
CSOs have to up their game, McDonald adds. "I hate to say this, but the reality is that many organizations are still not patching their vulnerabilities as quickly as they should," he says. "Depending on how large they are, it can take weeks or months to respond." Companies need to get better at patching, he says, and, if immediate patching is not an option, take other security measures to mitigate the risk.
4. Anonymous payment services
There are plenty of reasons for law-abiding citizens to use anonymous payment services. They might want to send gift cards to friends and family, for example. Or, when so many breaches are hitting the headlines, they might not want their real payment information to be visible to anyone else. "There are a lot of services out there, like Blur and Privacy.com, that allow you to create anonymized credit cards," says Nathan.
Plus, of course, there's bitcoin. Not all commercial infrastructure providers accept payments in anonymous form. If a criminal really needs to use one of those providers and wants to pay real money instead of using stolen account credentials or stolen credit cards, then some resellers will act as middlemen.
5. "Bulletproof" proxies
Bulletproof proxy services -- also known as smart proxies -- disguise user locations. It’s the flip side of bulletproof hosting services, which protect malicious websites. The legitimate purpose is to protect activists in corrupt regimes. A semi-legitimate purpose is to allow users to evade geofencing by content providers. In practice, however, smart proxies are often used by criminals to launch attacks.
The services have access to millions or tens of millions of residential IP addresses. Security vendor Cequence Security saw an 800% increase in retail-sector traffic coming from residential bulletproof proxies between May and July of this year. In the financial sector there was a 518% increase, and a 361% increase overall. "These networks aren't necessarily illegal because some of them have been built up by users volunteering to be part of the network," says Will Glazier, Cequence's head of threat research. "They volunteer because they basically get hoodwinked." One such network, for example, promised its users a free peer-to-peer VPN service while in reality their computers became part of the proxy botnet.
With some networks offering more than 32 million proxies, it's not likely that all the IP addresses are from willing volunteers. The rest of the botnets are filled out with infected computers, routers, smart cameras -- any network connected device on a residential IP address.
Once in place, these botnets can be used to, say, try logging in to a bank with breached usernames and passwords. "They will route a million requests through a million different IPs with a million different credential pairs," Glazier says. "The purpose is to make it look like a million different normal, average American users." The same tactic can be used for ad click fraud and other attacks where the source needs to look like an average person.
The problem has to be attacked on several fronts, says Glazier. One is for the ISPs to take down the botnets themselves, he says. "We go right to the ISP and say, 'We've seen 50,000 IP addresses of yours hitting a customer, and we think they're routers of the same type.' They can update the router and reset it."
For individual companies defending against credential stuffing and ad click fraud, the current best practice is to use behavioral analytics to spot suspicious logins. For example, a security camera does not usually need to check its bank balance at two o'clock in the morning. "Another deviation from usual behavior is the speed of the login," says Glazier. "A human can't type at a certain speed."
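As an added example, not code from Cequence or from the article, here is a small Go detector that runs over a constructed login log and applies the two signals Glazier describes: logins submitted faster than a human can type, and traffic spread across many IPs and many credential pairs so that per-IP rate limiting never fires. The log format, its field names, the 1,500 ms typing floor and the per-minute thresholds are all assumptions made for this example; tune them against your own baseline.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// LoginEvent is one parsed line of a hypothetical login audit log.
type LoginEvent struct {
	At       time.Time
	IP, User string
	SubmitMS int // milliseconds between the form being served and submitted
	Success  bool
}

// ParseLine reads "<RFC3339 time> ip=... user=... submit_ms=... result=ok|fail".
func ParseLine(line string) (LoginEvent, error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	at, errT := time.Parse(time.RFC3339, strings.SplitN(line, " ", 2)[0])
	ms, errN := strconv.Atoi(kv["submit_ms"])
	if errT != nil || errN != nil || kv["ip"] == "" || kv["user"] == "" || kv["result"] == "" {
		return LoginEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	return LoginEvent{At: at, IP: kv["ip"], User: kv["user"], SubmitMS: ms, Success: kv["result"] == "ok"}, nil
}

// humanSubmitMS is an assumed floor: nobody reads a login page and types a
// username and password in under 1.5 seconds.
const humanSubmitMS = 1500

// WindowStats summarises one minute of login traffic.
type WindowStats struct {
	Attempts, DistinctIPs, DistinctUsers, Failures, FastSubmits int
}

// Suspicious matches the shape of a distributed credential-stuffing run: nearly
// every attempt from a different IP with a different username, mostly failing,
// and submitted faster than a person could type.
func (w WindowStats) Suspicious() bool {
	if w.Attempts < 10 {
		return false
	}
	n := float64(w.Attempts)
	return float64(w.DistinctIPs)/n >= 0.8 && float64(w.DistinctUsers)/n >= 0.8 &&
		float64(w.Failures)/n >= 0.7 && float64(w.FastSubmits)/n >= 0.5
}

// Summarise computes the counters the rule above needs for one window.
func Summarise(evs []LoginEvent) WindowStats {
	w := WindowStats{Attempts: len(evs)}
	ips, users := map[string]bool{}, map[string]bool{}
	for _, ev := range evs {
		ips[ev.IP], users[ev.User] = true, true
		if !ev.Success {
			w.Failures++
		}
		if ev.SubmitMS < humanSubmitMS {
			w.FastSubmits++
		}
	}
	w.DistinctIPs, w.DistinctUsers = len(ips), len(users)
	return w
}

// Analyse buckets the log into one-minute windows keyed by window start.
func Analyse(logText string) map[time.Time]WindowStats {
	byMinute := map[time.Time][]LoginEvent{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		if ev, err := ParseLine(sc.Text()); err == nil { // production code should count parse failures too
			start := ev.At.Truncate(time.Minute)
			byMinute[start] = append(byMinute[start], ev)
		}
	}
	out := map[time.Time]WindowStats{}
	for start, evs := range byMinute {
		out[start] = Summarise(evs)
	}
	return out
}

// SampleLog is constructed: a quiet business-hours minute, then a 2 a.m. minute with
// twelve attempts from twelve residential-looking addresses, each a different breached pair.
func SampleLog() string {
	var b strings.Builder
	b.WriteString("2019-08-14T09:12:03Z ip=198.51.100.20 user=alice submit_ms=6400 result=ok\n")
	b.WriteString("2019-08-14T09:12:40Z ip=198.51.100.77 user=bob submit_ms=9800 result=fail\n")
	for i := 0; i < 12; i++ {
		result := "fail"
		if i == 7 {
			result = "ok" // the single hit is what the whole run is for
		}
		fmt.Fprintf(&b, "2019-08-14T02:13:%02dZ ip=203.0.113.%d user=victim%02d submit_ms=%d result=%s\n",
			i*4, 10+i, i, 40+i*15, result)
	}
	return b.String()
}
```

Run `Analyse(SampleLog())` and the 02:13 window comes back with twelve attempts from twelve addresses and twelve usernames, eleven failures and twelve sub-human submit times, so `Suspicious()` is true; the 09:12 window is not flagged. Note that the one successful login inside the attack window is the whole point of the run, and a detector keyed only on failures per IP would have let it through.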
6. Call forwarding platforms
People are more likely to answer a phone call if the number looks a lot like their own, says Protegrity's Sartorio. This is particularly true of enterprise employees, who can easily recognize a number that belongs to the company's phone exchange, or one very close to it. "A lot of companies won't reserve the entire block," he says. "They might have a handful of individual phone numbers."
For example, many companies have a voice-over-IP (VoIP) system in which all the telephone numbers at a given location share the same area code and the same three-digit exchange prefix. The main number is published on the company's website, so it is easy for criminals to find it and guess the phone number pattern at that location.
"You have these phone center platforms that can automatically provision a new phone number and can secure phone numbers close to your targets," Sartorio says. Attackers use these services for their robocalls in an attempt to get a company employee on the line and then try to use social engineering to, say, make them think they're talking to company tech support. Protegrity has already added this topic to the security awareness training for its own employees, he says.