Since March 2010, and especially this month, the MarkMonitor Security Operations Center (SOC) has noticed a significant increase in the use of free web hosting services for phishing and malware attacks. Cybercriminals are using free hosting services to either host the phishing and malware sites themselves or redirect to fast-flux malicious sites.
The free hosting-fast-flux combination is particularly interesting because it indicates cybercriminals have added another, front-end layer to their fraud infrastructure for greater stealth and resilience:
- Layer 2: Constantly changing compromised PCs that serve as proxy redirectors
- Layer 3: Phish or malware domains
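A defender can look for this layering by joining redirect logs with passive-DNS data. The sketch below is an added example, not MarkMonitor's tooling; the sample records, the provider suffix `freehost.example`, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the original post).
# Passive-DNS A-record observations: (domain, ip, ttl_seconds)
PDNS = [
    ("login-update.example.net", "192.0.2.10", 120),
    ("login-update.example.net", "192.0.2.77", 120),
    ("login-update.example.net", "198.51.100.4", 180),
    ("login-update.example.net", "198.51.100.90", 60),
    ("login-update.example.net", "203.0.113.5", 120),
    ("login-update.example.net", "203.0.113.200", 120),
    ("shop.example.org", "192.0.2.20", 3600),
    ("shop.example.org", "192.0.2.21", 3600),
]
# Redirects seen in proxy logs: (source_host, destination_domain)
REDIRECTS = [
    ("user123.freehost.example", "login-update.example.net"),
    ("blog.freehost.example", "shop.example.org"),
    ("www.example.com", "login-update.example.net"),
]
FREE_HOST_SUFFIXES = {"freehost.example"}        # hypothetical provider
MIN_IPS, MIN_NETS, MAX_MEDIAN_TTL = 5, 3, 300    # assumed thresholds

def flux_profiles(pdns):
    """Per domain: distinct IPs, distinct /24 networks, median TTL."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in pdns:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    return {d: {"ips": len(ips[d]),
                "nets": len({ip.rsplit(".", 1)[0] for ip in ips[d]}),
                "median_ttl": median(ttls[d])} for d in ips}

def is_fast_flux(p):
    # Many short-lived A records spread over unrelated networks.
    return (p["ips"] >= MIN_IPS and p["nets"] >= MIN_NETS
            and p["median_ttl"] <= MAX_MEDIAN_TTL)

def on_free_host(host):
    return any(host == s or host.endswith("." + s) for s in FREE_HOST_SUFFIXES)

def flag_front_ends(redirects, pdns):
    """Free-hosted pages that redirect to a domain with a fast-flux profile."""
    profiles = flux_profiles(pdns)
    return sorted((src, dst) for src, dst in redirects
                  if on_free_host(src) and dst in profiles
                  and is_fast_flux(profiles[dst]))

if __name__ == "__main__":
    for src, dst in flag_front_ends(REDIRECTS, PDNS):
        print(f"free-hosted front end {src} -> fast-flux domain {dst}")
```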
The SOC believes free hosting services are becoming popular with cybercriminals because these services give them unlimited free resources to launch their attacks and to protect their expensive fast-flux infrastructures.
In addition, cybercriminals are able to set up malicious sites on free hosting services much more easily than registering malicious sites with ISPs or registrars. Typically, cybercriminals would register their malicious sites using stolen credentials. With free hosting services, cybercriminals may now open accounts and set up their malicious sites by simply using email addresses created on free email services.
MarkMonitor’s SOC believes that this new development of free hosting combined with fast-flux, especially as seen this month, is a tell-tale sign that something on a larger scale may occur this summer. The emergence of free hosting front-ends to fast-flux botnets may indicate that cybercriminals have been beta-testing their new attack infrastructure in recent months before a general release in August, the historical high point of phishing each year. Stay tuned!