The free hosting-fast-flux combination is particularly interesting because it indicates cybercriminals have added another, front-end layer to their fraud infrastructure for greater stealth and resilience:
- Layer 2: Constantly changing compromised PCs that serve as proxy redirectors
- Layer 3: Phish or malware domains
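The layering above also gives defenders something to correlate. The following is an added example, not part of the original post: it flags redirect chains in which a page on a free hosting service forwards to a domain whose DNS answers churn the way fast-flux does. The provider suffix, the thresholds, the use of TTL as a signal, and all log records are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical free hosting provider suffix (assumption, not from the post).
FREE_HOST_SUFFIXES = (".freehost.example",)

# Constructed passive-DNS observations: (unix_ts, domain, answer_ip, ttl_seconds).
_FLUX_IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.44",
             "192.0.2.201", "198.51.100.90", "203.0.113.5"]
DNS_OBS = [(i * 300, "login-update.example", ip, 120)
           for i, ip in enumerate(_FLUX_IPS)]
DNS_OBS += [(0, "cdn.example", "198.51.100.10", 60),
            (900, "cdn.example", "198.51.100.11", 60)]

# Constructed web-proxy redirect records: (source_host, redirect_target_host).
REDIRECTS = [("promo123.freehost.example", "login-update.example"),
             ("blog.freehost.example", "cdn.example"),
             ("news.example", "login-update.example")]

def flux_domains(obs, window=3600, min_ips=5, max_ttl=300):
    """Domains answering with >= min_ips distinct IPs inside one sliding
    window while every answer in that window carries a short TTL."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in obs:
        by_domain[domain].append((ts, ip, ttl))
    flagged = set()
    for domain, rows in by_domain.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= window seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            distinct_ips = {ip for _, ip, _ in win}
            if len(distinct_ips) >= min_ips and max(t for _, _, t in win) <= max_ttl:
                flagged.add(domain)
                break
    return flagged

def layered_chains(redirects, obs):
    """Redirects whose source sits on free hosting and whose target is flux-like."""
    flux = flux_domains(obs)
    return sorted((src, dst) for src, dst in redirects
                  if src.endswith(FREE_HOST_SUFFIXES) and dst in flux)

if __name__ == "__main__":
    for src, dst in layered_chains(REDIRECTS, DNS_OBS):
        print(f"free-hosting front-end {src} -> flux-like domain {dst}")
```

A low-TTL, multi-address domain is not malicious on its own (content delivery networks look similar), which is why the sketch only reports it when a free-hosting page redirects to it.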
The SOC believes free hosting services are becoming popular with cybercriminals because these services give cybercriminals unlimited free resources to launch their attacks and to protect their expensive fast-flux infrastructures.
In addition, cybercriminals are able to set up malicious sites on free hosting services much more easily than registering malicious sites with ISPs or registrars. Typically, cybercriminals would register their malicious sites using stolen credentials. With free hosting services, cybercriminals may now open accounts and set up their malicious sites by simply using email addresses created on free email services.
MarkMonitor’s SOC believes that this new development of free hosting combined with fast-flux, especially as seen this month, is a tell-tale sign that something on a larger scale may occur this summer. The emergence of free hosting front-ends to fast-flux botnets may indicate that cybercriminals have been beta-testing their new attack infrastructure in recent months before a general release in August, the historical high point of phishing each year. Stay tuned …