Criminal Communication Infrastructure

Tuesday, July 20, 2010

Nathaniel Markowitz


This is the fourth part in series of articles derived from the a graduate research project entitled "A Preliminary Survey of the Bulletproof Hosting Landscape" (Part 1) (Part 2) (Part 3)

Authors: Nathaniel Markowitz, Jonathan Brown, Amanda Cummins, Erin Greathouse, Christopher Kanezo, David McIntire, Thomas Saly, Toby Taylor, Louis Ulrich, Desiree Williams

One of the central challenges for cyber-criminals is how to communicate with their customers while also maintaining their anonymity. There are three main types of communication utilized by Bulletproof Hosts (BPHs): advertising, introductory communication, and communication for transactions and customer support.

The primary means of advertising for BPHs seems to be posting in underground forums. Often, BPHs will begin a thread in a forum offering information about their services. These ads usually contain some sort of contact information, often falling into the category of introductory communication discussed below.

Moreover, while the information they provide varies from service to service, it frequently contains details on pricing or links to domains with pricing ranges. In some forums, there are areas dedicated to advertising hosting services.

Also, while banner ads on these forums mostly advertise other criminal services, it does not seem to have caught on for BPHs. One possible explanation is that, because BP hosting is a niche market, customers are more likely to seek out their services, obviating the need for a more visible market presence. Many of the forums that BPHs advertise in are, unsurprisingly, usually associated with other criminal activities.

Moreover, some of the larger BPH operations maintain their own websites. These domains serve many of the same basic functions as forum posts, but often contain more general information on their services and pricing. In almost every case, however, the domains did not explicitly advertise BP hosting.

The most common forms of introductory communication are email, private messaging7 (PM) on forums (out of thirty-two posts, five used PM exclusively), and various instant messaging (IM) services.

The most popular IM is ICQ (twenty-seven out of thirty-two), although Skype (eleven) and Jabber (six) are becoming more popular, likely due to their enhanced security features such as encryption of communication.

It is standard practice to use these introductory forms of communication to convey more personal contact information through which transactions are completed and customer support is offered.

In addition, some BPHs use web-based customer support systems to submit tickets. The technology underlying this system is usually an email address that automatically redirects the form to a specified location. This form of communication seems most predominantly used for communicating with existing customers.

Finally, there seem to be some trends in the evolution of advertising these services. For one thing, Russian webmasters may be shifting their focus to .cn TLDs. Jabber and Skype will likely continue to gain popularity, due to mounting suspicions that ICQ communications are increasingly monitored.

Private messages will remain popular largely due to their convenience. Advertisement may also expand more into banner ads, bringing BP hosting into the same vein as other criminal activities.

For more information:


We would like to thank the University of Pittsburgh, Graduate School of Public and International Affairs for providing the resources to make this research project possible. We would also like to thank Palantir Technologies for allowing us to use their software in our analysis. Finally, a very special thanks goes to Matt Ziemniak and Jim Beiber for their patience, help and guidance and for creating a research environment that was both enriching and enjoyable.


Possibly Related Articles:
Security Awareness
Enterprise Security Cyber Crime
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.