Cybercriminals Go Shopping At Hacked Server Stores


An underground market that lets just about anyone buy hacked servers to run their own attack campaign is being fed by automated toolkits and common techniques that target weak passwords, say security researchers.

Hacked servers are used in a variety of ways, often as a dumping ground for stolen data or as part of the command-and-control infrastructure used by cybercriminals in widespread attack campaigns. A store specializing in selling ready-to-use rooted servers has been profitable and has had about 400 customers since April, according to security researchers at San Mateo, Calif.-based AlienVault Labs.

"Their customers can buy an administrator (root) account in a hacked server, and then perpetrate criminal activities from it, distribute malware, install a botnet [command and control], upload illegal contents, send spam, etc.," wrote Alberto Ortega, a security researcher at AlienVault, in his analysis of the underground business.

The site, which is protected by San Francisco-based CloudFlare, had 13 hacked servers for sale at the time the AlienVault research team investigated it. It appears to have used a number of digital currency services to accept money for use of the servers, including Costa Rica-based Liberty Reserve, which was recently shut down, as well as e-currency payment systems Perfect Money and WebMoney.

To stock the store, cybercriminals first find Internet-facing servers. They point a variety of portable port scanners at Web hosting providers to hunt down poorly protected servers, Ortega said.

The attackers then run brute-force attacks against weak passwords protecting user accounts for Secure Shell (SSH), a common network protocol used for remote access. They also frequently target Parallels Plesk, a popular administrative control panel used to manage domains and website settings. Once a weak password is cracked, an automated tool helps the attacker gain access, Ortega said.

"They were not using sophisticated methods to achieve their goals," Ortega said. "This is a good example of what can happen to a server if it is not properly protected, or has a weak password."

Security experts say finding exposed servers is relatively easy because many of the servers targeted are poorly maintained, using vulnerable software and components. Craig Bartholomew, Parallels Plesk's vice president of shared hosting and control panels, told CRN in a recent interview that many people fail to pay attention to software updates issued by vendors. Installing additional software components often increases the chances of a vulnerability, Bartholomew said.

The hacked servers are extremely popular with financially motivated cybercriminals who conduct smash-and-grab-style credit card theft attacks against small and midsize businesses. Ortega said the hacked server store organization is tied to other campaigns, including sales of hacked PayPal accounts and stolen credit cards.

Administrators who manage Web servers should use stronger passwords and consider multifactor authentication. "Keep unnecessary services filtered," Ortega said. "And do not forget to monitor all communications on the network; this can help you to prevent attacks or study post-compromise forensics."
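As an added illustration of the monitoring Ortega recommends (example code written for this page, not AlienVault's or CRN's), the following Python script scans constructed sshd log lines for a burst of failed password logins from one source followed by a successful password login from the same source, the pattern a brute-forced weak SSH password leaves behind. The sample log lines, the year used for parsing, and the failure threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the article), in the default
# syslog format; the year is assumed to be 2013 for parsing.
SAMPLE_AUTH_LOG = """\
Jun 30 02:14:01 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 50211 ssh2
Jun 30 02:14:03 web1 sshd[2213]: Failed password for root from 198.51.100.23 port 50212 ssh2
Jun 30 02:14:05 web1 sshd[2215]: Failed password for invalid user admin from 198.51.100.23 port 50213 ssh2
Jun 30 02:14:07 web1 sshd[2217]: Failed password for root from 198.51.100.23 port 50214 ssh2
Jun 30 02:14:09 web1 sshd[2219]: Failed password for root from 198.51.100.23 port 50215 ssh2
Jun 30 02:14:11 web1 sshd[2221]: Accepted password for root from 198.51.100.23 port 50216 ssh2
Jun 30 02:20:00 web1 sshd[2300]: Failed password for alice from 203.0.113.7 port 41000 ssh2
Jun 30 02:20:30 web1 sshd[2302]: Accepted publickey for alice from 203.0.113.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log, year=2013):
    """Yield (timestamp, result, auth method, user, source IP) per sshd login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def detect_bruteforce(log, threshold=5, window_s=600):
    """Return {ip: info} for sources with >= threshold failed logins inside a
    window_s-second sliding window; 'compromised' becomes True when a later
    'Accepted password' from the same IP follows that burst."""
    fails = defaultdict(list)
    hits = {}
    for ts, result, method, user, ip in parse(log):
        if result == "Failed":
            fails[ip].append(ts)
            fails[ip] = [t for t in fails[ip] if (ts - t).total_seconds() <= window_s]
            if len(fails[ip]) >= threshold:
                hits.setdefault(ip, {"failures": 0, "compromised": False, "user": None})
                hits[ip]["failures"] = len(fails[ip])
        elif ip in hits and method == "password":
            hits[ip]["compromised"] = True  # password guessed after the burst
            hits[ip]["user"] = user
    return hits
```

Key-based logins (the `publickey` method) are deliberately not treated as a brute-force success, since a key cannot be guessed the way a weak password can.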

PUBLISHED JULY 1, 2013