Psst! Want to Buy A Server? $6 Please

The Russian security firm Kaspersky Labs reported last week that they had found a dark web marketplace selling access to servers – possibly yours and mine – for as little as $6 and as much as $6,000.

The key benefit of these servers is that they are not actually the hacker’s servers: if the hackers are able to use them in a way that forwards their illegal business, it is going to be hard to trace things back to them.  Obviously, if they access that server (to administer it) from their Comcast Internet connection in their living room, the odds of them getting caught go up.  A lot!

The web site, xDedic, brokers access to these hacked servers.  As of last week, Kaspersky had a list of around 70,000 servers that were available.

This week, a hundred thousand servers got added to that list, making the pool around 170,000.

In the grand scheme of things 170,000 servers is not that many, but xDedic is just one web site.

Interestingly, after the first list was released, Brazil and China were the top two countries for available servers.  After this new list came out this week, the top two countries are the U.S. and the U.K.  In some way, that makes sense, because there are a lot more servers here and the quality of the servers (in terms of performance and capacity) is likely better.

These servers are likely some of the ones used to promote male enhancement drugs and other spam, as well as to deliver malware.

From a business standpoint, if the volume of malicious content being served up by these servers is sufficient, it will gain the attention of groups like the Electronic Crimes Task Force run by the U.S. Secret Service and you may get a knock on the door from the men in black.

While there is some discussion on the ‘net about whether the second list – the one that added the 100,000 additional servers – is legit, no one seems to be arguing whether the first list of 70,000 servers is legit. And at least some news sources are now saying that second list is, in fact, real.

And, as servers are sold in this forum, their IP addresses come off the list, so the 70,000 or 170,000 number may represent only servers that have not been sold yet.  How many servers churn through that web site in a month is unclear.

When hackers use these servers, it is their goal that you can still use them as well.  That gives them cover, so the smart ones will work really hard to make sure that they don’t interrupt your work.  This means that your server could be on the list and you would not even know it.  Not something that any reputable business wants to happen.  How many web sites like this are selling hijacked access is also unknown.  Based on spam that I see, it is probably a large number.


Information for this post came from Computerworld.
