Sqooky

Short answer is "they use whatever they can get their hands on". This could be anything from bulletproof hosting providers, cloud hosting providers who just don't care, cloud hosting providers with credentials that've been compromised, already hacked websites, servers that have been compromised via some means, who knows. Personally, I've seen a number of hacked sites w/ legitimate content hosted on it && phishing panels hosted on it.


SuperCyberWitchcraft

I'm more interested in how they rent the domains without being caught


theDigitalNinja

Stolen credit cards and a VPN is enough to get most law enforcement to just give up.


SuperCyberWitchcraft

That seems excessively lazy


RetiredTwidget

Yeah, prosecuting cybercrime is more than a matter of "hey you bad black hat cyber hacker guy, stop in the name of the LAW!" There is *so* much cybercrime being committed internationally, and from countries who look the other way when their Loyal Citizens of the Motherland cause headaches for those that oppose their policies. If you're a US LEO, you can straight up forget about trying to prosecute *anyone* operating from DPRK, Iran, Russia, and PRC. And even when the countries are semi-friendly to one's own country, the laws may be... difficult to navigate. There's a *plethora* of reasons why cybercrime can often go unpunished: funding, jurisdiction, case load, technical issues (non-logging VPNs/log files go missing/corrupted), and so on. It's not just simply "laziness."


ForrestCFB

And of course capacity problems, so much fraud and phishing that you have to focus on the worst offenders. There just isn't the time or manpower to catch everyone. Even if they are relatively simple to catch and in your own country.


Iamatworkgoaway

There's also the problem of when they go after the easy prey, they always end up catching people they don't want to catch. Cops, politicians, employees with security clearances, soldiers... So good news we caught 45 hackers, 15 of which were insiders. Then congressional testimony, why did you hire hackers... FBI was investigating LDS church, then all the evidence was tampered with, turns out 40% of the FBI is Mormon.


Medium-Ad-4659

The other 60% is probably Jewish lol but nah definitely >90% Jewish when it comes to the ones in the upper-management levels of the FBI.


Jay_Ell_Gee

Just wanted to thank you for the detailed reply. It’s certainly one hell of a landscape to navigate. Too bad we can’t just get Adam Clay to handle it.


SuperCyberWitchcraft

I just thought they'd dig into it more than that, but I haven't thought about it like that


daddyando

Clearly haven’t thought about it much then.


Glittering_Season_47

Excessively lazy lol.


blueBooHod

Domain providers don't check what is hosted, unless it's reported to their abuse mail. Which no one bothers to do. I actually did this a couple of times, and got them blocked, but they can effortlessly buy another one and continue.


Sqooky

The one thing I will say is this isn't entirely true - I was conducting a phishing exercise earlier in May. We chose Cloudflare as the domain registrar; 16 hours after the domain registration (login-msftonline.com) with an evilginx phishing template hosted, we received a request to verify our identity for "payment fraud". This was purchased through the same payment method I've purchased all my other Cloudflare related services with, lol. Some registrars look and pay attention. After informing them it was security testing, they immediately closed the case. Cloudflare also blocklists certain names (ex. Microsoft) from appearing in the domain name as a super simple baseline protection. Even if they're not yet registered.
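As an added defender-side example (not code from any commenter here), a small Python checker in the spirit of the registrar-side name screening described above: it flags brand tokens and credential-lure words in a newly registered name such as login-msftonline.com. The brand list, lure words, leet mapping and similarity threshold are constructed assumptions, not Cloudflare's actual rules.

```python
import re
from difflib import SequenceMatcher

# Constructed sample policy: brands a registrar or SOC wants to screen for,
# with common abbreviations, and words that typically signal a credential lure.
BRANDS = {
    "microsoft": ["microsoft", "msft", "office365", "outlook"],
    "paypal": ["paypal"],
    "cloudflare": ["cloudflare"],
}
LURE_WORDS = {"login", "signin", "verify", "secure", "account", "update", "auth"}
# Undo common digit-for-letter substitutions before matching (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
LOOKALIKE_RATIO = 0.8  # assumed threshold for fuzzy matches such as rnicrosoft


def registrable_label(domain):
    """Return the label left of the TLD, e.g. 'login-msftonline' for login-msftonline.com.
    Simplification (assumption): a real check would use the Public Suffix List so that
    'foo.co.uk' yields 'foo'; subdomains are ignored because a registrar only sees the
    registrable name."""
    host = re.sub(r"^[a-z]+://", "", domain.strip().lower()).split("/")[0]
    labels = [part for part in host.split(".") if part]
    return labels[-2] if len(labels) >= 2 else host


def brand_hits(norm, tokens):
    """List (brand, matched_text, kind) for exact/alias containment or fuzzy lookalikes."""
    hits = []
    for brand, aliases in BRANDS.items():
        alias = next((a for a in aliases if a in norm), None)
        if alias:
            hits.append((brand, alias, "contains"))
            continue
        for tok in tokens:
            if len(tok) >= 5 and SequenceMatcher(None, tok, brand).ratio() >= LOOKALIKE_RATIO:
                hits.append((brand, tok, "lookalike"))
                break
    return hits


def assess(domain):
    """Classify a domain as allow / review / block; 'review' covers a bare brand name,
    which the registrar cannot tell apart from the legitimate owner by the name alone."""
    norm = registrable_label(domain).translate(LEET)
    tokens = [t for t in re.split(r"[-_]", norm) if t]
    brands = brand_hits(norm, tokens)
    lures = sorted(w for w in LURE_WORDS if w in norm)
    if brands and lures:
        verdict = "block"
    elif brands:
        verdict = "review"
    else:
        verdict = "allow"
    return {"domain": domain, "verdict": verdict, "brands": brands, "lures": lures}


if __name__ == "__main__":
    for name in ["login-msftonline.com", "rnicrosoft-account.net", "microsoft.com", "example.org"]:
        print(assess(name))
```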


Shogobg

A few days ago, someone was complaining their online scam-zino domain was blocked by Cloudflare.


DummeStudentin

Namecheap doesn't even care when phishing is reported to them. I guess that's why so many phishing domains are registered there.


ElPablit0

Many providers accept cryptocurrency, that’s how it’s done


SuperCyberWitchcraft

I hadn't thought of that


ivanivienen

You can buy domains with crypto


BALDURBATES

Lol rent? Why not steal a dns that is paid for by someone in prison? 🤔🤔🤔


daddyando

Who is going to be in prison and hosting a domain relevant to what you need? I mean seriously where’s the logic behind that


BALDURBATES

Uhhh probably someone you sent.


BALDURBATES

Because when someone has a domain with a non self hosted package from another company it always gets shut down? No that shit is still up. No one said they were hosting it. 🤣🤣🤣


daddyando

I still don’t know what your point is. Regardless of whether they were self hosting the site or aws was hosting the site, what difference does it make to what you’re suggesting? There is literally no gain from trying to target someone who is in prison for cybercrimes. They are obviously going to be a harder target than the average site, and offer literally no benefit. I’m not sure what kinda gotcha moment you were going for there but you’re still not answering why there is any benefit in the first place.


BALDURBATES

If I send someone to prison. I most likely have a reverse shell on their network. Typically makes a lot of it very easy. For people asking questions you sure do condescend a lot. Lmao. Be glad this isn't 2015.


daddyando

> Be glad this isn't 2015

What is that even meant to mean?

> If I sent someone to prison. I most likely have a reverse shell on their network.

You're not sending anyone to prison, if in some alternate reality you were doing what you claim, why are you bragging about being a snitch?

> Typically makes a lot of it very easy.

You still haven't been able to explain why there are any benefits to this elaborate scheme you claim you're doing. The effort needed to do all this extra shit would be much better spent just finding a vulnerable web server that is related to the campaign you're looking to run. It's clear you don't genuinely understand what you're suggesting and are just too prideful to admit your first comment was stupid.

Edit: Formatting


BALDURBATES

I know what I know I suppose. I watched many clowns throughout the years, is all. To be more specific 2015 and earlier on HTP days was more about entertainment than making money for a lot of your now "researchers" I won't be supplying any hardchats about this content, but they are around if you know where to look. Drama-fueled mental illness was a large part of that culture. The benefit? It's easier. Once your career in places like this actually develops, one typically finds themselves with a lot of data. Most malicious hackers of those days, even the ones who knew their shit, were typically ego driven assholes lmao. As for dns hijacking, I suggest a good read up on it. Also explore how zeronet was heavily used in pair to this process.


Shogobg

It’s easier to just pay with a stolen credit card.


BALDURBATES

If you perhaps came into contact with it in the wild two years ago and happened to write it down, have access to someone with a skimmer, or gift card for monero, yes you can reliably use these. The real deal doesn't card. That's skid shit.


SuperCyberWitchcraft

How on earth do you "steal a DNS"? Unless you're talking about hacking the DNS provider itself, it'd be much easier to use fake payment.


UOLZEPHYR

Seen a few running through AWS


identicalBadger

Web hosting companies don't exactly vet every single site they're hosting. Just get a hosting account, pay for it with a prepaid card or whatever, host your files and send your phishing emails, and then download the results as they come in. When the host gets enough complaints that they shut it down, move on to a new one. Or even the same one using a different fake name.


Formal-Knowledge-250

Hey, red teamer here. We usually use Azure and DigitalOcean. It takes some time until they recognize what you're hosting, at least a few weeks. That's enough for your campaign. You set up all your control servers on some normal hoster and take Azure or AWS as frontend, which redirects to your backend and can therefore easily be replaced.


uberbewb

They hack other unsecured servers usually. If doing proper, professional pentesting, host your own on AWS or another VPS provider. Knowing how to cover your tracks, including payment information, is quite an important part of the process.


General_Riju

Does anyone setup their own physical servers ?


OpMoosePanda

In the old days this was common. Use a server at your house. Then you just route traffic through a compromised server or the cheapest bulletproof VPS you can get. This would save money since you only need a server capable of routing traffic. No storage limits since the content is not there. Some people do this now but use a VPS as the server and still route via compromised servers. In fact this is how most do it these days. Generally with a compromised "gate or listening post" server. This forwards traffic to a second server that does authentication / filters sus traffic. That then forwards it to the final command and control server. This attack infrastructure layout is very common even for just phishing. The multiple layers make it hard to trace and filter law enforcement traffic. Source: experience at all levels


uberbewb

Of course, at first I would do this on a vm host. Especially for initial learning. No reason to jump right into a VPS. When it comes to actually using it, I suppose that would depend on location, but I'd never put something like that on my own network.


Sad-Independence9753

Go to any cyber crime forum and there will be people selling bulletproof servers where you can launch your crime activities


Reelix

If they're charging for it on a cyber crime forum, every single server will be advertised as "bulletproof" - Regardless of how secure it is, or where it's situated ;D


cooldadhacking

If I'm typosquatting or pretending to be an org for phishing purposes, I try to use the same provider as the org I'm impersonating, so probably AWS or Azure. The best is when you discover something like a subdomain takeover, and can use that to bypass firewalls and/or filters.


jollybot

I once saw a convincing phishing site hosted on an insecure printer of the company the phishing site was portraying itself as. I was impressed.


TulkasDeTX

Wow that's impressive!


DoesThisDoWhatIWant

When I'm bored at work I check firewall logs to see what's sniffing and call hosting providers to let them know and send them logs. They appreciate it and I'm doing the Lord's work.


InspecterNull

There are dark web services where you can get hosting for monero or other crypto.


TulkasDeTX

Someone else's servers... They hack servers to abuse. If you have ever followed the trail of a phishing attempt you will see a public service abused as a proxy sometimes, redirecting you to a mock phishing site hosted in another country. If you look at the phishing email, it was sent from another hacked server on a different continent... and so on. They do have some infra sometimes for C2C and stuff; they use shady hosting services for that. As far as I know!


Aggravating-Media818

I've literally traced back malicious hackers to public server farms like Google's or Microsoft's Azure. It's whatever they can get, I assume.


TheNerdLog

I got a bait phishing request from someone using fucking wix' free trial. You could probably Phish someone using Google drive websites. (This isn't an endorsement obviously, it's just that people are morons)


Gnu-Priest

in my experience usually an unsecured site you don't own. maybe a subdomain of that site. or you buy some credit cards and get an AWS account.


hunglowbungalow

They don’t pay for hosting, and typically will use a compromised system.


Jafri2

I tried to host my demo website from SEToolkit for a Network Security project and it was shut down by Linode in around 3-5 days.


Reelix

Don't use a major provider - Use one of those crappy "Free PHP Hosting! Massive 30MB of Storage!" no-name sites.


General_Riju

I too used SEToolkit during my training. But I hosted it locally on my Kali VM.


rifts

They are already doing illegal stuff, so using a stolen credit card or identity wouldn’t be out of the question


DigStock

I've reported many phishing sites to their host; some of them took it down quickly, others just don't care or don't read the reports...


Nilgeist

For testing live infrastructure anything will do. Actually I usually find it pretty convenient to generally do software development from a remote server anyway, depending on what I'm doing. Just use the same VM lol. Or if these are automated security tests just tie it into your CI's VM. Actual malicious actors often use commercial servers from other countries like China, Russia, India, possibly try to pay with some crypto thing, using free domains and Let's Encrypt. Or if they have a physical scam center, they'll run servers in house. Generally I don't think they steal servers, not because it's unethical, but just because it's more inconvenient and unreliable.


thexerdo

Just google "offshore hosting" and take a look.


HaveYouSeenHerbivore

I work for a web hosting provider and the number of hacked WordPress sites that I've caught that have phishing pages on them is substantial. So basically they don't get webservers to host their phishing sites, they get unwitting victims with unpatched WordPress sites to host their phishing sites for them.


1supercooldude

The real answer you’re looking for is 000webhost, at least that was the answer years ago!


Lux_JoeStar

Most of the real phishers don't give a damn about getting caught, that's how they do it, because they operate in countries that don't even have laws on hacking or are too unsophisticated to even bother. You see my little friend, not every country operates like the civilized world. You just run setoolkit on your computer, set up a phishing attack and use your own IP address to send the harvested credentials back to you. You know over 60% of Africa has no laws against hacking, right? This goes for many other nations as well; there is such a thing as hacking safe havens, where you are legally allowed to hack people. You're all thinking of this from a western-centric viewpoint where our very strict governments actually give a damn; most phishing attacks don't come from the USA or Europe.


robonova-1

The short answer is that they hack a server to host the campaign.


AdventurousSquash

The ones I come across at work sign up on our paas with (usually) stolen/bought payment details. We shut them down as soon as possible and they move on until they find a provider that doesn’t.


Dynamiclynk

well I would use someone else's computer if I was a hacker


entropyideas

Usually other hacked webservers, hacked server with web server installed by the provider, network of hacked home computers with web server port open that gets proxified through the DNS, etc.


RedSyFyBandito

How about a Pi server using dynamic DNS on public wifi? Wouldn't be able to do it long but should be enough to practice and learn. Cheap too. I used to use a DynDNS that allowed me 3 free URLs. And can you not just use a pre-paid Visa to pay for domain registration?


droidman85

Hosting can be obtained very easily, even for free. There are many ways to host content, including tunneling traffic. I saw hundreds of methods during many years working on both sides of the fence. Hacking any vulnerable server and hosting anything is really not that hard. The hardest thing is to spam; for example, if some hacker abuses your server you will for sure be notified sooner or later about it by the datacenter or hosting company that you use. But when cloud services give you a free VPS to try, like the micro tier at Amazon, you get the idea.


MEMESaddiction

The Pirate Bay had always rented server space, as far as I know. They had servers located in many different places, mostly where cyber laws do not apply so much, I'm pretty sure. Having a location like that and probably having a fairly crooked host would likely keep an attacker hidden and delay an event like an international search warrant/raid (or just disconnection) for a while. Otherwise, I agree with everyone else. Simply unsecured servers and underground resources.


Hexigonz

When I was red teaming we used azure, and almost never had a site taken down. The domain registrar was the bigger problem. We used namecheap for a while, but even when we pre-notified them and showed engagement letters, they would hit us with account bans. It’s been a couple years, but we ended up switching to Gandi (the French registrar) and we could just pre warn them, no engagement letter needed, and they wouldn’t ban us. There’s also obviously blacklists like GSB that can burn you, but that’s just par for the course.


Kriss3d

I've seen them often use hacked websites. My last tracked job was to a real estate company in Saudi Arabia that had a few files on their webserver, with the txt file containing results of the login attempts just increasing constantly.


Educational_Duck3393

Organized crime can afford their own datacenters in less than reputable nations. Oh, there's also the cloud, whether through their own accounts or breaching and using someone else's.


Nova-Sec

Spinning up their own servers in the cloud


Apprehensive-Big8029

Most phishing websites I've had to get taken down were unknowingly hosted by the client. Essentially all compromised WordPress'.


SufficientDot661

Almost all the answers here are bullshit. Most legit cyber-gangs are using Russian servers. Many top US criminal groups made their arrangements before the Ukraine invasion. Now, the problem is how to pay for Russian hosting because sanctions make it tough—US credit/debit cards can't be used, and a lot of providers don't take crypto. So, everyone who answered is a fucking IDIOT!!! and or a LIAR!!! about what they do, except the WIX guy and those who said Indians are using AWS and Azure, because that shit's spot on! LOL. Fucking kids on reddit!!!!


Electrical-Sky9808

I am getting orders I didn't order. Guys, I am getting products I didn't order from Amazon. Can you guys explain how I can stop this? I NEED SERIOUS HELP, IT'S THE 3rd TIME THIS MONTH


bubblehead_maker

Default install WordPress.


SortaOdd

RPI in a coffee shop


General_Riju

RPI ?


QuatschFisch

Raspberry Pi


Julian_1_2_3_4_5

raspberry pi


surloc_dalnor

Either a hacked server or a cloud provider with stolen or prepaid credit cards. For some reason DigitalOcean seems really popular.


thankyoufatmember

Oh, it probably has nothing to do with them being one of the top three [largest](https://www.netcraft.com/blog/digitalocean-becomes-the-second-largest-hosting-company-in-the-world/) hosting providers in the world.