To understand how the criminal underground operates, one needs to understand not only the criminals, their motivations, and their business models, but also the infrastructure and services that underpin everything they do. All online businesses need stable and reliable infrastructure to thrive, and it’s no different for cybercrime. Online bookshops need to take care of shop inventory, advertising, go-to-market strategies, customer retention, and more; without a stable hosting infrastructure as a base, all other areas of the business are ineffective. The same goes for cybercriminal businesses.
The Underground Hosting series aims to offer a comprehensive look into the infrastructure behind cybercrime today and serve as a guide for those who are interested in it, investigating it, or involved in the daily battle to defend against such activities. The first part of the series detailed how the underground market for criminal infrastructure operates, and covered the methods and platforms used to buy and sell such services.1 This research paper, which is the second part of the series, explains the technical details of cybercriminal operations, as well as the main services and methods they use. It reveals the creativity that cybercriminals exhibit when building and organizing their infrastructures. The paper also details some of the common patterns we observed through the years, as well as some interesting “rare” cases we found during this research.