This article is more than 1 year old
Who needs foreign servers? Researchers say the USA is doing a fine job of harboring its own crimeware flingers
Domestic hosts and servers are being used for major attacks, finds Bromium
A collection of servers found in the US are responsible for some of the nation's biggest malware and phishing attacks.
This according to a report from security company Bromium, which said just over a dozen servers are being used to spread 10 of the major malware and phishing campaigns spreading around the internet at the moment, including the infamous Dridex and GandCrab attacks.
The findings, said Bromium, should shatter the notion that malware operations are mainly foreign based and operating well outside the reach of US law enforcement. Rather, the friendly hosts that enable these campaigns are operating in our own backyard.
"It was interesting to us that the hosting infrastructure is located in the United States and not in a jurisdiction that is known to be uncooperative with law enforcement," Bromium said.
"One possible reason for choosing a US hosting provider is so that the HTTP connections to download the malware from the web servers are more likely to succeed inside organisations that block traffic to and from countries that fall outside of their typical profile of network traffic."
Both the Dridex and GandCrab infections have been spreading for years and have proven themselves to be extremely effective at their respective jobs. Dridex spreads itself as a trojan through email attachments, looking to log and transmit banking credentials.
GandCrab, meanwhile, operates as ransomware and is notable for the massive payout demands that are estimated to have yielded its controllers hundreds of millions of dollars from victims.
Bromium said it has reason to believe both operations are a domestic effort, created by criminals in the US for the express purpose of infecting Americans and other English-speaking targets.
What's more, those two attacks appear to be merely the tip of the iceberg. Within the network of servers and hosts used for Dridex and GandCrab, Bromium found eight other malware attacks also spreading through spam and phishing emails.
Working in combination, Bromium noted, the servers and hosts operate as a sort of distribution center, allowing various attacks and phishing campaigns to intertwine and support one another.
"We identified several cases where multiple malware families were hosted on the same server," the security house said. "In some cases, two malware families were used in conjunction with each other, where one would act as a dropper for the other." ®
Biting the hand that feeds IT
