Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appear legitimate while shielding the illegal activity they host from disruption amid abuse complaints and takedown requests. Providers often foster relationships with authorities in countries prone to corruption or otherwise unconcerned with certain types of illicit activity.
TrendMicro summarized BPH in a great graph covering three different types of BPH providers: those using stolen/compromised assets, those with a short-term lease, and providers leveraging their own data center/co-location.
In this first post in a new series of articles, we'll focus on bulletproof hosting providers with more established infrastructure, including Media Land LLC, one of the most infamous providers in the threat landscape. Our analysis of this infrastructure surfaced thousands of domains linked to threat campaigns of all kinds, showing the ubiquity, and utility, of bulletproof hosting providers.
Meet Media Land
Many bulletproof hosting providers advertise their services in underground forums. This initial research into bulletproof hosting providers relies on open source listings, such as Intel471's recent reporting on bulletproof hosting and RiskIQ research done by RiskIQ. Intel471's report cites the actor behind Media Land, Yalishanda, as "the preeminent BPH provider for cybercriminals since 2015.”
In mid-January 2021, RiskIQ reported on domains registered using email addresses associated with Media Land LLC, many of which we tied to Magecart and other malicious activities.
Media Land is a Hub With Many Threat-related Spokes
Media Land LLC, a prolific provider of services for bulletproof hosting, malicious domain registrations, and other services needed by actors to carry out their criminal activities, has become a powerhouse in the cybercriminal underworld. The service is headed by Ukrainian Alexander Alexandrovich Volosovik, aka 'Yalishanda,' who, in July 2019, Brian Krebs cited as one of the most prolific bulletproof hosters in the world.
RiskIQ has observed a considerable portion of Media Land domains used in malicious activity such as phishing, spoofing large organizations, fake products and services scams, porn-related scams, bitcoin mining, and Magecart digital credit card skimming.
RiskIQ found that Media Land is associated with two Autonomous Systems (AS), one with no IP blocks currently assigned to it, and the other with six.
The domains we analyzed fell into two groups. Some were registered with Media Land-associated contacts (names, emails, and organizations listed in the WHOIS information belonging to the AS with no IPs. The others resolved to IPs associated with the second AS. Other actors likely created these. You can explore these autonomous systems and all IPs and other indicators related to Media Land in the Threat Intelligence Article here.
Suspicious Domains Registered by Media Land
The email address alex.kitai@gmail[.]com, found in Media Land's WHOIS information, was used to register 400 domains. In those domain registrations, WHOIS details listed the individuals 'Aleksandr Volosovik' and 'Alex Wells.'
Our researchers then reviewed these domains in RiskIQ data, finding 140 of them appearing in our blocklists. Threat actors used them to target three mobile operators, eight financial institutions, one social media organization, and two government agencies. Our analysis revealed attempts at spoofing many of these same or similar organizations, including login pages of well-known banks.
You can explore all IOCs related to Aleksandr Volosovik and Alex wells in our writeup in the Threat Intelligence Portal here.
Suspicious Domains Resolving to Media Land IP Addresses
Since the IP Blocks associated with the Media Land AS first appeared, more than 5,700 domains and subdomains have resolved to at least one of its IPs. These domains were also used to target mobile operators, financial institutions, social media organizations, and government agencies with phishing, fake scams, porn-related scams, bitcoin mining, spoofing organizations, and Magecart.
In all, more than 1,700 of these domains appeared on our blocklists. RiskIQ also observed 102 domains being used for domain name service (DNS).
Connections to Previously Published RiskIQ Research
We previously wrote about malicious domain registrations connected to two email addresses referencing Media Land. Most of the domains registered by the two emails were hosted on Alibaba’s IP space for varying periods. As bulletproof hosting providers host a considerable portion of skimming and other threat campaigns, the Alibaba IP space has become popular across the cyber threat landscape.
Some of these domains also appeared on IPs belonging to Media Land. We suspected that these email addresses were part of a bulletproof hosting or registration scheme that may have been mimicking the Media Land service. Following our analysis for this article, we now believe that these emails are directly related to Media Land and Alexander Volosovik.
Some WHOIS records on which the above email addresses appeared also listed the organization Media Lend, LLC. During our previous investigation, we suspected that the use of Lend instead of Land in the org name might have signaled that this was a copycat domain registration service. However, we found that another org name using the Lend variation has been used to register domains that are demonstrably connected to Volosovik. "Media Lend" Co., LLC was used to register eight domains over several years. In fact, one of these domains is still active and hosts a website for an apparent charity called the Hestia Foundation. The foundation's homepage links to Media Land's main website.
Based on the similarity in organization names, the direct connection to an entity founded by Volosovik, and connections to Media Land hosting infrastructure uncovered in our previous article, we believe that the numerous malicious domain registrations connected to email addresses associated with Magecart infrastructure are attributable to Volosovik's Media Land service.
Uncover Threats Related to Bulletproof Hosting
This is an initial introduction to Bulletproof hosting reporting by RiskIQ.
Future reports will profile new hosting or registration providers that we identify from our research or via open-source reporting. Forthcoming research will take a deeper look at Volosovik's connections to malicious domains seen on Alibaba and other hosting providers, which we and others have documented in several prior articles and which we reference in the Threat Intelligence Portal.
Tracking and uncovering threat infrastructure is a critical capability in protecting your organization from this top web-based threat. Be sure to check in on RiskIQ's Threat Intelligence portal as we continue to track bulletproof hosting activity and infrastructure and publish the intelligence that can help you defend your organization. For the full report and complete analysis, including IOCs, visit the intelligence card here.