A seller on a popular cybercrime forum appears to be offering up source code and a database they say belong to DDoS-Guard, the Russia-based hosting and DDoS-protection provider that helped right-leaning social media company Parler get back online after Amazon Web Services banished it.
Parler billed itself as an alternative to Twitter after that social media firm cracked down on alt-right misinformation and disinformation, but found itself shunned by AWS and others after complaints that its safeguards against hate speech and calls for violence were inadequate in the wake of the Jan. 6 insurrection.
Security vendor Group-IB, which noticed the listing, said that while DDoS-Guard offers hosting services and protection against distributed denial-of-service attacks, it also has been labeled a “bulletproof hosting” provider — one that’s lenient toward cybercriminals and other shady operators.
The seller listed the DDoS-Guard database and source code for $350,000 on exploit.in, a long-running forum used mainly by Russian-speaking scammers that birthed the career of Andrey Turchin, a.k.a. “fxmsp,” who now stands charged with hacking-related crimes in the U.S.
“If the data is legitimate, the threat actors can potentially use it in a number of ways: from mass spamming and follow-up targeted phishing attacks,” said Oleg Dyorov, threat intelligence analyst at Group-IB, which first shared the listing with CyberScoop. He also said it could be used to carry out ransomware attacks.
There are indeed reasons to doubt the data is legitimate. The seller didn’t provide a sample, has almost no track record on the site and once endured a ban for refusing to use the exploit.in escrow service, Group-IB said.
But, if the information is real, it would amount to another instance of a company accused of aiding cybercriminals finding itself on the receiving end of cybercrime.
Other DDoS-Guard clients include an internet service provider that serves Russian intelligence, and at the time DDoS-Guard began working with Parler, the social media platform was apparently the only American website using its services.
“Whenever we establish a connection with this company, it immediately reflects a red flag. We’ve seen a number of rogue websites hosted by DDoS-Guard,” said Reza Rafati, a senior analyst at Group-IB’s Computer Emergency Response Team in Amsterdam.
“They were almost impossible to take down,” Rafati went on. “Their answer to our numerous complaints on them protecting illegal resources is that they are not the owners of these websites. Such a safe environment for illicit online activity doesn’t do any good for the global effort against cybercrime.”
Adrianus Warmenhoven, chief information security officer at Dutch cybersecurity firm Tesorion, said DDoS-Guard resembles other bulletproof hosting companies that are adept at staying “just at the edges of the law.”
The seller originally listed the price at $500,000, but swiftly reduced it to $350,000 after apparently realizing it was too steep a demand, said Dyorov.
“We are aware that malefactors are trying to sell a certain database,” said a spokesperson for the company, Ruvim Shamilov. “Our company has not experienced any data leaks. It is not the first time they threaten us, try to sell non-existent data, and make a profit on our company’s name.”
Updated, 6/3/21: Included a statement from DDoS-Guard.