Pssst! Hey, kids, wanna buy a remote desktop protocol server, cheap? I guess I should say “Вы хотите купить сервер?”
Security researchers from Kaspersky Lab say they have found a global forum, run by a Russian-speaking group, where hackers could buy access to compromised servers for as little as $6 (£4.25) per server.
The forum, called xDedic, currently lists more than 70,000 of these servers for sale. Many provide access to “popular consumer websites and services”, the researchers say, and some even have protocols installed for direct mail, financial accounting and point-of-sale (PoS) processing.
These servers could be used as launching pads for serious cyber-attacks, Kaspersky Lab says, and the servers’ real owners have “little or no idea what’s happening”. The worst thing is, government entities are among the owners.
The process of obtaining these servers seems to be fairly straightforward, researchers say. Hackers first break into them, usually through brute-force attacks, and then sell the credentials on the market. “The hacked servers are then checked for their RDP configuration, memory, software, browsing history and more — all features that customers can search through before buying”, the researchers say in a report.
They also say xDedic is a powerful example of a new kind of cyber-marketplace, one which is well organized and supported. Everyone, from newbies to veterans in the hacking game, can find something for themselves there.
“The ultimate victims are not just the consumers or organizations targeted in an attack, but also the unsuspecting owners of the servers. Additionally, the legitimate owners are likely to be completely unaware that their servers are being hijacked again and again for different attacks, all conducted right under their nose”, says Costin Raiu, director, Global Research and Analysis Team, Kaspersky Lab.