Hackers are getting into anything they can get their hands on this days. One area where there is a viable market is that of servers. This was evidenced by the revelation last week by researchers that there was an underground dark web market which was providing stolen servers. Evidence from the research showed that hackers had managed to break into thousands of servers, and they had managed to sell 170,000 of the compromised servers since 2014. From the figures shown, a third of the servers sold were located in the United States.
The research which was undertaken by security researchers at Kaspersky Lab showed that there was a black market on the dark web called xDedic which was selling remote access to at least 70,000 of servers that had been compromised. Prospective buyers could gain access to a server for a paltry $6.
After the revelation of the reports, one user under the name AngryBirds decided to share around a few of the Pastebin lists of IP addresses and also put dates which apparently showed the hacked servers which had been sold on the black market, xDedic since October 2014. The combined lists of the addresses and dates had on them 176,000 unique IP addresses. This was a massive 100,000 more than what the Kaspersky security researchers had managed to gather in their investigation on the black market website. Validation of the lists was even harder because the xDedic black market only advertises the first two octets of a server’s IP address, such as 111.111.*.*.
The researchers, fortunately, managed to find correlations which helped them to show that the database that had been exposed by AngryBirds, was nothing than a copy from xDedic but was also real. They discovered that the list had been copied in February this year, and it was done by someone who had had access to the IP addresses.
The difference between the number of IP addresses which were collected by the researchers and that of the anonymous user can be explained by the fact the black market, xDedic had only shown those IP addresses which had not yet been sold when the researchers had gotten to it.
After analyzing the new list geographically, it seems the affected countries picture is changed. In the previous data supplied by Kaspersky, China and Brazil occupied the first place, but with the new list, they relinquish their positions. The list took into account the hacked server IP addresses locations. The first and second position are now held by the US and the UK respectively. The US has over 60,000 hacked servers, and the UK has over 9,000 hacked servers.
Servers from the US and Western Europe are seen as more lucrative and valuable and therefore it makes sense that they sold faster. The priciest of the servers on the underground market were from the US, and they ranged from $1,500 to $6,000 in prices.
The question is why these particular servers were expensive, but the researchers noted that the servers indicated were for tax reporting, accounting, the point of sale software. This is probably because of the many opportunities they give to cyber criminals.
The new list also makes it possible for companies and organizations to check if they were affected in the past or present. On the other hand, because it is now public, the information can also be used by hackers to exploit it before network operators and administrators act on it.