{ "Event": { "analysis": "1", "date": "2026-04-20", "extends_uuid": "", "info": "[Threat Intel] Inside the Bulletproof Hosting Network Behind 16,000+ Fake Shops", "protected": false, "publish_timestamp": "1779545713", "published": true, "threat_level_id": "3", "timestamp": "1779545713", "uuid": "7c50289a-7763-40e0-a9f5-020afe32acd6", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#3000b9", "local": false, "name": "rectifyq:workflow=\"enrichment\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#6b5184", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"IP Addresses - T1590.005\"", "relationship_type": "" }, { "colour": "#ed66f6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Vulnerabilities - T1588.006\"", "relationship_type": "" }, { "colour": "#c202a1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"", "relationship_type": "" }, { "colour": "#db2044", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1598.003\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Upload Malware - T1608.001\"", "relationship_type": "" }, { "colour": "#7f093a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Business Relationships - T1591.002\"", "relationship_type": "" }, { "colour": "#91649a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"", "relationship_type": "" }, { "colour": "#76434a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Link Target - T1608.005\"", "relationship_type": "" }, { "colour": "#4a5d84", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Services - T1583.006\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Drive-by Compromise - T1189\"", "relationship_type": "" }, { "colour": "#ad3992", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Server - T1584.004\"", "relationship_type": "" }, { "colour": "#c60dc9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing via Service - T1566.003\"", "relationship_type": "" }, { "colour": "#dedf36", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1584.001\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120046", "local": false, "name": "rectifyq:sub-category=\"infra-profile\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": false, "type": "link", "uuid": "09cc6e6b-68e4-487c-9d90-9ccddf9766bc", "value": "https://www.netcraft.com/blog/fibergrid-inside-the-bulletproof-host", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": false, "type": "text", "uuid": "2dec074c-617b-43f6-9c6e-df29bed9de4a", "value": "Fibergrid has operated as a bulletproof hosting provider for nearly a decade, currently hosting 16,700 active fraudulent e-commerce sites. The network exploits stolen African IPv4 address space worth $20-25 million, originally acquired through improper AFRINIC registrations. Despite claiming Seychelles-based operations, multilateration analysis reveals infrastructure concentrated in the United States, United Kingdom, Netherlands, Canada, and other Western countries, primarily within Equinix data centers. Fibergrid operates through a complex web of UK and Estonian shell companies using multiple autonomous systems to evade detection and enforcement. Fake shops constitute 70% of malicious activity on this infrastructure, targeting consumers through search engines and social media with counterfeit goods and payment fraud schemes. Disruption opportunities exist through upstream provider intervention, regional internet registry action, domain-level takedowns, and indicator sharing with security providers." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": false, "type": "text", "uuid": "cf793039-9e69-4d42-b6ea-e4d030fc0171", "value": "Name: Inside the Bulletproof Hosting Network Behind 16,000+ Fake Shops\nAuthor: AlienVault\nAdversary: \nTags: [\"fibergrid\", \"e-commerce fraud\", \"bulletproof hosting\", \"shell companies\", \"stolen ip addresses\", \"autonomous systems\", \"counterfeit goods\", \"fake shops\", \"afrinic\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1590.005\", \"T1539\", \"T1204.002\", \"T1588.006\", \"T1566.002\", \"T1598.003\", \"T1608.001\", \"T1591.002\", \"T1583.003\", \"T1608.005\", \"T1583.006\", \"T1189\", \"T1584.004\", \"T1566.003\", \"T1584.001\"]\nIndustries: [\"Retail\"]" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": true, "type": "domain", "uuid": "d99b29cb-5806-496f-9a89-68c3427d0914", "value": "air-upsuomi.fi" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": true, "type": "domain", "uuid": "0600d8b0-094e-4a75-ab63-a96746c80444", "value": "airupfranceshop.fr" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": true, "type": "domain", "uuid": "02bda736-ce8d-485b-9987-04c5a24503ae", "value": "airuppullosuomi.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": true, "type": "domain", "uuid": "8308a6f7-8696-4195-bb62-b3a18d40474c", "value": "airupsweden.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": true, "type": "domain", "uuid": "10f7ea73-0d77-4f24-a990-5134000e204b", "value": "bratziezpuertorico.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": true, "type": "domain", "uuid": "84c428ca-c8e1-4089-9513-95918b839f31", "value": "pinkpalmpuffnetherland.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": true, "type": "domain", "uuid": "a21ec11a-cc86-43ab-b864-02d0091ec184", "value": "timberlandsromania.cc" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": true, "type": "domain", "uuid": "ba06f209-c66a-437f-b8fa-d1df3cee96e2", "value": "ultimateearsindia.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777345209", "to_ids": true, "type": "domain", "uuid": "cca6440d-5466-48e1-bbda-1b17fb15a9f4", "value": "zapatilasbrookar.com" } ] } }