The News: Infoblox claims to have uncovered a Chinese cybercrime organization called “Vigorish Viper.” The group is accused of facilitating a $1.7 trillion illegal global sports gambling market through technology solutions, including using sponsorships with European football clubs to advertise illegal gambling sites in Southeast Asia, and having links to human trafficking operations in Southeast Asia, according to Infoblox. Additional details are available in Infoblox’s press release.
Infoblox Uncovers Web of Chinese Cybercrime
Analyst Take: Using its ability to collect, analyze, and interpret Domain Name System (DNS) activity, Infoblox claims to have uncovered a vast Chinese cybercrime syndicate called “Vigorish Viper.”
The Vigorish Viper operation is multi-layered, and its implications are concerning, to say the least. It has used a sophisticated web of software development, website hosting, DNS configurations, payment systems, and mobile applications, to exploit a $1.7 trillion illegal global sports gambling market that involved leveraging sponsorships with European football clubs to advertise illegal gambling sites in Southeast Asia.
Vigorish Viper functions as a one-stop shop that enables other cybercriminals to easily launch and operate illegal gambling platforms. While the financial implications are staggering, Infoblox suggests links between Vigorish Viper and human-trafficking operations in Southeast Asia, increasing urgency to dismantling this syndicate.
Vigorish Viper had been avoiding detection by operating an expansive network of more than 170,000 active domain names, a sophisticated DNS CNAME (Canonical Name records) traffic distribution system, encrypted communications, and proprietary applications.
Infoblox used its DNS threat intelligence capabilities that led to the discovery and exposure of how Vigorish Viper operates. Infoblox has long-standing and extensive expertise in DNS protocols and behaviors, which when combined with its analytics and machine learning (ML) capabilities facilitates actionable insights into DNS traffic patterns, query volumes, and resolution times that could indicate potential threats and malicious activities. In other words, not only does it actively search for known indicators of compromise (IOCs), but also analyzes user activity for anomalous patterns. This is important because DNS activity is challenging to interpret, due to the vast amount of data that needs to be analyzed, as well as its complexity – not only is DNS data often unstructured, but it includes various types of information including domain names, IP addresses, query times, and error codes. This is all not to mention the dynamic, constantly changing nature of DNS activity and data. As another value-add, because Infoblox is a DNS infrastructure provider, its threat intelligence solution integrates closely with existing DNS systems.
In sum, Infoblox’s detection of Vigorish Viper activity reflects the importance of marrying expertise in specific areas such as DNS activity, with increasingly advanced threat hunting, detection of IoCs, and analysis of user behavior. This comprehensive approach is required to uncover the complex threats that continue to emerge. DNS threat intelligence is particularly useful because cybercriminals are increasingly registering malicious domains to host malware, phishing sites, or command-and-control (C&C) servers. They are also using DNS to exfiltrate data, bypassing traditional security controls. At the same time, attacks are increasingly sophisticated, and the shift to cloud environments and microservices architectures generates more DNS traffic, making it challenging to manually analyze and identify threats while increasing the complexity of attack surfaces.
Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.
Other Insights from The Futurum Group:
Threat Intelligence – 24/7 at Infoblox with Dr. Renée Burton – Six Five in the Booth
Infoblox’s Chief Product Officer Offers His Vision of the Future – Six Five in the Booth
Infoblox Combines DNS Networking and Security
Author Information
With a focus on data security, protection, and management, Krista has a particular focus on how these strategies play out in multi-cloud environments. She brings approximately 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
Prior to joining The Futurum Group, Krista led the data protection practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.