Fugitif
13.10.2007, 20:52
Today's Washington Post carries my story about the Russian Business Network, an entity based in St. Petersburg that provides Web hosting services that cater exclusively to cyber criminals. From the story:
"The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of 'phishing' -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites."
I thought it might be useful to name the companies that provide RBN's direct upstream Internet connectivity, as well as a few major Internet providers that provide services to RBN, including Tiscali.uk, SBT Telecom, Aki Mon Telecom and Nevacon LTD. The graph at the right is not an exhaustive look at all of the companies providing networking services to RBN, and it does not imply that the network providers listed are aware of or condone any illegal activity by RBN or RBN's customers.
It is tough to find a serious cyber-crime attack over the past two to three years that did not involve RBN Internet addresses to some degree. Going back as far as 2004 -- when RBN was known variously as "TooCoin Software" and "ValueDot" -- the network has offered an affiliate program called "iFramecash," wherein Web site administrators are paid a small sum for each visitor they silently refer to RBN's network. The visitor's machine is then peppered with Trojan horse programs that try to install password-stealing programs. In the past year-and-a-half or so, the main affiliates of that program simply started hacking into legitimate Web sites and placing the redirect code there.
In late 2005, security experts saw evidence that hacker gangs were taking advantage of a previously unknown security flaw in Microsoft's Internet Explorer browser to install keystroke-logging software on computers when users visited one of thousands of legitimate Web sites that had been hacked. In that attack, a large number of the sites set up by criminals to receive the keylogged data or serve up the exploit code resided on RBN's network.
Fast-forward to the fall of 2006, and security experts saw RBN sites implicated in an attack against HostGator, a large Web hosting provider in Florida. The attackers in that case had broken into thousands of Web sites using an undocumented security hole in "Cpanel," the software HostGator and hundreds of other hosting firms rely upon to host their sites.
Around that same time, RBN servers were heavily involved in exploiting yet another undocumented IE security hole to compromise an untold number of Web sites and Windows computers.
In May 2007, Security Fix reported that a large percentage of the sites belonging to IPOWER Inc., one of the Web's biggest inexpensive Web site hosting firms, had been hijacked with code that silently redirected visitors to malicious RBN sites.
Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers at RBN, including such notable pieces of malware as Gozi, Grab, Haxdoor, Metaphisher, Mpack, Ordergun, Pinch, Rustock, Snatch, Torpig, and URsnif. The price for these malware products often includes software support, and usually some virus writers guarantee that the custom version created for the buyer will evade detection by anti-virus products for some period of time.
MORE Info and COMMENTS
http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html
always the best :)