
20.05.2009, 20:41
Fake Russian Gas Company Facilitating Cybercrime
GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime
Independent Security Consultant Dancho Danchev reports that Russian cybercriminals are using a fake gas transit company in order to hide a provider hosting a wide array of illegal online activities. Based in Sankt Petersburg and called GazTranzitStroyInfo LLC, the provider has strong ties with two other well-known cybercrime hubs.
"It is somehow weird to what lengths would certain cybercriminals go to create a feeling of legitimacy of their enterprise," notes Mr. Danchev, according to whom redirectors to live exploits, Zeus config files and scareware hosted on this Autonomous System (AS) are being distributed through black-hat SEO techniques and website compromises.
"The recent peak of fake codecs (for instance [...] softwarefortubeview.40018.exe) puts the spotlight on GazTranzitStroyInfo [identified as AS29371] and its connections with another rogue hosting provider in the face of AS48841, EUROHOST-AS Eurohost LLC, which was providing hosting infrastructure to the scareware domains part of Conficker's Scareware Monetization strategy, and continues to do so for a great deal of exploits/malware serving domains," the researcher explains.
An example of this connection is the video-info .info fake codec campaign, hosted by GazTranzitStroyInfo (AS29371), which actually downloads the malicious file from kir-fileplanet .com, hosted at EUROHOST-NET (AS48841). But, according to Danchev, the cybercriminal infrastructure does not stop here. Instead, it converges over at yet another rogue hosting provider, NETELLIGENT Hosting Services Inc. (AS10929).
More info:
http://ddanchev.blogspot.com/2009/05...ssian-gas.html