A Russian business that provides web sites for criminals?
Shadowy Russian Firm Seen as Conduit for Cybercrime
By Brian Krebs
washingtonpost.com Staff Writer
Saturday, October 13, 2007; Page A15
An Internet business based in St. Petersburg has become a world hub for Web sites devoted to child pornography, spamming and identity theft, according to computer security experts. They say Russian authorities have provided little help in efforts to shut down the company.
The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say.
Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of "phishing" -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites.
One group of phishers, known as the Rock Group, used the company's network to steal about $150 million from bank accounts last year, according to a report by VeriSign of Mountain View, Calif., one of the world's largest Internet security firms.
In another recent report, the Cupertino, Calif.-based security firm Symantec said that the Russian Business Network is responsible for hosting Web sites that carry out a major portion of the world's cybercrime and profiteering.
The company "is literally a shelter for all illegal activities, be it child pornography, online scams, piracy or other illicit operations," Symantec analysts wrote in a report. "It is alleged that this organized cyber crime syndicate has strong links with the Russian criminal underground as well as the government, probably accomplished by bribing officials."
The Russian Business Network did not respond to requests for comment e-mailed to an address listed on its Internet address records. Other efforts to communicate with its organizers through third parties were not successful.
Law enforcement agencies say these kinds of Internet companies are able to thrive in countries where the rule of law is poorly established. "It is clear that organized cybercrime has taken root in countries that don't have response mechanisms, laws, infrastructure and investigative support set up to respond to the threat quickly," said Ronald K. Noble, secretary general of Interpol, an organization that facilitates transnational law enforcement cooperation. He declined to discuss the Russian Business Network specifically.
The company isn't a mainstream Internet service provider, as Comcast and Verizon are. Rather, it specializes in offering Web sites that will remain reachable on the Internet regardless of efforts to shut them down by law enforcement officials -- so-called bulletproof hosting.
Though there are thousands of Web sites that bear the Russian Business Network name on registration records, the company is unchartered and has no legal identity, computer security firms say.
The network has no official Web site of its own; those who want to buy its services must contact its operators via instant-messaging services or obscure, Russian-language online forums, said Don Jackson, a researcher at Atlanta-based SecureWorks.
Potential customers also must prove that they are not law enforcement investigators pretending to be criminals, Jackson said. Most often, he said, this "proof" takes the form of demonstrating active involvement in the theft of consumers' financial and personal data.
According to VeriSign, a cyber-criminal who clears these hurdles can rent a dedicated Web site from the Russian Business Network for about $600 a month, or roughly 10 times the monthly fee for a regular dedicated Web site at most legitimate Internet companies.
According to several private-sector security experts, U.S. federal law enforcement agencies have tried unsuccessfully to gain the cooperation of Russian officials in arresting the individuals behind the company and shutting it down.
Officials at Russia's Interior Ministry said last week that they could not discuss the network.
But Alexander Gostev, an analyst with Kaspersky Lab, a Russian antivirus and computer security firm, said the Russian Business Network has structured itself in ways that make prosecution difficult.
"They make money on the services they provide," he said -- the illegal activities are all carried out by groups that buy hosting services. "That's the main problem, because RBN, in fact, does not violate the law. From a legal point of view, they are clean."
In addition, Gostev said, criminals using the Russian Business Network tend to target non-Russian companies and consumers rather than Russians, who might contact local authorities. "In order to start an investigation, there should be a complaint from a victim. If your computer was infected, you should go to the police and write a complaint and then they can launch an investigation," Gostev said. Now, he added, his company and the police both have information, but no victim has filed a complaint.
Thomas V. Fuentes, the FBI's assistant director of international operations, declined to answer questions about the Russian Business Network but said the United States has had great success with other countries in investigating cybercrime.
Fuentes added that his agency's requests for law enforcement assistance from foreign governments sometimes conflict with domestic intelligence investigations that may be underway.
"There are times when it appears that action is not happening when in fact the other country is conducting a very sensitive investigation, and we have to take it on the chin," he said. "But that works both ways. That happens with us for requests we sometimes receive where we'd rather not go public with certain information at the time of the request."
Without a diplomatic or legal solution to the Russian Business Network, some Internet service providers have begun walling off their customers from the company.
One security administrator, speaking on condition of anonymity, said that within a few months of blocking the Russian company, his employer found it was saving significant amounts of money by spending less time helping customers clean viruses originating from the Russian Business Network off computers or taking down online scam sites or spam-spewing PCs. "Our instances of spam and infected machines dropped exponentially," he said.
Danny McPherson, chief research officer at Arbor Networks, a Lexington, Mass.-based company that provides network security services to some of the world's largest Internet providers, said most providers shy away from blocking whole networks. Instead, they choose to temporarily block specific problem sites.
"Who decides what the acceptable threshold is for stopping connectivity to an entire network? Also, if you're an AT&T or Verizon and you block access to a sizable portion of the Internet, it's very likely that some consumer rights advocacy group is going to come after you."
The unusually clear-cut case of Russian Business Network, McPherson said, has generated debate between the service providers and the security research community. Many researchers see blocking purely illegal networks as a no-brainer. But blocking problematic networks typically means they merely go to a new place on the Internet, McPherson said.
"At the end of the day," he said, "it only moves the problem somewhere else, when what we really need is for political and regulatory law enforcement to step in."
Growing numbers of security specialists for several U.S. Internet providers and telecommunications companies say they are done waiting for the cavalry to arrive. "There is never going to be an easy and painless way to combat this problem, mainly because it's been ignored for far too long and been allowed to fester," said the security administrator who did not want to be identified.
Brian Krebs on Computer Security
Mapping the Russian Business Network
Today's Washington Post carries my story about the Russian Business Network, an entity based in St. Petersburg that provides Web hosting services that cater exclusively to cyber criminals. From the story:
"The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of 'phishing' -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites."
I thought it might be useful to name the companies that provide RBN's direct upstream Internet connectivity, as well as a few major Internet providers that provide services to RBN, including Tiscali.uk, SBT Telecom, Aki Mon Telecom and Nevacon LTD. The graph at the right is not an exhaustive look at all of the companies providing networking services to RBN, and it does not imply that the network providers listed are aware of or condone any illegal activity by RBN or RBN's customers.
It is tough to find a serious cyber-crime attack over the past two to three years that did not involve RBN Internet addresses to some degree. Going back as far as 2004 -- when RBN was known variously as "TooCoin Software" and "ValueDot" -- the network has offered an affiliate program called "iFramecash," wherein Web site administrators are paid a small sum for each visitor they silently refer to RBN's network. The visitor's machine is then peppered with Trojan horse programs that try to install password-stealing programs. In the past year-and-a-half or so, the main affiliates of that program simply started hacking into legitimate Web sites and placing the redirect code there.
In late 2005, security experts saw evidence that hacker gangs were taking advantage of a previously unknown security flaw in Microsoft's Internet Explorer browser to install keystroke-logging software on computers when users visited one of thousands of legitimate Web sites that had been hacked. In that attack, a large number of the sites set up by criminals to receive the keylogged data or serve up the exploit code resided on RBN's network.
Fast-forward to the fall of 2006, and security experts saw RBN sites implicated in an attack against HostGator, a large Web hosting provider in Florida. The attackers in that case had broken into thousands of Web sites using an undocumented security hole in "Cpanel," the software HostGator and hundreds of other hosting firms rely upon to host their sites.
Around that same time, RBN servers were heavily involved in exploiting yet another undocumented IE security hole to compromise an untold number of Web sites and Windows computers.
In May 2007, Security Fix reported that a large percentage of the sites belonging to IPOWER Inc., one of the Web's biggest inexpensive Web site hosting firms, had been hijacked with code that silently redirected visitors to malicious RBN sites.
Nearly every major advancement in computer viruses or worms over the past two years has emanated from, or sent stolen consumer data back to, servers on RBN's network, including such notable pieces of malware as Gozi, Grab, Haxdoor, Metaphisher, Mpack, Ordergun, Pinch, Rustock, Snatch, Torpig, and URsnif. The price for these malware products often includes software support, and some virus writers guarantee that the custom version created for the buyer will evade detection by anti-virus products for some period of time.
I spoke last week with James McQuaid, who works as an information technology specialist in Michigan. McQuaid said he's been blocking RBN and nearly all of its partner networks from reaching his home network for some time now. McQuaid, who helps run the American Red Cross's IT networks, said the people behind RBN have taken notice that some network providers have chosen to block traffic originating from the St. Petersburg provider. McQuaid said he's recently seen attackers on RBN hiding the source and destination of their traffic by routing it through compromised home computers in the United States and in Europe as a way to evade blocking filters like the one McQuaid deployed.
"What we're seeing now is RBN and some Chinese hacker groups are taking over machines in the U.S. and hosting malware or launching attacks from those machines, mainly because they realize their IP space is increasingly being blocked by the rest of the world," McQuaid said. "That's because it's a lot less common for ISPs and corporate networks to block IP space from residential networks."
This was the case with the recent attack against the Bank of India, in which attackers compromised the bank's Web site using Mpack, a veritable Swiss Army knife of Web browser exploits. When Microsoft Windows users visit an Mpack-infected site with a browser or Windows installation that is not updated with the latest security patches, Mpack uses those flaws to silently install password-stealing software on visitors' machines. In the attack on the Bank of India's site, the data was relayed through intermediary machines on its way back to servers controlled by RBN, according to several sources who tracked the attack.