
Remember the Russian Business Network? Let's have a short look back:
"The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of 'phishing' -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites."
Since all the publicity, their operations split up and went to several other parts of the world, like China or Turkey. But apparently this kind of hosting is also present in some more Western parts of the world. A research paper has been released that describes some of the activities located at a California-based ISP.
Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, the first-of-its-kind Open Source Security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study, although fully self-contained, is the first of a series of reports; on a monthly basis there will be a follow-up reporting on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.
In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure and organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. The study includes three-dimensional charts, diagrams, and a YouTube video, which make it easy to grasp the statistics and processes discussed.
- The study is downloadable from hostexploit.com
- Watch the Video of an Exploitation of a PC User on YouTube
The portions of Atrivo most heavily used by RBN were Hostfresh -- which provides routing for Atrivo through Hong Kong and China -- and UkrTeleGroup (also known as Inhoster) out of Ukraine. These two networks remain core components of Atrivo's operation, and recent data suggests the company's reputation for supporting online criminals hasn't diminished since the disappearance of the RBN last year. As of last December, Atrivo boasted the largest concentration of malicious activity of any hosting company, according to a report released by security intelligence firm iDefense.
"While Intercage has legitimate clients and professes intolerance for abuse, it continues to turn a blind eye to massive amounts of cyber crime," iDefense analysts wrote. "Intercage Inc. previously operated as Atrivo Inc.; it was already infamous for abuse then and has not improved its reputation since changing names."
Read his entire analysis here.
These publications did have some effect. Arbor Networks noticed the following:
After the research article’s publication, Global Exchange de-peered with them after only a day or two (GLBX had been a BGP peer providing transit, one of two or three distinct ASNs doing so). It’s unknown what debates went on inside GLBX before this action, but the suggestion is pretty clear: public analysis of overtly hostile networks with a long history of security issues can lead to changes. Last year’s collection of reports on RBN (from iDefense, Shadowserver, and others) led to the dissolution of RBN.
On my team, we’ve been seeing a lot of Atrivo over the years: rogue DNS servers that will send the user to a malicious website if they should typo, configured through DnsChanger malware; lots of fake AV product hosting lately; malcode drops and pickups. Our database is full of these droppings of information. (Source: Arbor networks)
So it's not only the (now dispersed) RBN we have to keep an eye on. Be vigilant.
Related posts:
- Updated paper on the Russian Business Network
- RBN poisoning Google Search results with exploits
- Whitepaper on Russian Business Network and more updates
- Detecting and Blocking the Russian Business Network with Snort (Update)
- Has the Russian Business Network gone into hiding? *updated*
- Three part story on fake anti-spyware and the RBN involvement
- PDF URI exploitation and the RBN
- Tracking the Russian Business Network Part 2
- The Russian Business Network denies allegations
- Tracking the Russian Business Network