[ISN] Shadowy Russian Firm Seen as Conduit for Cybercrime

From: InfoSec News (alerts@private)
Date: Sun Oct 14 2007 - 23:27:32 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html

By Brian Krebs
washingtonpost.com Staff Writer
October 13, 2007

An Internet business based in St. Petersburg has become a world hub for 
Web sites devoted to child pornography, spamming and identity theft, 
according to computer security experts. They say Russian authorities 
have provided little help in efforts to shut down the company.

The Russian Business Network sells Web site hosting to people engaged in 
criminal activity, the security experts say.

Groups operating through the company's computers are thought to be 
responsible for about half of last year's incidents of "phishing" -- 
ID-theft scams in which cybercrooks use e-mail to lure people into 
entering personal and financial data at fake commerce and banking sites.

One group of phishers, known as the Rock Group, used the company's 
network to steal about $150 million from bank accounts last year, 
according to a report by VeriSign of Mountain View, Calif., one of the 
world's largest Internet security firms.

In another recent report, the Cupertino, Calif.-based security firm 
Symantec said that the Russian Business Network is responsible for 
hosting Web sites that carry out a major portion of the world's 
cybercrime and profiteering.

The company "is literally a shelter for all illegal activities, be it 
child pornography, online scams, piracy or other illicit operations," 
Symantec analysts wrote in a report. "It is alleged that this organized 
cyber crime syndicate has strong links with the Russian criminal 
underground as well as the government, probably accomplished by bribing 
officials."

The Russian Business Network did not respond to requests for comment 
e-mailed to an address listed on its Internet address records. Other 
efforts to communicate with its organizers through third parties were 
not successful.

Law enforcement agencies say these kinds of Internet companies are able 
to thrive in countries where the rule of law is poorly established. "It 
is clear that organized cybercrime has taken root in countries that 
don't have response mechanisms, laws, infrastructure and investigative 
support set up to respond to the threat quickly," said Ronald K. Noble, 
secretary general of Interpol, an organization that facilitates 
transnational law enforcement cooperation. He declined to discuss the 
Russian Business Network specifically.

The company isn't a mainstream Internet service provider, as Comcast and 
Verizon are. Rather, it specializes in offering Web sites that will 
remain reachable on the Internet regardless of efforts to shut them down 
by law enforcement officials -- so-called bulletproof hosting.

Though there are thousands of Web sites that bear the Russian Business 
Network name on registration records, the company is unchartered and has 
no legal identity, computer security firms say.

The network has no official Web site of its own; those who want to buy 
its services must contact its operators via instant-messaging services 
or obscure, Russian-language online forums, said Don Jackson, a 
researcher at Atlanta-based SecureWorks.

Potential customers also must prove that they are not law enforcement 
investigators pretending to be criminals, Jackson said. Most often, he 
said, this "proof" takes the form of demonstrating active involvement in 
the theft of consumers' financial and personal data.

According to VeriSign, a cyber-criminal who clears these hurdles can 
rent a dedicated Web site from the Russian Business Network for about 
$600 a month, or roughly 10 times the monthly fee for a regular 
dedicated Web site at most legitimate Internet companies.

According to several private-sector security experts, U.S. federal law 
enforcement agencies have tried unsuccessfully to gain the cooperation 
of Russian officials in arresting the individuals behind the company and 
shutting it down.

Officials at Russia's Interior Ministry said last week that they could 
not discuss the network.

But Alexander Gostev, an analyst with Kaspersky Lab, a Russian antivirus 
and computer security firm, said the Russian Business Network has 
structured itself in ways that make prosecution difficult.

"They make money on the services they provide," he said -- the illegal 
activities are all carried out by groups that buy hosting services. 
"That's the main problem, because RBN, in fact, does not violate the 
law. From a legal point of view, they are clean."

In addition, Gostev said, criminals using the Russian Business Network 
tend to target non-Russian companies and consumers rather than Russians, 
who might contact local authorities. "In order to start an 
investigation, there should be a complaint from a victim. If your 
computer was infected, you should go to the police and write a complaint 
and then they can launch an investigation," Gostev said. Now, he added, 
his company and the police both have information, but no victim has 
filed a complaint.

Thomas V. Fuentes, the FBI's assistant director of international 
operations, declined to answer questions about the Russian Business 
Network but said the United States has had great success with other 
countries in investigating cybercrime.

Fuentes added that his agency's requests for law enforcement assistance 
from foreign governments sometimes conflict with domestic intelligence 
investigations that may be underway.

"There are times when it appears that action is not happening when in 
fact the other country is conducting a very sensitive investigation, and 
we have to take it on the chin," he said. "But that works both ways. 
That happens with us for requests we sometimes receive where we'd rather 
not go public with certain information at the time of the request."

Without a diplomatic or legal solution to the Russian Business Network, 
some Internet service providers have begun walling off their customers 
from the company.

One security administrator, speaking on condition of anonymity, said 
that within a few months of blocking the Russian company, his employer 
found it was saving significant amounts of money by spending less time 
helping customers clean viruses originating from the Russian Business 
Network off computers or taking down online scam sites or spam-spewing 
PCs. "Our instances of spam and infected machines dropped 
exponentially," he said.

Danny McPherson, chief research officer at Arbor Networks, a Lexington, 
Mass.-based company that provides network security services to some of 
the world's largest Internet providers, said most providers shy away 
from blocking whole networks. Instead, they choose to temporarily block 
specific problem sites.

"Who decides what the acceptable threshold is for stopping connectivity 
to an entire network? Also, if you're an AT&T or Verizon and you block 
access to a sizable portion of the Internet, it's very likely that some 
consumer rights advocacy group is going to come after you."

The unusually clear-cut case of Russian Business Network, McPherson 
said, has generated debate between the service providers and the 
security research community. Many researchers see blocking purely 
illegal networks as a no-brainer. But blocking problematic networks 
typically means they merely go to a new place on the Internet, McPherson 
said.

"At the end of the day," he said, "it only moves the problem somewhere 
else, when what we really need is for political and regulatory law 
enforcement to step in."

Growing numbers of security specialists for several U.S. Internet 
providers and telecommunications companies say they are done waiting for 
the cavalry to arrive. "There is never going to be an easy and painless 
way to combat this problem, mainly because it's been ignored for far too 
long and been allowed to fester," said the security administrator who 
did not want to be identified.

© 2007 The Washington Post Company





