
Russian Business Network: Down, But Not Out

A major Russian Internet service provider whose client list amounted to a laundry list of organized cyber crime operations appears to have closed shop. But security experts caution that there are signs that the highly profitable network may already be building a new home for itself elsewhere on the Web.

The Russian Business Network, an ISP and Web hosting provider long based in St. Petersburg, Russia, this week relinquished most of its allocated Internet addresses after a number of its main upstream Internet providers severed ties with the group.

The disappearance of RBN comes less than a month after I wrote a series of stories detailing the organization and history of the shadowy ISP. That series examined RBN's infamy as a world hub for Web sites devoted to child pornography, spamming and identity theft, a so-called "bulletproof hosting" provider to some of the most sophisticated cyber criminal networks in operation today.

Within 24 hours of that Oct. 13 story, RBN's biggest upstream provider -- Tiscali.uk -- began refusing to route Internet traffic for RBN, according to several security experts. Days later, the second of RBN's three main upstream providers -- C4l -- dropped the Russian ISP as a customer.

Then, on Nov. 4, nearly all of the most troublesome Web sites on RBN's network went dark. The following day, RBN relinquished control over Internet space that hosted thousands of domains connected to countless fraud schemes over the years.

While RBN may appear to have been vanquished, experts at anti-spam group Spamhaus say there are strong indications that a huge swath of Internet space recently established in China may soon emerge as the next incarnation of the Russian Business Network. If Spamhaus's assumptions are correct, RBN's new home would include several times more Web hosting capacity than its previous location in Russia.

Not everyone is willing as yet to attribute the Chinese address registrations to RBN. Matthew Richard, director of the rapid response team for iDefense, a security company owned by Verisign, said it's too soon to draw that connection definitively. But according to Richard, RBN's customers began preparations for moving to other providers shortly after The Post published my RBN story.

About a week ago, Adobe released a security update to fix a dangerous security hole in its software that allowed criminals to foist malicious software on people who clicked on links in spam e-mails blasted out to millions. Richard said that while much of the malware in that attack was downloaded from Web sites hosted at RBN, the criminals behind that attack established backup download sites at two other bulletproof hosting providers.

"In that attack, it was clear that RBN's customers were already hedging their bets," he said. "Not only did RBN know that the writing was on the wall, but so did their customers."

The apparent flight of RBN came on the eve of a lengthy cybercrime speech by FBI Director Robert Mueller. Speaking at Penn State on Tuesday, Mueller addressed the internationalization of cyber crime and its threat to the political and economic stability of the United States.

"Increasingly, cyber threats originate outside of our borders. And as more people around the world gain access to computer technology, new dangers will surface," Mueller said. "The Internet has opened up thousands of new roads for each of us--new ideas and information, new sights and sounds, new people and places. But the invaders--those whose intent is not enlightenment, but exploitation and extremism--are marching right down those same roads to attack us in multiple ways."

By Brian Krebs | November 7, 2007; 12:31 PM ET | Categories: Fraud, Latest Warnings, Misc., Safety Tips, U.S. Government

Comments




Thanks for opening the window on those vermin!

Does anyone anywhere have a flow chart of the big players in cybercrime? If so, can you publish it please?

Posted by: FredA | November 7, 2007 2:04 PM

Heh! Sunlight is the best disinfectant!

Score one for the good guys! Stay on the offensive is a creed to live by these days!

Thanks Brian!

Posted by: TJ | November 7, 2007 3:16 PM

Some of the large players have been identified, Polyakov comes to mind immediately but most of them have protection from corrupt governments in the former communist countries where organized crime and politics blended well for decades and have become even more powerful after the fall of communism.

Posted by: R.Flem | November 7, 2007 3:29 PM

I think you hurt their feelings, Brian.

Posted by: Rick | November 7, 2007 11:55 PM

@TJ:
They're regrouping. Too many networks are blocking their IPs.

Posted by: Rick | November 8, 2007 12:03 AM

There is one positive thing about them moving to China: those guys have a different way of dealing with crime that makes them look bad, death penalty ;)

Tricky part would be to somehow make the Chinese react.

Posted by: me | November 8, 2007 5:28 AM

Excellent story.

It is a shame that it requires a story like this though for a company like Tiscali (one of the biggest ISPs in Europe) to stop routing traffic to them. They must have known about this lot months / years ago.

Begs the question, how many more RBN's are there out there....

Posted by: Matthew | November 8, 2007 10:30 AM

Good job, Brian. The way these groups like the RBN go down and away is through notoriety such as the stories you ran. National and international news outlets should be encouraged to continue to publish the groups that are abusing the Internet to put pressure on the world leaders to in turn pressure this cyber slime/crime much the way local papers publish local crime on police blotters. This way, the ethical hackers and law enforcement can go after them. Is the person who claims to be a representative of RBN who went by the name of Tim Jaret in jail? Otherwise, he'll be setting up shop somewhere else in the world. Mr. Jaret vehemently denied the charges and claimed the critics were xenophobic. The term, xenophobic, is typically used to describe fear or dislike of foreigners or in general of people different from one's self. If that word encompasses me being a critic and fearing kiddy porn pushers and con-artists. He's right; I'm that.

Posted by: Mike B | November 8, 2007 12:26 PM

Moving to China means that nothing will be done by the Chinese. As many of us block all email from China there's no great problems here for those in the know.

Posted by: S West | November 9, 2007 4:52 PM

Is it a coincidence that the RBN went dark about the time of the arrests here?

http://www.manhattanda.org/whatsnew/press/2007-11-07.html

The RBN has ties to 555 Eighth ave as shown here

http://www.f-secure.com/weblog/archives/00001298.html

Posted by: Moike | November 10, 2007 7:52 AM

FYI...

- http://www.theregister.co.uk/2007/11/13/rbn_quits_china/
13 November 2007 - "Infamous cybercrime hosting outfit Russian Business Network (RBN) has disappeared again, days after quitting Russia and setting up shop in China. RBN obtained seven net blocks of Chinese IP addresses. Last Wednesday (8 November), some of RBN's clients began popping up on some of the 5,120 IP addresses it had acquired. But a day later China cut the connection to six of the seven net blocks controlled by RBN, once again forcing it offline. Security researchers at VeriSign iDefense, who have kept a close eye on the cybercrime network's activities, reckon the organisation may break itself up into smaller parts in an effort to make its business less visible. The days of RBN as a monolithic organisation may be numbered. "[A break-up] may keep it under the radar, but it's also more expensive for them, and it's riskier, too, because the more ISPs that it has to deal with, the better the chance that one of those ISPs says 'no' to hosting RBN content and shuts them off," an iDefense analyst told Computerworld*..."
* http://www.computerworld.com.au/index.php/id;1151051570;fp;16;fpid;1;pf;1


Posted by: J. Warren | November 13, 2007 2:11 PM


©  The Washington Post Company