I hope all have seen the article below, thanks to Verisign / iDefense (version from Economist) - at last a major has started to "do something" about these guys, at least inform. To all webmasters here, by any estimate the RBN are responsible for maybe 60% of exploits to "your" website. The more "we" all inform anyone we can get to the better.
ACCORDING to VeriSign, one of the world's largest internet security companies, RBN, an internet company based in Russia's second city, St Petersburg, is "the baddest of the bad". In a report seen by The Economist, VeriSign's investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.
In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.
But the menace it poses certainly exists. "RBN is a for-hire service catering to large-scale criminal operations," says the report. It hosts cybercriminals, ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers from the venal to the vicious. Just one big scam, called Rock Phish (where gullible internet users were tricked into entering personal financial information such as bank account details) made $150m last year, VeriSign estimates.
Despite the attention it is receiving from Western law enforcement agencies, RBN is not on the run. Its users are becoming more sophisticated, moving for example from simple phishing (using fake e-mails) to malware known as "Trojans" that sit inside a victim's computer collecting passwords and other sensitive information and sending them to their criminal masters.
A favorite trick is to by-pass the security settings of a victim's browser by means of an extra piece of content injected into a legitimate website. An unwary user enters his password or account number into what looks like the usual box on his log-in page, and within minutes a program such as Corpse's Nuclear Grabber, OrderGun and Haxdoor has passed it to a criminal who can empty his bank account. When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. "Every major Trojan in the last year links to RBN" says a VeriSign sleuth.
RBN even fights back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank's security director belonged. RBN-based cybercriminals replied by crashing the bank's home-page for three days.
What can be done? VeriSign has tracked down the physical location of RBN's servers. But Western law enforcement officers have so far tried in vain to get their Russian counterparts to pursue the investigation vigorously. "RBN feel they are strongly politically protected. They pay a huge amount of people. They know they are being watched. They cover their tracks," says VeriSign. The head of RBN goes under the internet alias "Flyman". Repeated e-mails to RBN's purported contact addresses asking for comment have gone unanswered.
Russian Business Network (RBN) - iFrame Cash and Layered Technologies; StopBadWare makes the difference!
According to a recent news article in net-security.org Todd Abrams, the CEO of Layered Technologies had released a statement in which he stated that the company's support database was a target of malicious activity on the evening of September 19th 2007. The incident may have involved the illegal downloading of information such as names, addresses, phone numbers, email addresses and server login details for up to 6,000 clients.
In an earlier post in StopBadWare there was a copy of the email to Layered Technologies abuse team, concerning their dedicated hosting of one of the Russian Business Network's (RBN) key "commercial" web enterprises (ref: iFrame Injection Source?). Although there was never a reply to any email, possibly with the added assistance of our bigger friends, they or the RBN obviously took action. This is seen by the change; on September 9th 2007 the change from 72.36.199.58 (USA - Layered Technologies Hosting) to 81.95.153.245 (Russian Federation - Aki Mon Telecom hosting - AKA "RBN"). For those who like the specific details see http://rbnexploit.blogspot.com.
It is reasonable to assume this attack on Layered Technologies was part of the RBN's normal procedure to wreak revenge upon those who try to rid themselves of the RBN's grip. This was just as they did to National Bank of Australia, the Bank of India, and many others.
Hopefully more web hosts will examine who they have as customers in the first place, rather than the value of the credit card?
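The "extra piece of content injected into a legitimate website" and the iFrame injections mentioned above are something a webmaster can check for in the HTML their own server actually serves. The scanner below is an added example, not code from this thread or from StopBadWare; it flags iframes that point at a third-party host and are hidden (zero-size or styled off-screen/invisible), and the host names in the sample page are constructed.

```python
# Added example (not from the original post): scan HTML served by your own site
# for hidden iframes pointing to a third-party host, the injection pattern the
# thread describes. Uses only the Python standard library.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for every iframe that is both external and hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host is None or host.lower() == site_host.lower():
            continue  # same-origin or relative frame: not the injection pattern
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed plus one injected hidden frame.
SAMPLE = """<html><body>
<iframe src="http://www.example-site.test/widget.html" width="300" height="200"></iframe>
<iframe src="http://attacker.invalid/x.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE, "www.example-site.test"):
        print(src, why)
```

Run it over the pages as fetched from the live server (not the files on disk), since an injection may be added at serve time.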
On Sep 28, 7:10 pm, Jart <jart...@googlemail.com> wrote:
> I hope all have seen the article below, thanks to Verisign / iDefense (version from Economist) - at last a major has started to "do something" about these guys, at least inform. To all webmasters here, by any estimate the RBN are responsible for maybe 60% of exploits to "your" website. The more "we" all inform anyone we can get to the better.
> ACCORDING to VeriSign, one of the world's largest internet security companies, RBN, an internet company based in Russia's second city, St Petersburg, is "the baddest of the bad". In a report seen by The Economist, VeriSign's investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.
> In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.
> But the menace it poses certainly exists. "RBN is a for-hire service catering to large-scale criminal operations," says the report. It hosts cybercriminals, ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers from the venal to the vicious. Just one big scam, called Rock Phish (where gullible internet users were tricked into entering personal financial information such as bank account details) made $150m last year, VeriSign estimates.
> Despite the attention it is receiving from Western law enforcement agencies, RBN is not on the run. Its users are becoming more sophisticated, moving for example from simple phishing (using fake e-mails) to malware known as "Trojans" that sit inside a victim's computer collecting passwords and other sensitive information and sending them to their criminal masters.
> A favorite trick is to by-pass the security settings of a victim's browser by means of an extra piece of content injected into a legitimate website. An unwary user enters his password or account number into what looks like the usual box on his log-in page, and within minutes a program such as Corpse's Nuclear Grabber, OrderGun and Haxdoor has passed it to a criminal who can empty his bank account. When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. "Every major Trojan in the last year links to RBN" says a VeriSign sleuth.
> RBN even fights back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank's security director belonged. RBN-based cybercriminals replied by crashing the bank's home-page for three days.
> What can be done? VeriSign has tracked down the physical location of RBN's servers. But Western law enforcement officers have so far tried in vain to get their Russian counterparts to pursue the investigation vigorously. "RBN feel they are strongly politically protected. They pay a huge amount of people. They know they are being watched. They cover their tracks," says VeriSign. The head of RBN goes under the internet alias "Flyman". Repeated e-mails to RBN's purported contact addresses asking for comment have gone unanswered.
Every single webmaster should fight against this crap, you already know you can count on me to fight them, my site was hacked and I won't let it happen again!! NO!! NEVER!! they earn money by the worst way of doing it, just injecting their malware around... they won't get a cent out of my purse...
don't forget to post the list of "baddies" everyone should ban for life from their sites! i'll do it straight away...your info is always quite useful!
Fellow webmasters, it appears another story unfolds concerning the RBN and US based hosting. All should read it; it includes a video of the recent and fascinating reports within CIO written by Scott Berinato in conjunction with SecureWorks researcher Don Jackson, focused on the technical analysis of form-grabbing software, via access to 76service (dot)com. Subscribers to 76service could log in and pull down the latest drops, i.e. data deposits sent to the servers from the Gozi-infected machines they subscribed to, like the 3.3 GB one Jackson had found containing more than 10,000 online credentials (ID theft) taken from 5,200 PCs.
76service (dot) com (66.232.122.239) and related, reveals a detailed hosting history and CBL / SBL blacklisting, but apparently is still currently hosted by "coolservecorp (dot) net" i.e. Noc4hosts Inc, with their servers stated as being in Lykes Building, Tampa, FL, USA.
Even more concerning is the fact that there are reports of website hacking, iFrame exploits and hijacking at these hosts, not quite reported yet on the scale of the recent iPower (10,000+ sites exploited) problem but significant and growing. However the potential "internal" target for the RBN here is staggering, if correlating the potentially "infectable" IP domains from AS29802, AS3595, and AS29802 is a total of 1,296,640 IP addresses.
Any reasonable conclusion again asks the question; are the RBN's "bullet proof" servers operating with apparent impunity from within large low cost shared and dedicated hosting services within the US at coolservecorp / Noc4Hosts, The Planet or similar?
<badwareaven...@gmail.com> wrote:
> Every single webmaster should fight against this crap, you already know you can count on me to fight them, my site was hacked and I won't let it happen again!! NO!! NEVER!! they earn money by the worst way of doing it, just injecting their malware around... they won't get a cent out of my purse...
> don't forget to post the list of "baddies" everyone should ban for life from their sites! i'll do it straight away...your info is always quite useful!
In a continuation of the discovery of the Russian Business Network's (RBN) "Retail Division" (see http://rbnexploit.blogspot.com), one of the most important exploit delivery methods is fake anti-spyware and anti-malware for PC hijacking and personal ID theft. The blog article shows "The RBN's Top 20 - fakes"; this detailed research was inspired by co-operation with another independent RBN researcher's blog http://ddanchev.blogspot.com/2007/10/russian-business-network.html .
For example, MalwareAlarm is dangerous fake anti-spyware software and is an updated version of Malware Wiper. MalwareAlarm is stealth based malware; according to McAfee's Site Advisor (http://www.siteadvisor.com/sites/malwarealarm.com) they tested 279 "bad" downloads. The methodology is to get the user to use a "free download" to test their PC; MalwareAlarm then displays a warning message to purchase the paid version of MalwareAlarm, and of course the damage is done with the initial action. The user then "pays" $$$ to the RBN for more PC hijacking, ID theft exploits and ensures the PC user is enslaved!
If any think this must be a limited number of PC users being tricked into visiting these fake sites, think again. MalwareAlarm's web site has an Alexa rating of 8,201, about the same as jellyfish.com, an auction site recently acquired by Microsoft. As a sample, according to Alexa (and their figures are pretty accurate) 40% of all visitors are from the USA, and that 40% alone equals 2 million+ visitors per month.
The good news, at least this discovery and being able to provide advice to the community, does show that even a few activist netizens can make a difference, maybe even help STOP?
Jart
On Oct 12, 9:10 am, Jart <jart...@googlemail.com> wrote:
> Fellow webmasters, it appears another story unfolds concerning the RBN and US based hosting. All should read it; it includes a video of the recent and fascinating reports within CIO written by Scott Berinato in conjunction with SecureWorks researcher Don Jackson, focused on the technical analysis of form-grabbing software, via access to 76service (dot)com. Subscribers to 76service could log in and pull down the latest drops, i.e. data deposits sent to the servers from the Gozi-infected machines they subscribed to, like the 3.3 GB one Jackson had found containing more than 10,000 online credentials (ID theft) taken from 5,200 PCs.
> 76service (dot) com (66.232.122.239) and related, reveals a detailed hosting history and CBL / SBL blacklisting, but apparently is still currently hosted by "coolservecorp (dot) net" i.e. Noc4hosts Inc, with their servers stated as being in Lykes Building, Tampa, FL, USA.
> Even more concerning is the fact that there are reports of website hacking, iFrame exploits and hijacking at these hosts, not quite reported yet on the scale of the recent iPower (10,000+ sites exploited) problem but significant and growing. However the potential "internal" target for the RBN here is staggering, if correlating the potentially "infectable" IP domains from AS29802, AS3595, and AS29802 is a total of 1,296,640 IP addresses.
> Any reasonable conclusion again asks the question; are the RBN's "bullet proof" servers operating with apparent impunity from within large low cost shared and dedicated hosting services within the US at coolservecorp / Noc4Hosts, The Planet or similar?
> <badwareaven...@gmail.com> wrote:
> > Every single webmaster should fight against this crap, you already know you can count on me to fight them, my site was hacked and I won't let it happen again!! NO!! NEVER!! they earn money by the worst way of doing it, just injecting their malware around... they won't get a cent out of my purse...
> > don't forget to post the list of "baddies" everyone should ban for life from their sites! i'll do it straight away...your info is always quite useful!