An article in the October 13, 2007 Washington Post highlighted one of the world's most well-known hosts for cybercrime, the St. Petersburg-based Russian Business Network (RBN). Security experts estimate that RBN servers alone hosted about half of last year's phishing activity worldwide. VeriSign dubbed RBN "the baddest of the bad" in June 2006, saying that a scan of its activity failed to identify any legitimate traffic and that the ISP appeared to be totally dedicated to hosting criminals. Network security company Symantec similarly identified RBN as being responsible for a significant portion of the world's cybercrime and profiteering.
RBN sells a service advertised as bulletproof web site hosting, which is designed to insulate web sites from attempts to eliminate them, to individuals engaged in criminal activity. For this work, RBN charges as much as ten times the standard market price for hosting services. Would-be customers must demonstrate that they are not undercover investigators or police, usually by providing a verifiable history of cybercrime.
An impressive array of incidents has been traced to RBN servers since computer security experts started tracking it around 2004. The author of the Washington Post article indicated in a blog posting that it is hard to find a major incident of cybercrime in the past several years that did not touch RBN servers at some point. A few of the more high-profile incidents include the following:
In the summer of 2007, the Bank of India web site was found to have been infected with malware that exposed visitors running unpatched Windows software to a dangerous trojan capable of siphoning private personal information. The attack was traced back to RBN servers through unwitting intermediary servers.
In mid-2006, thousands of sites maintained by the Florida web host HostGator were redirected to malicious RBN-based sites through a Microsoft Internet Explorer vulnerability in its handling of Vector Markup Language (VML), a format for vector graphics in web pages (detailed in IntelliShield Alert 11738).
In May 2006, legitimate sites hosted by Phoenix-based IPOWER were hijacked by RBN-based servers and used to install malicious software on visitors' systems. IPOWER was initially identified as the host of the malicious servers, which is not the kind of publicity any company wants.
Following the publication of the Washington Post article, an individual who claimed to represent RBN denied any wrongdoing in an interview with Wired magazine. He said that RBN had worked to address the complaints and had cooperated with Spamhaus, an international watchdog against Internet spammers, to shut down offending sites. Spamhaus, for its part, notes that all IP addresses hosted by RBN (more than 2,000) are included on its list of offending IPs that administrators should not trust.
RBN eludes prosecution by being hard to trace and by not engaging directly in illegal activity. RBN serves only as the host and is therefore technically not liable under Russian law. Moreover, RBN-hosted cybercriminals target victims outside Russia, making local complaints unlikely. Western law enforcement must work with Russian law enforcement officials, who to date have not been cooperative. RBN has no official web site and no street address, and the names of its owners have not been publicly identified. Symantec analysts indicate that RBN has links with Russian organized crime and may well have bribed government officials to avoid legal action. This model may prove to be replicable for other organizations, particularly in developing markets where regulatory infrastructure may be insufficient and law enforcement officials may be overworked, dishonest, or nonexistent.
By blocking all IP addresses allocated to RBN, at least one administrator at a United States ISP reported a major drop in phishing, spamming, and other network-based attacks against his customers, according to the author of the Washington Post article. However, even blocking RBN IP addresses is no guarantee against attacks, because cybercriminals who use RBN servers increasingly appear to route traffic through intermediary servers to obscure the origin of the activity; in the HostGator and IPOWER incidents above, the hosts that visitors actually connected to were legitimate providers whose sites had been hijacked, not RBN netblocks. With no legal help on the horizon, security administrators at a minimum should be aware that RBN exists, and may want to block the IP ranges assigned to RBN in both directions: inbound, to cut off phishing and attack traffic, and outbound, so that a compromised client cannot fetch payloads from RBN-hosted sites. Lists of the IP addresses are available on the Internet on such sites as The Spamhaus Project or badmalweb.com.
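The following script is an added example, not code from the article or from any of the organizations it mentions. It shows the mechanics of the blocking approach described above: parse a netblock list, check both an inbound access log and an outbound proxy log against it, and emit ipset/iptables rules that drop the listed ranges as source and as destination. The list format is modelled on the "CIDR ; comment" layout of the Spamhaus DROP list, and every IP range, log line and set name in it is constructed for illustration (RFC 5737 documentation prefixes, not real RBN addresses).

```python
"""Match log traffic against a DROP-style netblock list and emit ipset/iptables rules."""
import ipaddress
import re

# Constructed sample list in the "CIDR ; comment" layout used by Spamhaus DROP.
# The ranges are RFC 5737 documentation prefixes, NOT real RBN addresses.
SAMPLE_BLOCKLIST = """\
; Sample netblock list (constructed for this example)
192.0.2.0/24 ; SBL-EXAMPLE-1 hypothetical bulletproof host
198.51.100.0/25 ; SBL-EXAMPLE-2 hypothetical bulletproof host
203.0.113.64/26 ; SBL-EXAMPLE-3 hypothetical bulletproof host
"""

# Constructed Apache combined-format access log lines (inbound view).
SAMPLE_ACCESS_LOG = """\
192.0.2.77 - - [13/Oct/2007:10:02:11 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [13/Oct/2007:10:02:13 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.200 - - [13/Oct/2007:10:02:15 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Constructed outbound proxy log lines: timestamp client dest_ip url (egress view).
SAMPLE_PROXY_LOG = """\
1192269731.123 10.0.0.5 203.0.113.70 http://203.0.113.70/counter.html
1192269732.456 10.0.0.9 198.51.100.200 http://198.51.100.200/update.exe
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_blocklist(text):
    """Return ip_network objects from 'CIDR ; comment' lines, skipping comments."""
    networks = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        networks.append(ipaddress.ip_network(line, strict=False))
    # Longest prefix first so lookup() reports the most specific match.
    return sorted(networks, key=lambda n: n.prefixlen, reverse=True)


def lookup(ip, networks):
    """Return the blocklisted network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None


def flag_log(text, networks, field):
    """Check the field-th IPv4 address on each line against the list.

    field=0 is the client IP in an access log; field=1 is the destination in
    the constructed proxy format above. Returns [(ip, network, line), ...].
    """
    hits = []
    for line in text.splitlines():
        ips = IPV4_RE.findall(line)
        if len(ips) <= field:
            continue
        net = lookup(ips[field], networks)
        if net is not None:
            hits.append((ips[field], str(net), line))
    return hits


def ipset_rules(networks, setname="badnets"):
    """Emit ipset + iptables commands that drop the listed blocks both ways:
    inbound (src) for phishing/attack traffic and outbound (dst) so that a
    compromised client cannot fetch payloads from the listed hosts."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {net} -exist" for net in networks]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    cmds.append(f"iptables -I OUTPUT -m set --match-set {setname} dst -j DROP")
    return cmds


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    for hit in flag_log(SAMPLE_ACCESS_LOG, nets, 0) + flag_log(SAMPLE_PROXY_LOG, nets, 1):
        print("HIT", hit[0], "in", hit[1])
    print("\n".join(ipset_rules(nets)))
```

Note that 198.51.100.200 is not flagged even though its /24 neighbour is listed, because the sample entry covers only 198.51.100.0/25: list entries are exact netblocks, so a log check against them says nothing about traffic relayed through a non-listed intermediary, which is the gap described above. In production the list would be fetched on a schedule rather than embedded, and the ipset would be refreshed with `ipset swap` rather than rebuilt in place.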
The Washington Post article is available at the following link: Shadowy Russian Firm Seen as Conduit for Cybercrime