About Me

Francois Paget

Francois Paget
Senior Threat Researcher

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

If RBN is dead, their customers are still alive

Friday, September 12, 2008 at 10:25am by Francois Paget
Francois Paget

After I read the Chris post on our blog that dissected the darksides domains, I wondered about the Russian Business Network and its state of health.

This year, the posts and white papers circulating on the web portray new protagonists like AbdAllah, Atrivo, Directi or EstDomains. Like their RBN senior branch, these Internet network providers are strongly suspected to protect many actors in the malware/phishing/fraud world.

In February 2008, a ShadowServer foundation document explained that many domains had moved from RBN to AIH (AbdAllah Internet Hizmetleri). Like me, many researchers saw here a revival of RBN. But as it is assumed by some French bloggers, it was only a migration from customers, from one bulletproof hoster to another.

2 weeks ago, in the last Jart Armin controversial paper, the St Petersburg entity was hardly mentioned. Various networks previously known as RBN bastions were listed as core component of the Atrivo California-based family of companies (you can read the Brian Krebs post to be convinced).

In October 2007, after the media got in the Russian ISP in the spotlights, their representative Tim Jaret forcefully denied the accusations. He said that his company investigated abuse complaints and took care of them if there was a violation of law. Now, Emil Kacperski, the Atrivo founder hands out the same message. He assures the company works very hard to clean up his image and respond to abuse reports and then proceed to any corrective action when necessary. But some people don’t believe them!

One thing is sure, each time a report discloses a lax ISP, many unscrupulous customers looking for discretion, cover or camouflage, are disrupted. As I said before, we have seen some of them moving to AbdAllah or Atrivo. I should not be surprised if they started searching for a new refuge! All the more probable that bad advertising arrived to the ears of many attentive backbone providers bring about Atrivo to lose peering from all sides. At least it is something!

Today several researchers announce the dissolution of RBN and with the Atrivo and Directi disclosures, we gave new kicks into the anthill. But all these criminals who pay for dedicated server and protection from takedowns due to abuse complaints are still busy. For that reason, the criminal business network is still living even if it changes sometimes in name and management.

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (1)

  • knife September 12, 2008 12:44PM

    Good blog. Two comments. 1) Jart Armin is a complete idiot as is anyone who cites him. 2) The Tim Jaret commentary was a complete hoax by someone who thought it would be funny to see if reporters would check their credibility…and they didn’t.

    Reply