Sunday, October 14, 2007

RBN - iFrame Cash Update - The Enemy Within the Gates

A great article and associated blog articles on the Russian Business Network (RBN) from Brian Krebs in the Washington Post. However, the puzzle, and a theory for a few of us, has always been: where are the RBN's external communications, web site exploit, and ID theft divisions, let us call it the RBN retail division? These have to be outside their conventional Nevacon / RBNnetwork / Aki Mon ranges, which are becoming well blocked on SBL, XBL etc., thanks to Spamhaus et al.

Despite what some researchers may think about domestic PCs, the logic for the RBN is to base these operations within accessible hosts. From inside a server it is also much easier to use "Man-in-the-Middle" (MITM) techniques to exploit neighboring web sites and to carry out personal ID theft. Where better than within a low-cost US host that only cares about the credit card used, not what the web site does, and where there are over 1 million web sites and their users to prey on?

So here is the "good news": the RBN have moved some key domains as of today, and luckily every time they do this it reveals more of their bases. Below is just a sample of many; if you push them outside the major hosting hubs, you will starve the main body.


"The Enemy Within the Gates" - all "within" major US hosts; also note that every one has fictitious domain registrants and is breaking the TOS (terms of service) for hosting:


iframecash com = 38.97.225.135 = Hiding within Cogent Communications (DC, US) moved back onshore to the US from Aki Mon Telecom

iframecash net = 66.29.87.11 = Hiding within Net Access Corporation (NJ, US) - along with many (what look like) bank phishing domains

anonymous-service (dot) com = 67.19.24.170 = within ThePlanet com (US) & proxy registered via Global Net Access (US) - also key domains:
adulthosting (dot) ru, aspmedia (dot) net, sexbomba (dot) ru, webmoney-hosting (dot) net

76service com = 66.232.122.239 = still within Noc4hosts Inc (FL, US) and proxy registered via Global Net Access - also key domains:
firstoceanicbank (dot) net, gamesboard (dot) ru, hydrometeocenter (dot) net, newpulses (dot) com, odeku (dot) net, putany (dot) net, sosnovsky (dot) net
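The indicators above are written defanged ("iframecash com", "anonymous-service (dot) com"), which is the right way to publish them but not a form a proxy or DNS log can be matched against. The following is an added example, not code from the post: it refangs the post's own list (these are the 2007 values as quoted above, not a current blocklist), validates which entries are IPs, and scans a few constructed proxy log lines for hosts or destination addresses that touch them. The log format and the log lines are invented for the example.

```python
"""Refang the defanged indicators quoted in the post and check constructed
proxy log lines against them. The domains and IPs are the 2007 values from
the post; the log lines and their format are constructed for this example."""
import ipaddress
import re

# Indicators exactly as the post writes them (a bare space or "(dot)" for ".").
POST_INDICATORS = [
    "iframecash com", "38.97.225.135",
    "iframecash net", "66.29.87.11",
    "anonymous-service (dot) com", "67.19.24.170",
    "adulthosting (dot) ru", "aspmedia (dot) net", "sexbomba (dot) ru",
    "webmoney-hosting (dot) net",
    "76service com", "66.232.122.239",
    "firstoceanicbank (dot) net", "gamesboard (dot) ru",
    "hydrometeocenter (dot) net", "newpulses (dot) com", "odeku (dot) net",
    "putany (dot) net", "sosnovsky (dot) net",
]


def refang(indicator: str) -> str:
    """Turn common defanged spellings back into a hostname or IP string.
    Handles "(dot)", "[dot]", "[.]", "{.}", an "hxxp://" prefix, and the
    post's own style of a bare space between label and TLD ("iframecash com")."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = re.sub(r"\s*(\(dot\)|\[dot\]|\[\.\]|\{\.\})\s*", ".", s)
    # Bare "label tld" form: only join on whitespace when no dot survived.
    if "." not in s:
        s = re.sub(r"\s+", ".", s)
    return s


def load_indicators(raw):
    """Split refanged indicators into (domains, ips); ipaddress validates the IPs."""
    domains, ips = set(), set()
    for item in raw:
        value = refang(item)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def host_matches(host, domains):
    """Exact or subdomain match: www.iframecash.com hits iframecash.com,
    but notiframecash.com does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed log format: timestamp src_ip dst_ip http_host path
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<path>\S+)$")


def scan_log(lines, domains, ips):
    """Return (line_number, matched_field, value) for every line that touches
    an indicator, checking the HTTP host first and the destination IP second."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        if host_matches(m["host"], domains):
            hits.append((n, "host", m["host"].lower()))
        elif m["dst"] in ips:
            hits.append((n, "dst", m["dst"]))
    return hits


# Constructed proxy log lines; TEST-NET and RFC 1918 addresses, not real traffic.
SAMPLE_LOG = [
    "2007-10-14T10:01:02Z 10.0.0.5 192.0.2.10 www.example.org /index.html",
    "2007-10-14T10:01:05Z 10.0.0.7 38.97.225.135 www.iframecash.com /stat.php",
    "2007-10-14T10:01:09Z 10.0.0.7 66.232.122.239 cdn.example.net /img.gif",
    "2007-10-14T10:01:11Z 10.0.0.9 10.0.0.1 intranet /",
]

if __name__ == "__main__":
    domains, ips = load_indicators(POST_INDICATORS)
    for hit in scan_log(SAMPLE_LOG, domains, ips):
        print(hit)
```

The third sample line is the interesting one: the HTTP host is an innocent-looking name, and only the destination address (one of the post's hosting IPs) gives it away, which is why a blocklist built from a post like this should carry both the domains and the addresses they were seen on, and why address-based hits need re-checking once the hosts move again.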

If we can persuade these major US hosts / servers to act voluntarily and quickly, as we did with Layered Technologies (iframecash com), then at least we could prevent a great deal of web site exploits from "within" the major US hosting servers.

Just to re-emphasize: the hosting listed above provides the RBN with direct access to over 1 million web sites and their users.
