washingtonpost.com
Shadowy Russian Firm Seen as Conduit for Cybercrime

By Brian Krebs
washingtonpost.com Staff Writer
Saturday, October 13, 2007

An Internet business based in St. Petersburg has become a world hub for Web sites devoted to child pornography, spamming and identity theft, according to computer security experts. They say Russian authorities have provided little help in efforts to shut down the company.

The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say.

Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of "phishing" -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites.

One group of phishers, known as the Rock Group, used the company's network to steal about $150 million from bank accounts last year, according to a report by VeriSign of Mountain View, Calif., one of the world's largest Internet security firms.

In another recent report, the Cupertino, Calif.-based security firm Symantec said that the Russian Business Network is responsible for hosting Web sites that carry out a major portion of the world's cybercrime and profiteering.

The company "is literally a shelter for all illegal activities, be it child pornography, online scams, piracy or other illicit operations," Symantec analysts wrote in a report. "It is alleged that this organized cyber crime syndicate has strong links with the Russian criminal underground as well as the government, probably accomplished by bribing officials."

The Russian Business Network did not respond to requests for comment e-mailed to an address listed on its Internet address records. Other efforts to communicate with its organizers through third parties were not successful.

Law enforcement agencies say these kinds of Internet companies are able to thrive in countries where the rule of law is poorly established. "It is clear that organized cybercrime has taken root in countries that don't have response mechanisms, laws, infrastructure and investigative support set up to respond to the threat quickly," said Ronald K. Noble, secretary general of Interpol, an organization that facilitates transnational law enforcement cooperation. He declined to discuss the Russian Business Network specifically.

The company isn't a mainstream Internet service provider, as Comcast and Verizon are. Rather, it specializes in offering Web sites that will remain reachable on the Internet regardless of efforts to shut them down by law enforcement officials -- so-called bulletproof hosting.

Though there are thousands of Web sites that bear the Russian Business Network name on registration records, the company is unchartered and has no legal identity, computer security firms say.

The network has no official Web site of its own; those who want to buy its services must contact its operators via instant-messaging services or obscure, Russian-language online forums, said Don Jackson, a researcher at Atlanta-based SecureWorks.

Potential customers also must prove that they are not law enforcement investigators pretending to be criminals, Jackson said. Most often, he said, this "proof" takes the form of demonstrating active involvement in the theft of consumers' financial and personal data.

According to VeriSign, a cyber-criminal who clears these hurdles can rent a dedicated Web site from the Russian Business Network for about $600 a month, or roughly 10 times the monthly fee for a regular dedicated Web site at most legitimate Internet companies.

According to several private-sector security experts, U.S. federal law enforcement agencies have tried unsuccessfully to gain the cooperation of Russian officials in arresting the individuals behind the company and shutting it down.

Officials at Russia's Interior Ministry said last week that they could not discuss the network.

But Alexander Gostev, an analyst with Kaspersky Lab, a Russian antivirus and computer security firm, said the Russian Business Network has structured itself in ways that make prosecution difficult.

"They make money on the services they provide," he said -- the illegal activities are all carried out by groups that buy hosting services. "That's the main problem, because RBN, in fact, does not violate the law. From a legal point of view, they are clean."

In addition, Gostev said, criminals using the Russian Business Network tend to target non-Russian companies and consumers rather than Russians, who might contact local authorities. "In order to start an investigation, there should be a complaint from a victim. If your computer was infected, you should go to the police and write a complaint and then they can launch an investigation," Gostev said. Now, he added, his company and the police both have information, but no victim has filed a complaint.

Thomas V. Fuentes, the FBI's assistant director of international operations, declined to answer questions about the Russian Business Network but said the United States has had great success with other countries in investigating cybercrime.

Fuentes added that his agency's requests for law enforcement assistance from foreign governments sometimes conflict with domestic intelligence investigations that may be underway.

"There are times when it appears that action is not happening when in fact the other country is conducting a very sensitive investigation, and we have to take it on the chin," he said. "But that works both ways. That happens with us for requests we sometimes receive where we'd rather not go public with certain information at the time of the request."

Without a diplomatic or legal solution to the Russian Business Network, some Internet service providers have begun walling off their customers from the company.

One security administrator, speaking on condition of anonymity, said that within a few months of blocking the Russian company, his employer found it was saving significant amounts of money by spending less time helping customers clean viruses originating from the Russian Business Network off computers or taking down online scam sites or spam-spewing PCs. "Our instances of spam and infected machines dropped exponentially," he said.

Danny McPherson, chief research officer at Arbor Networks, a Lexington, Mass.-based company that provides network security services to some of the world's largest Internet providers, said most providers shy away from blocking whole networks. Instead, they choose to temporarily block specific problem sites.

"Who decides what the acceptable threshold is for stopping connectivity to an entire network? Also, if you're an AT&T or Verizon and you block access to a sizable portion of the Internet, it's very likely that some consumer rights advocacy group is going to come after you."

The unusually clear-cut case of Russian Business Network, McPherson said, has generated debate between the service providers and the security research community. Many researchers see blocking purely illegal networks as a no-brainer. But blocking problematic networks typically means they merely go to a new place on the Internet, McPherson said.

"At the end of the day," he said, "it only moves the problem somewhere else, when what we really need is for political and regulatory law enforcement to step in."
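The trade-off McPherson describes, blocking an entire network versus blocking individual problem hosts, can be made concrete with a small simulation. The Python below is an added example written for this page, not code from the article, any provider quoted in it, or Arbor Networks; every address range, host and flow record in it is constructed for illustration, since the article names no address space for the Russian Business Network. It scores two blocking policies against a labelled set of customer connections: a per-host blocklist of the kind an abuse desk maintains, and a whole-prefix block of the kind the anonymous administrator describes.

```python
"""Whole-network blocking versus per-host blocking (added example).

All prefixes, hosts and flow records below are hypothetical, constructed
for this illustration; the article gives no address ranges for RBN.
"""
import ipaddress

# Hypothetical prefixes a provider might decide to wall off entirely.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical, documentation range
    ipaddress.ip_network("198.51.100.0/25"),  # hypothetical, documentation range
]

# Hypothetical individual scam/malware hosts named in abuse reports.
BLOCKED_HOSTS = {
    ipaddress.ip_address("203.0.113.17"),
    ipaddress.ip_address("198.51.100.9"),
}


def blocked_by_network(ip: str) -> bool:
    """Whole-network policy: deny anything inside a blocked prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def blocked_by_host(ip: str) -> bool:
    """Per-host policy: deny only addresses explicitly listed."""
    return ipaddress.ip_address(ip) in BLOCKED_HOSTS


# Constructed flow log: (customer source, destination, ground-truth label).
# The label exists only to score the policies; a real provider has no such column.
FLOWS = [
    ("10.0.0.5",  "203.0.113.17",  "phish"),    # host already on the abuse list
    ("10.0.0.6",  "198.51.100.9",  "malware"),  # host already on the abuse list
    ("10.0.0.7",  "203.0.113.140", "phish"),    # scam site moved to a new IP in the same prefix
    ("10.0.0.8",  "203.0.113.200", "legit"),    # innocent site co-located in the blocked prefix
    ("10.0.0.9",  "192.0.2.44",    "phish"),    # scam site moved to a different network entirely
    ("10.0.0.10", "192.0.2.80",    "legit"),    # ordinary traffic, unrelated network
]


def evaluate(policy) -> dict:
    """Score a blocking policy against the labelled flows.

    blocked_bad   - malicious destinations the policy stopped
    missed_bad    - malicious destinations that got through
    blocked_legit - collateral damage: legitimate destinations denied
    allowed_legit - legitimate destinations correctly allowed
    """
    counts = {"blocked_bad": 0, "missed_bad": 0,
              "blocked_legit": 0, "allowed_legit": 0}
    for _src, dst, label in FLOWS:
        blocked = policy(dst)
        if label == "legit":
            counts["blocked_legit" if blocked else "allowed_legit"] += 1
        else:
            counts["blocked_bad" if blocked else "missed_bad"] += 1
    return counts


if __name__ == "__main__":
    for name, policy in (("per-host", blocked_by_host),
                         ("whole-network", blocked_by_network)):
        print(f"{name:14s} {evaluate(policy)}")
```

Run stand-alone, the whole-network policy catches the scam host that moved within the blocked prefix but also denies the innocent co-located site, which is the collateral-damage concern McPherson raises; the per-host policy produces no collateral damage but misses the moved host. Neither policy touches the site that relocated to an unrelated network, which is the "it only moves the problem somewhere else" point.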

Growing numbers of security specialists for several U.S. Internet providers and telecommunications companies say they are done waiting for the cavalry to arrive. "There is never going to be an easy and painless way to combat this problem, mainly because it's been ignored for far too long and been allowed to fester," said the security administrator who did not want to be identified.


© 2007 The Washington Post Company