Clarification to This Article
This story was updated from an earlier version to clarify McColo's role in hosting of suspicious sites.

Host of Internet Spam Groups Is Cut Off


Researchers have found that on any given day, about half of all spam sent through the top botnets consists of ads for male enhancement products and other knockoff designer drugs, and that a fair number of the online pharmacy sites linked in those spam messages were hosted at McColo.


Last month, the Federal Trade Commission convinced a U.S. district court to seize the assets of an international spam network selling counterfeit prescription drugs, a network Spamhaus identified as the largest "spam gang" in the world. The spammers allegedly used the Mega-D botnet, which is capable of sending 10 billion e-mail messages each day.

Jart Armin, a private security researcher who documented the activity at McColo in a report published today, said McColo is currently hosting at least 40 different child pornography Web sites or sites that collect payment for the illicit content -- and that traffic analysis showed that one of the sites garnered between 15,000 and 25,000 visitors each day.

Ian Amit, director of security research for Aladdin Knowledge Systems, an Israeli security intelligence firm, said cyber criminals have for many months used servers at McColo to manage Web sites that push out new versions of the "Torpig," or "Sinowal" Trojan horse program, which is widely considered one of the stealthiest and most sophisticated families of malicious software in existence today.

In October, RSA FraudAction Research Lab learned that a single cyber crime group had used the Torpig Trojan to steal more than a half million bank, credit and debit card accounts from infected PCs over the past two-and-a-half years.

Amit said he found that recent Torpig attacks were being coordinated out of a Web server in Florida, which in turn was controlled by a VPN server running at McColo. Aladdin's findings were mirrored by those of researchers at iDefense, a security firm in Sterling, Va.

"We traced back the management connections, and found that the criminals were logged into the attack server in Florida using connections from McColo," Amit said.

Over the past year, media attention paid to Internet service providers and hosting companies that were profiting from cyber crime activity forced two of the most notorious networks underground or off the Web entirely.

Late last year, stories published by washingtonpost.com and elsewhere about criminal activity and child pornography at the St. Petersburg-based Russian Business Network (RBN) caused the hosting company's upstream Internet providers to cease routing traffic for the company. The same thing happened in September, when upstream Internet providers pulled the plug on Northern California-based Intercage following media reports about the level of cyber-crime activity emanating from its network.

But some security experts worry that if major Internet providers similarly shun McColo, it will only make the criminals and their activities harder to track and to block. Stewart, of SecureWorks, notes that in the case of the RBN, the company's clients didn't really go away, but instead simply dispersed their operations to less concentrated areas of the Internet.

"Everything will just be more spread out and harder to mitigate," Stewart said. "We rather like knowing where the bad activity is coming from, so protecting our networks is easier."

Jon Praed, founder of the Internet Law Group in Arlington, Va., and an attorney who has pursued spammers in cases filed by some of the nation's largest ISPs, said many security companies do not want safe havens to go away because it merely forces those companies to work harder to find the cyber-crime intelligence that powers their businesses. What's more, he said, if enough Internet providers begin severing ties with known sources of illegal activity, the cyber-criminal groups will be increasingly forced into a smaller number of areas on the Internet, ultimately increasing their costs and making them easier to isolate, identify and block.

"Good network providers are going to have to step up and separate themselves from these providers who are increasingly dependent on criminal operations," Praed said. "The fact that McColo, a virtual den of iniquity, is able to survive into 2008 in the United States is a willful sign that we haven't yet begun the job of driving these operations to places where we can begin to curtail their existence."




© 2008 Washingtonpost.Newsweek Interactive