The Russian Business Network – a group of Russian cybercriminals who some blame for 60% of all internet crime – appears to have gone to ground. But, asks Peter Warren, has it really disappeared?
A curious game of cat and mouse is being played out on the internet, as high-tech hunters close in on a group of Russian cybercriminals known as the Russian Business Network, or in the acronyms so beloved of thriller writers, the RBN.
Indeed, in scenes reminiscent of Cold War hunts for Russian submarines, the chase started a week ago when the RBN – a Russian ISP alleged to be behind much of today’s web crime – slipped its internet moorings in the Baltic coastal city of St Petersburg and made for servers in China.
But the Russian cybercriminals attempts nine days ago to hide in China behind a hastily formed Italian front company failed.
Only a day after setting up in its new home, the sites run by the RBN – which specialises in identity theft, denial of service, phishing, computer extortion and child pornography – vanished from the web. Since then sightings have been few and far between.
But does that mean the RBN has gone?
And does it matter?
Showing on the radar
According to experts from Team Cymru, a research group specialising in internet crime, the Russian cybercriminals are linked to around 60% of all cybercrime. But recently the RBN started to attract some unwelcome attention from bloggers and the US media, forcing it to try to vanish from view.
“The RBN’s notorious IP blocks [of web addresses] in Russia are still gone, but we see other things popping up elsewhere around the world which we believe may be related to their efforts to relocate their ‘services’,” says Paul Ferguson of computer security company Trend Micro.
“It is still too early to make any determinations with any certainty – we believe they are diversifying their operations to better hide. I don’t expect them to suddenly reappear and be easily tracked.”
Russian underworld
But now there is almost a spin-off industry tracking RBN – such as the blog at rbnexploit.blogspot.com, which details sites used by the RBN and its exploits, and it and a host of vigilantes are now dogging the group’s footsteps.
On the face of it the Russian Business Network, launched by young computer science graduates, sounds like any other high-tech company offering web hosting and other services. In the US, young entrepreneurs from similar backgrounds launched Google and eBay. But the RBN is a little darker.
Go onto Russian underworld servers and you enter an emporium of crime, with lists of looted documents, stolen identities and hijacked computers already assembled into botnets (see Rise of the botnets, below), with almost all of it linked in some way to RBN. “We scanned its entire netblock [of internet addresses registered to the company] and we did not find one legitimate business,” says one researcher. Yet RBN was founded and is run by techies, not career criminals.
The slide into crime
“For a lot of the Russian techies [crime] became very lucrative,” says Dr Mark Galeotti, director of the Organised Russian and Eurasian Crime Research Unit at Keele University. “They began to recruit top graduates from universities who could earn 10 times what they would get in Russia and twice what they would get in the west.”
According to internet security company Verisign, which in June published an extensive investigation into the Russian cybercriminals (tinyurl.com/ywvgpg), RBN was registered as an internet site in 2006.
Initially, much of its activity was legitimate. But appparently the founders soon discovered that it was more profitable to host illegitimate activities and started hiring its services to criminals. Verisign says simply that it is now “entirely illegal”. Since then its activities have been monitored by a number of organisations, including the London-based anti-spam group Spamhaus.
“RBN is among the world’s worst spammer, child-pornography, malware, phishing and cybercrime hosting networks,” says a spokesman. “It provides ‘bulletproof’ hosting, but is probably involved in the crime too.”
Infected PCs for hire
Bulletproof hosting is hosting that cannot be taken down, but it comes at a cost – “around £300 a month, 10 times the normal market price, which makes them unattractive to normal businesses,” says Bradley Anstis of the computer security company Marshal Ltd.
There’s a whole economy within. Want to buy 1,000 software uploads for a UK website that will infect the computers of those visiting? They will cost around $380 (£160) – 38 cents each. But then you can rent those infected computers – known as bots – to third parties for 13 cents a day.
Frequently, the spam emails sent out for the fake bank and financial services sites involved in phishing point back to RBN servers. And data culled from phishing attacks and IDs stolen from compromised computers are sent to RBN drop sites, as are stolen documents, which are stored ready for sale.
The RBN also offers a safe haven for the intellectual property of cybercriminals – the spyware, trojans and botnet command and control systems. For a fee, allegedly, it will also launder money.
Indeed, what is striking is its sheer professionalism. “You now see people stressing that for $200 an hour you will get a good, reliably hosted botnet,” says Maksym Schipka of Messagelabs, which monitors spam traffic. “When they are renting you bots they advertise the fact that they are checked every five minutes and that the network is 99% reliable.”
The RBN allows cybercriminals time to work on their products without having to worry about getting their doors kicked down. But in Russia, that almost certainly needs some sort of political protection.
Political links
It is thought that the RBN’s leader and creator, a 24-year-old known as Flyman, is the nephew of a powerful and well-connected Russian politician. Flyman is alleged to have turned the RBN towards its criminal market.
But the recent publicity could threaten their position; clients whose past activities have attracted attention have been made to pay for it in increased fees.
The RBN has also sought to mask its activities behind a web of other companies, and has been trying to play down its Russian links, but is hampered by its own brand name. “They’re probably now kicking themselves for calling themselves ‘Russian’,” Galeotti says.
A spokesman for the Russian Embassy at first denied any knowledge of the RBN, then suggested that the Russian cybercriminals were actually based in England.
“There is not much concern among the Russian police about RBN,” says a researcher from Verisign. “Hackers are bad-arse freedom fighters who are putting it to fat westerners with too much money, and that’s not seen as a bad thing.”
As the Verisign report wearily concludes: “Undoubtedly, barring some major international law enforcement effort, this trend [to illegal activity] is likely to continue indefinitely.” But whatever made RBN vanish, it wasn’t a legal crackdown.
