Fraud

Sanctuaries for Thieves

By Robert Lemos

In April, the Federal Trade Commission, the U.S. agency responsible for protecting consumers, approached a number of security experts looking to answer one question: Had a company known as Triple Fiber Network, or 3FN, become a haven for online crime?

The Shadowserver Foundation, a group of computer security whizzes who track cybercriminals' online activities, searched their database and found that more than 4,500 unique malicious programs used 3FN's servers as central command hubs. The data confirmed that 3FN provided a haven for cybercriminals to reach out to unsuspecting users and steal passwords, compromise their systems and send out spam.

"They were running botnet controllers for spamming and other malicious activity," says André DiMino, co-founder and director of the Shadowserver Foundation. "We had pretty good visibility into what they were doing."

In June, the FTC took legal action, getting a court order to shut down the company's Internet connections without first notifying its owners. Digital thieves who used the service to host the servers that managed their far-flung network of compromised computers, or bots, could no longer contact those systems. Botnets of hundreds of thousands of such systems, responsible for spamming millions of messages a day, suddenly fell quiet.

Yet, pinpointing and turning over the digital rocks under which cybercriminals hide only hinders their illegal activity for a short time, says DiMino. "Unfortunately, they are not going to go away," he says. "They are going to scatter."

Welcome to the world of online crime.

More efficient cybercrime
Like many other online business, cybercriminals look for easier and more efficient ways of operating. Some groups of software developers offer point-and-click programs that create the Trojan horses used to infect victims' systems with software that steals data or sends spam. Other cybercriminal enterprises push fake security software and pay so-called "affiliates" who fool consumers into installing the software.

Rogue online service providers, such as 3FN, offer a haven on the Internet for cyber gangs to host the central computers that manage their criminal enterprises. While, even five years ago, online thieves were creating their own ways to turn compromised computer systems into infrastructure for their illegal businesses, today, they are just as likely to look for a service provider that actively supports illegal activity, or at least will look the other way.

The Russian Business Network is the granddaddy of online hosting networks for criminals. Between 2004 and 2007, the group hosted the computers responsible for a hefty portion of online crime, including an online gang known among researchers as Rock Phish, which used RBN servers to help them reportedly steal nearly $150 million from bank accounts worldwide.

The company's servers -- and it was a company, based in St. Petersburg, Russia -- became the online lair of spammers, digital thieves and child pornographers.

"The Russians established themselves fairly early on in the spamming world, and they were pretty successful in keeping themselves in operation," said Joe Stewart, director of malware research at security firm SecureWorks. "The U.S. centric spammers had to shift their business model -- either comply with the CAN-SPAM Act or ship their operations to a spam provider -- and those are in Russia."

Yet, the Russian Business Network attracted too much attention. An article in The Washington Post resulted in increased pressure on the Russian government and on the service providers that routed Internet traffic to RBN. By late 2007, RBN's facilities were largely disconnected from the Internet.

Yet, the tactics, rather than stop the cybercrime, merely dispersed the activity.

Short-lived success
Many criminal enterprises moved to another provider, known as Atrivo. In September 2008, Atrivo's sole remaining connection to the Internet was cut off by its upstream provider. The takedown, as such tactics are called, had an immediate effect: Malicious activity from the infamous Storm Worm saw a dramatic decline, strongly suggesting that much of the botnets activity was managed from Atrivo's servers.

In November 2008, Internet service provider McColo, another haven for Internet criminal activity, lost its lifeline to the Internet. Spam volumes worldwide dropped by two-thirds overnight.

Such successes do not last, however.

"There was the takedown, there was an immediate drop in spam volume, and then it slowly built backup," says Mark Fossi, executive editor of Symantec's Internet Security Threat Report. "There are so many groups out there that as soon as you take one group down, another one fills the void."

Yet, law enforcement and security experts gained leads on other rogue Internet service providers. The investigation of McColo led federal investigators to link much of the malicious activity on that company's servers to Triple Fiber Network's facilities, when detectives tracking down the source of intrusions into computers at the nation's space agency, NASA, traced the malicious activity back to McColo's network. Following the takedown of McColo, the investigators found online chat logs in Russian on that company's servers. In some of the chat transcripts, managers at 3FN were offering their services to help would-be criminals set up and host their botnets.

When asked if 3FN could host the controller for a botnet of some 20,000 compromised computers, for example, the group's "senior product manager" confirmed it could.

"We can manage it," the manager stated, indicating that the client could expect to earn US$500 per day with such a botnet. E-mail messages sent to 3FN and its parent company Pricewert LLC requesting comment went unanswered.

In June 2009, following its investigation, the Federal Trade Commission convinced a federal judge to shutdown 3FN by forcing its upstream providers to disconnect it from the Internet. Similar to other takedowns, the Internet saw an immediate benefit: Spam from a particularly pernicious botnet, known as Cutwail, dropped to nearly zero for days.

As before, the decrease in criminal activity did not last and spam levels increased soon after. Yet, in every move in the cat-and-mouse game, law enforcement and the security community work more closely together.

"The objective is really to takedown enough of this bad activity so that it becomes more noticeable and for a longer period of time," said Symantec's Fossi. "Each takedown is a learning experience for the good guys."