Legitimate ISP a Cover-up For a Cybercrime Network
ezabi writes "TrendWatch, the malware research arm of TrendMicro, has posted a white paper titled 'A Cybercrime Hub' (PDF, summary here) describing the activities of an Estonian ISP acting as a cover-up for a large cybercrime network. It's involved with malware distribution and DNS hijacking, which leads to credit card fraud. The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies? Note that they are represented legitimately and are offering real services like any other internet company."
Look up the mafia and trash collection.
"As God is my witness, I thought turkeys could fly." A. Carlson
DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed. Then there's not really much they can do, besides just dropping all your connections.
Use common sense!
Here I was thinking that this article would be about Comcast, but then I remembered that Comcast is just the regular kind of fraud. Over-promising and under-delivering...
Anywho, this is kind of scary, but not in an internet-scary kind of way, but instead in a crime-can-be-all-around-you kind of way. Imagine if a restaurant was a front for a crime hub, i.e. skimming credit card and checking info; they would have access to people's financials, but in a much more limited sense. Although it would be interesting if the ISP didn't skim from its own customers, but instead used them to poison DNS stuff and the like. "Install our connection software! Welcome to our botnet, live long and prosper!"
Man in the middle attacks have a classic solution: Encryption and non-repudiation in the authentication protocols. Encrypt everything between the client and server (as IPv6 allows for) and the amount of damage a rogue ISP can do (or any peer point) is greatly reduced.
Did you even read the whitepaper?
The director of the Estonian company has been convicted for credit card fraud but he was still able to build a network of companies in Europe and in the United States
For instance, a Web developer who joined the company in 2008 proudly published a portfolio containing sites that he developed during his employ. This is a natural thing to do for a Web developer. In this case, however, his portfolio consisted not only of corporate websites but also of websites that have been used to lure Internet users to install Trojans that posed as helpful software such as video codecs and file compression software.
The whitepaper is totally different from what you tried to portray, even on the first page. Your post is obviously an attempt at a cover-up, presuming most people won't read the PDF.
And the summary is also totally different. It tries to make it sound like this is some credit card fraud operation or they're having huge botnets, while in fact it is a normal adware company which follows Estonian laws.
It appears to be a normal adware company which follows Estonian laws and is very quick with the astroturf...
So it is allowed by Estonian laws to install trojans on the computers of unsuspecting victims, to redirect accesses to legitimate sites through DNS redirection to unrelated sites, to claim bogus virus infection on fake versions of legitimate sites and offer expensive fake "antivirus" software as "cure"?
Why do you think the 50+ people published their jobs in portfolios, are acting all open and have PR persons if it was all an illegal operation? That would be just stupid. The actual news here is how antivirus companies are doing promotion for themselves this way. This is just marketing at the cost of other people who work legitimately. Adware is still a legit business when done according to laws, even if people hate it.
From a US perspective: without network neutrality, this is all legal.
Page 8 of the PDF shows CNN.COM with an advertisement replaced. What stops them from replacing the content of the articles? Page 10 shows how they hacked Google results. What keeps them from changing those results to filter articles on politics, religion, gender issues, laws...
Yes, adware is bad too, but it's legal, and calling adware companies cybercriminals is going to bring some lawsuits.
Others have addressed the actual legality, but I want to address this anyway. I don't think we should refrain from calling bad guys "bad." Whether or not some asshole skates around laws faster than Estonia can make them (or outright bribes/lobbies lawmakers to keep what he's doing legal), or whether or not a particular asshole gets litigious for calling him an asshole, they're still an asshole. In fact, they're even bigger assholes if they bend laws and sue over it.
When such advertising includes blatant fraud, it is illegal in any civilized country.
Give me a break! Frankly, I'm not sure why they've even bothered to obscure the identity of the company concerned since it's pretty much obvious to anyone who follows IT security news that they are talking about EstDomains and Vladimir Tsastsin. Try punching those into Google or whatever and you'll see this goes way beyond being just an "adware company".
I though "legitimate business" and "front for crime syndicate" were mutually exclusive.
I find the use of a good filtered DNS service that blacklists malware URLs upon discovery goes a long way towards limiting my exposure to this.
OpenDNS or ScrubIT works well. The only downside is they are often the target of DoS attacks, so their uptimes are limited. Be prepared to switch DNS settings when the "Internet" goes down. Most of my frequent sites I keep in my local hosts file, so even if DNS goes down or DNS is hijacked, the link to my banking is still valid.
Running as a normal user, I can't be tricked into editing my hosts file. I don't have the privileges.
Links:
OpenDNS http://www.opendns.com/
ScrubIT http://www.scrubit.com/
First: I'm Estonian and maybe not objective. But, in my opinion, this "research" is a little bit inflammatory. I didn't count, but if every third word is "Estonian" or "Estonia" or "Tartu", then this looks like "oww, look at those foreign, maybe Russian, cybercriminals!". Anyway, this is an old and dead horse that gets beaten, this infamous EstDomains a.k.a. Rove Digital (if anybody wants proof, look at Figure 1 in the PDF and compare rovedigital.com). This article tries to make the impression that in Estonia this ISP is a legal or somewhat "known and normal" business. In fact, I never heard about those guys before the first scandals and court case; I'm afraid they don't have much business (legal or other kind) in Estonia.
I for one welcome our new Cybercriminal Tartu Overlords ...
(Especially since they have to be within a 3 mile radius from me, being in Tartu as well)
AC was probably illegitimate so he probably can't recognize a legitimate business. It also sounds like AC might have been an investor or an officer in the company. LMAOA
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
This is a perfect example of what kind of great "innovations" happen when you have Big Gubment stand aside and let the Free Market do whatever it wants.
It seems Mr. Tsastsin has a rather colorful past, and is no stranger to organized crime. According to the local court and news media, he was recently sentenced to three years in an Estonian prison after being found guilty of credit card fraud, document forgery, and money laundering.
If you happen to be Tsastsin's wife, I can understand that you'd like to stick up for his "good name". Maybe you feel that you need to do so, for the kids.
But, the bastard is a criminal bastard. Your astroturfing won't change the fact.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
What security measures should be taken to prevent normal users from falling victim to such malicious bodies?
I think a massive DOS attack will teach these Estonian bastards! Oh wait..
http://www.rovedigital.com/
OpenDNS has yet to have a service outage. Their massive redundancy has prevented that from happening thus far. BTW, I'm not associated with them in any way, other than being a happy user.
This all resolves to a complete lack of accountability. The IANA requires that site owners respond to abuse e-mails, but then who checks the ISP? Or what if the ISP doesn't care because they are making revenue off the hackers? Much less this case where the ISP is the hacker! The IANA needs a protocol for revoking the IP ranges of any ISP that allows abuse OR does not respond to abuse. Currently, there is no reasonable method to deal with an abuser if their ISP is unwilling to act, and no method for forcing the ISP to act. All a malicious user has to do is stand behind a non-responsive ISP...
Hey, look, AC just started his philosophy class!
Your argument would be better applied to a more complex case of right vs. wrong, such as more legitimate online advertisers. But we're not talking about that; these people are scum. Furthermore, this is /. where the general consensus is that adware and the people who make it are scum. Addressing the morality of adware would be preaching to the choir and would be beside the point. Lastly, I did NOT claim it was fact. Was it not obvious enough this is my opinion? If you're worried that people might read that and confuse it with fact, rest assured that such people are incapable of plugging a computer into the wall, and would not be reading it.
It's involved with malware distribution and DNS hijacking, which leads to credit card fraud.
I did find it funny that they say this; just because it's *possible* doesn't mean they'd do such. Surprisingly, Comcast and other ISPs have been starting to do DNS hijacking, so does it mean they are doing credit card fraud?
Comcast and other ISPs have been doing NX-record hijacking, not straight-up DNS hijacking. While NX-record hijacking is a bad practice because of problems it causes with other networking practices, it is not malicious. NX-record hijacking is where an address cannot be found, so they reply with a search site to help the user. DNS hijacking normally refers to hijacking requests for valid domains and pointing them to their own servers. This can lead to phishing sites that appear to be a valid domain.
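The distinction drawn above (a resolver that synthesises an answer for a name that does not exist, versus one that answers a real name with an address of its own choosing) can be tested from the client side. The following is an added example, not code from the thread or from the TrendMicro paper: it builds and parses raw DNS packets so that constructed responses can be classified offline, and includes a live probe function that is only used if you point it at a real resolver. The probe zone, the addresses (taken from the 192.0.2.0/24 documentation range) and the idea of an out-of-band "expected" address list for a real name are assumptions for illustration.

```python
import os
import socket
import struct

# Added example, not from the original page. Distinguishes NX-record hijacking
# (an A record for a name that cannot exist) from DNS hijacking (a real name
# answered with an address outside a known-good set). Names and addresses are
# constructed; 192.0.2.0/24 is the documentation range, not a real host.

NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels (RFC 1035 3.1)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive query (RD=1) with one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(txid, qname, rcode, ips, ttl=60):
    """Constructed resolver reply: RCODE plus zero or more A records for qname."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = struct.pack(">HHHHHH", txid, flags, 1, len(ips), 0, 0)
    body = encode_name(qname) + struct.pack(">HH", 1, 1)
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4)
        body += bytes(int(o) for o in ip.split("."))
    return header + body


def _read_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(buf):
    """Return (rcode, [A record addresses]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(buf, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _, off = _read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return flags & 0xF, answers


def classify(rcode, answers, expected=None):
    """expected=None: query was a random label, so only NXDOMAIN is honest.
    expected=[...]: query was a real name whose addresses come from an
    out-of-band source (assumption); an answer outside that set is the
    DNS-hijacking pattern."""
    if expected is None:
        if rcode == NXDOMAIN and not answers:
            return "honest"
        if rcode == 0 and answers:
            return "nx-hijack"
        return "unexpected"
    if rcode == 0 and answers and set(answers) <= set(expected):
        return "honest"
    if rcode == 0 and answers:
        return "dns-hijack"
    return "unexpected"


def random_probe_name(zone="example.com"):
    """A label no zone should have, used to test for NX-record hijacking."""
    return os.urandom(6).hex() + "." + zone


def query_resolver(resolver_ip, name, timeout=2.0):
    """Live check against one resolver over UDP (needs network; not used offline)."""
    txid = struct.unpack(">H", os.urandom(2))[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid=txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    if struct.unpack(">H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch: possible spoofed reply")
    return parse_response(data)


if __name__ == "__main__":
    probe = random_probe_name()
    print(classify(*parse_response(build_response(1, probe, NXDOMAIN, []))))        # honest
    print(classify(*parse_response(build_response(1, probe, 0, ["192.0.2.50"]))))  # nx-hijack
    reply = build_response(2, "www.example.com", 0, ["192.0.2.99"])
    print(classify(*parse_response(reply), expected=["192.0.2.10"]))               # dns-hijack
```

The first probe is the cheap one: send a query for a label that cannot exist and see whether the resolver admits it. The second needs a trustworthy address list for the real name, which is exactly what the DNSSEC suggestion earlier in the thread is meant to supply; without it, a client cannot tell a hijacked answer from a legitimate change of hosting.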
Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
Authentication protocols like PKI that use encryption would make many sources of malware unambiguous. That pretty much leaves email and discs as the only malware carriers that are hard to track.
Are you being treated for some condition that we should know about?
I totally came in here expecting this to be about Comcast. I feel like I'm being robbed every month when I pay my bill.
Certainly most of the employees wouldn't know that their actual work is used to serve illegitimate activities, otherwise they wouldn't include it in their CVs. How would a web developer know that the site he's working on is promoting a fake product? If you look for more details of the activity elsewhere, you would find that these people's ultimate goal was to drive users to a form where they would gladly submit their personal and credit card details. TrendWatch wouldn't clearly explain such activities in its white paper for obvious reasons.
Security professionals would understand the meaning behind the attack.
I run a P3 700MHz, 512MB RAM box with dnsmasq and a proper hosts file on said server. I have a Comcast connection, but I believe Comcast isn't filtering NX records in Florida yet?
DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed.
Actually, once the bad guys have installed malware on your PC, it's pretty much game over. DNSSEC won't help you, and SSL won't help you: they are designed to thwart man-in-the-middle attacks, not man-in-the-endpoint attacks. If your PC is compromised, the DLL that performs DNSSEC or SSL verification can also be compromised. We don't really have a security model to deal with man-in-the-endpoint attacks, other than things like two-factor (or n-factor) authentication which work because one of the two (or n) communications channels isn't compromised by the bad guys.
We're the USA. Why don't we just bomb Estonia?
We've bombed a lot of countries for a heck of a lot less.
I didn't know that, but I agree it is pointless to cover it up unless it was done for PR reasons. The content of the pages in the screenshots is unique, so searching for them with Google or any other search engine will bring up the sites. It's pretty easy to find out blurred names even if you don't follow IT security news.
For those interested, check out some info about the RBN (Russian Business Network), which was organized around an ISP in St. Petersburg; this was a really big operation.
This report lacks some detailed information about the ISP, e.g. which ASes are involved, etc., so one can just react and put them into a DROP list or do AS-path filtering. If it's an ISP with a known AS, you (your ISP) can react.
I was just wondering in Figure 6 of the PDF where is step 5?