Slashdot Mirror


Uncooperative Russian ISP Prevents Cisco From Shutting Down Cybercriminal Gang

An anonymous reader writes: Cisco's Talos research team has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with spambots via a malvertising campaign. Their investigation led them back to Russian ISP Eurobyte, who didn't bother answering critical emails and allowed the campaign to go on even today. In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware.

26 of 122 comments

  1. Block all traffic to/from Russia and China. by Anonymous Coward · · Score: 5, Insightful

    I'm pretty sure I would never even notice, and the internet would be a safer place.

    1. Re:Block all traffic to/from Russia and China. by MouseTheLuckyDog · · Score: 2, Funny

      Where is Donald Trump when you need him?

    2. Re:Block all traffic to/from Russia and China. by FatdogHaiku · · Score: 2, Funny

      Where is Donald Trump when you need him?

      Building a wall around the internet... it's gonna be Huuuuuge!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office

    3. Re:Block all traffic to/from Russia and China. by Anonymous Coward · · Score: 5, Interesting

      I run my own firewall and I actually did block, among some other areas, everything East from my country, including Russia. Whole of Asia, Africa, South America and Australia. The average attack attempts to my web servers dropped from hundreds per week to a couple per week. It's also really nice how you can block inbound and outbound or just inbound traffic.

    4. Re:Block all traffic to/from Russia and China. by qeveren · · Score: 2

      I'd miss all the insane dashcam and drunk Russian videos, though. :(

      --
      Don't just stand there, get that other dog!

    5. Re:Block all traffic to/from Russia and China. by Dahamma · · Score: 2

      I'd add: he's good at telling other people to build things with other people's money, so if the first other people screw up, the second other people are the ones losing their shirts, not him.

      That's the key to getting ultra-rich these days, especially on Wall Street - take a profit/bonus when things are good, let someone else take the loss when they are bad. Building something tangible along the way is incidental, and in fact usually just a distraction.

    6. Re:Block all traffic to/from Russia and China. by myowntrueself · · Score: 4, Interesting

      I run my own firewall and I actually did block, among some other areas, everything East from my country, including Russia. Whole of Asia, Africa, South America and Australia. The average attack attempts to my web servers dropped from hundreds per week to a couple per week. It's also really nice how you can block inbound and outbound or just inbound traffic.

      And yet you let through traffic from the USA? The number one source of internet attacks?

      http://www.statista.com/statis...

      --
      In the free world the media isn't government run; the government is media run.

    7. Re:Block all traffic to/from Russia and China. by myowntrueself · · Score: 2

      Irrelevant when his stats proved that his measures are what were needed.

      which the actual stats call into question

      --
      In the free world the media isn't government run; the government is media run.

  2. who made cisco police, judge, and jury? by sittingnut · · Score: 2, Insightful

    cisco is not responsible for policing the net, nor is it legally able to interpret law, and has no power whatsoever to enforce it. this seems to be pure vigilantism at best, and no different from actions of a criminal gang at worst.
    let legitimate law enforcement do their job following due process. if they are behind the times, that's a function of freedom and speed of progress.

    should any one trust cisco? same that allows and cooperates with the illegal surveillance by nsa etc?


  3. Web developers and website owners: by Anonymous Coward · · Score: 2

    Remember this when I leave your website or refuse to turn off my ad blockers.

  4. Holidays by Anonymous Coward · · Score: 4, Informative

    You won't find any Russian business that would respond to inquiries this week (with the exception of employees working from home even though they shouldn't). Reason: all Russians have official holidays that started on January 1 and will end on January 11.

    1. Re:Holidays by Jiro · · Score: 3, Informative

      TFA shows that researching the malware was done during the months of September and October 2015. It seems unlikely they would wait until New Years to contact the ISP.

  5. Adblock folks by Billly+Gates · · Score: 5, Insightful

    I tell everyone I know to use them.

    Advertisers either fix your shit or lose out? If you can't regulate yourselves in regards to 3rd party networks and ethical ads then you will be out of business.

    Fact of the matter is it is too dangerous to run without one. That should go right up there with browsing the net as administrator or root and using IE 6 these days.

    Also for those who say they are safe as long as they don't click or run anything, all I can say is told you so! Open a page with flash and you're 0wned. Simple

  6. Come on by Hognoxious · · Score: 4, Funny

    Russia needs the money. Even the president can't afford a shirt.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."

  7. Good luck with that by mrsam · · Score: 4, Insightful

    Bet a hundred quatloos that this so-called "ISP" are the malware peddlers themselves. Either that, or they know full well who their customers are, and they interpret Cisco's communications as nothing more than a request to shut down a well paying customer.

    This is not a unique phenomenon. This is a fairly common reaction to abuse and spam complaints. You want us to shut down a paying customer? Why would we want to do that?

    The key to effectively deal with network abuse is to make the responsible party understand that it's in their best interest to do that. Otherwise they stand to lose more than they are profiting from network abuse. As long as effective public email blacklists exist, network providers will have to reluctantly terminate their spambags, else their entire network gets blacklisted and they lose more, as their other, non-spamming, pissed-off customers flee to other providers, in order to be able to send mail.

    The same thing here. Presuming that this is a bona fide provider, and not a sock puppet for the malware peddlers, the appropriate step of action is to escalate to their upstream, and attempt to get their cooperation, and have them agree to terminate the circuit to their rogue downstream provider, unless they get rid of the spamware peddlers. And keep escalating upstream, as far as necessary. Now, we're talking Cisco here, right? Well, it shouldn't take long before Cisco ends up talking to someone that uses their hardware in their core business. At this point, it's now going to be up to Cisco to put up and shut up, and inform their customer that unless this is dealt with, they will respectfully decline to renew their own customer's support contracts.

    Could this sequence of events actually come to fruition? Extremely unlikely, but this is the only way to effectively deal with network abuse.
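The comment above describes the mechanism by which a third-party blacklist has teeth: each receiving mail server's operator chooses to consult a DNS-based blacklist (DNSBL) and to refuse connections it lists. The following added example, not part of the original thread and not code from Cisco or from any blacklist operator, shows what that consultation looks like on the receiving side. The zone name `dnsbl.example.invalid`, the return-code meanings and the resolver are all constructed stand-ins; real zones use the same reversed-octet query form and answer from 127.0.0.0/8 but document their own codes.

```python
import ipaddress
from typing import Callable, Optional

# Placeholder zone name (an assumption for this example, not a real DNSBL).
# Real zones use the same reversed-octet query convention.
DNSBL_ZONE = "dnsbl.example.invalid"

# Return-code meanings are assumed for this example; every real zone documents
# its own codes, and all of them live in 127.0.0.0/8.
LISTING_CODES = {
    "127.0.0.2": "spam source",
    "127.0.0.4": "compromised host / open proxy",
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the name a mail server looks up to check whether ip is listed."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


# Constructed stand-in for DNS: maps query names to the A record a listing
# returns. A real MTA would send a DNS query here. Addresses are RFC 5737
# documentation ranges, not real hosts.
FAKE_ZONE = {
    dnsbl_query_name("203.0.113.5"): "127.0.0.2",
    dnsbl_query_name("198.51.100.9"): "127.0.0.4",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


def smtp_policy(client_ip: str,
                resolve: Callable[[str], Optional[str]] = fake_resolve) -> str:
    """Decide, at SMTP connection time, whether to accept mail from client_ip.

    The decision is the receiving operator's own: the zone only publishes a
    listing, and this function chooses to act on it.
    """
    answer = resolve(dnsbl_query_name(client_ip))
    if answer is None:
        return "accept"
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        # An answer outside 127/8 is not a listing. A retired zone that starts
        # wildcarding would answer every query this way; fail open and flag it
        # rather than reject all inbound mail.
        return "accept-warn"
    reason = LISTING_CODES.get(answer, "listed (unknown code)")
    return f"reject 554 5.7.1 {client_ip} listed in {DNSBL_ZONE}: {reason}"


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9", "192.0.2.10"):
        print(ip, "->", smtp_policy(ip))
```

The `accept-warn` branch is the caveat a practitioner wants: a blacklist you delegate to can go stale, and a zone that begins answering every query must not silently turn into a reject-everything rule.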

    1. Re:Good luck with that by Da+w00t · · Score: 2

      Actually, a lot of them aren't paying customers. Well, they do pay, but with fraudulent credit cards, so the ISPs a lot of times are out a wad of cash.

      --
      da w00t. mtfnpy?

    2. Re:Good luck with that by N1AK · · Score: 2

      Of course yes, why the hell go through the worries of having a legal system and legal forces to enact it when we can have some random vigilante telling apart what can and cannot be done.

      I let people into my house based on who I trust, recommendations from trusted sources etc. You might see that as random vigilantism but the government doesn't offer it, nor do I desire it to, provide recommendations on every individual. You don't have a legal right for your emails to reach me etc so why the hell would the legal system be the right place to decide whose emails I should accept.

    3. Re:Good luck with that by mrsam · · Score: 2

      Of course yes, why the hell go through the worries of having a legal system and legal forces to enact it when we can have some random vigilante telling apart what can and cannot be done.

      This phenomenon is called "free speech", perhaps you've heard of it. Anyone is free to say, on their web site, whether a particular sender's email should be accepted or rejected, and why. And it goes without saying that everyone else is free to either agree, or disagree and continue to use their own internal policy for email acceptance or rejectance.

      I have found that these cries of vigilantism tend to come from those who have a peculiar belief that these so-called vigilantes have somehow hacked into millions of email servers worldwide, hijacked them, and reconfigured them to reject email from the targets of those vigilantes' wrath. This is, of course, utter horseshit. The individual owners and operators of all those millions of email servers have specifically and intentionally configured their mail servers to follow the recommended mail acceptance policy of their chosen third-party blacklist. Nobody held a gun to their head, and forced them to do so. They own their email servers. They pay their electricity and bandwidth bills, and they have every right to configure them in whatever way makes them happy.

      And the so-called "legal system" is 100% behind them. Fortunately, at least in the Western world, private property rights still enjoy 100% backing of the legal system. I have never read of any legal decision, that survived an appeal, which forced the owner of the email server to accept or reject email from anyone they wish, for whatever reason pleases them, and on whatever it was based on. Quite the opposite -- there's actually established case law that determined that privately-owned Internet providers are free to blacklist anyone, and for any reason, which includes third-party blacklists, which I'll be happy to cite.

      That is the cold, hard truth: nobody has a civil right to email anyone, and every other privately-owned email server operator is free to refuse to accept email from anyone, for any reason. Whether it was due to their own decision, or by delegating this decision to a third-party blacklist. That delegation, after all, is still their own decision to make. Like I said, it is their email server, and they have full control of it. And if they decide to delegate some control over their email server to a third party, they are 100% within their rights to do so. And neither you, nor any other spamming parasite, can do anything about it.

  8. Re:Block their asses by Opportunist · · Score: 2

    What did Canada do to end up on that list?

    The only thing I can see in common in those three is that they consistently whoop the US's ass in ice hockey.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  9. Re:Corruptionstan... by Thor+Ablestar · · Score: 3, Funny

    If you cannot contact an ISP, you can contact Roskomnadzor. If you cannot contact Roskomnadzor you can always contact the FSB (KGB) because it's the FSB that ultimately manages our information security and is basically somehow immune to bribes. Especially if you are Cisco.

  10. Re:Bulletproof hosting by Thor+Ablestar · · Score: 2

    It does not matter what it hosts, be it CP, Mein Kampf or just a botnet. It either cooperates with Roskomnadzor, FSB and Department R (Or maybe K, I cannot remember) in catching or at least suppression of criminals, or loses its license.

  11. Email - or spam? by petes_PoV · · Score: 3, Insightful

    who didn't bother answering critical emails

    I don't answer critical emails either. However, if you send me nice ones, or polite ones I might even read them.

    You'd think that if this was something SERIOUS for Cisco, they'd at least bother to pick up the phone - maybe even go to the effort of finding someone who spoke Russian. As it is, this outfit, like everyone else on the planet, probably gets spammed senseless. Especially through public email addresses. Who can blame someone for ignoring emails from unsolicited sources?

    To sum up, this sounds like the lazy excuse of an indolent individual: Why haven't you done X? asks the boss. "Well I sent them an email, but they never replied" whines the guy who just wants to get back to playing Facebook.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons

  12. Re:There is a saying in Russia by Opportunist · · Score: 2

    It's heartwarming to see that Russia and the US share some traits at least.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  13. Re:It's not their job to police their customers by Dahamma · · Score: 3

    Cisco would be better suing the ISP for the sites details, and then suing the site owners in the court.

    In Russian courts. Good luck with that. The hackers are probably protected and/or financed by the Russian mafia, which means they are effectively protected by the Russian government.

    They are better off convincing US or EU organizations the ISP is refusing to shut down known criminals, and getting the ISP blocked from Western countries/ISPs. Like most things of this nature, morality and politics are useless, it's only going to be fixed when it affects their wallet...

  14. 46.30.40.0/21 by Dynamoo · · Score: 2

    Curiously enough, I am just running an analysis of several thousand domains hosted by Eurobyte. My preliminary data on about 7500 domains currently or historically hosted by this block is that 35% of them are tagged by Google as being malicious in some way. I'm guessing that most of the others are also malicious, but they haven't been tagged.

    Eurobyte operate a fairly big block rented from Webazilla, which is 46.30.40.0/21, and I recommend that you block traffic to that entire lot. But a lot of Webazilla's other customers are pretty shitty too. I don't think you'd miss much if you blocked traffic to the entire AS35415.

    --
    Never email donotemail@WeAreSpammers.com

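Two commenters in this thread block traffic by address range: the firewall owner in comment 3 who blocked whole regions and measured the drop in attack attempts against his web servers, and Dynamoo above, who recommends dropping the 46.30.40.0/21 block. The following added example (not from the thread, not Cisco's or Dynamoo's tooling) shows the mechanics behind both: a CIDR blocklist, a triage pass over web-server access-log lines that counts how many requests each blocked range accounts for, and the corresponding iptables rules for inbound-only or bidirectional blocking. The 46.30.40.0/21 prefix comes from the comment; the second range, the log lines and the addresses in them are constructed from RFC 5737 documentation space.

```python
import ipaddress
import re
from collections import Counter

# Constructed blocklist. 46.30.40.0/21 is the block named in the comment above;
# 198.51.100.0/24 is an RFC 5737 documentation range standing in for a
# country-level allocation of the kind the geo-blocking commenter used.
# Prefix-to-country and prefix-to-AS mappings change, so a production list must
# be regenerated from current RIR/BGP data rather than hard-coded like this.
BLOCKED_RANGES = [
    ipaddress.ip_network("46.30.40.0/21"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Common Log Format: client IP, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Constructed access-log lines (documentation addresses; not real traffic).
SAMPLE_LOG = [
    '46.30.42.17 - - [05/Jan/2016:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162',
    '198.51.100.23 - - [05/Jan/2016:10:01:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162',
    '192.0.2.44 - - [05/Jan/2016:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '46.30.47.255 - - [05/Jan/2016:10:03:11 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162',
    '46.30.48.1 - - [05/Jan/2016:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 5123',
]


def matching_range(ip):
    """Return the blocked network containing ip, or None (also for unparsable input)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in BLOCKED_RANGES:
        if addr in net:  # False for a version mismatch (IPv6 client, IPv4 range)
            return net
    return None


def is_blocked(ip):
    return matching_range(ip) is not None


def triage_log(lines):
    """Count hits per blocked range and return the lines no range matched."""
    hits = Counter()
    unmatched = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; this example skips such lines
        net = matching_range(m.group("ip"))
        if net is None:
            unmatched.append(line)
        else:
            hits[str(net)] += 1
    return hits, unmatched


def iptables_rules(inbound_only=True):
    """Render the blocklist as iptables commands.

    inbound_only=True drops only packets arriving from the ranges (the
    "just inbound" option the commenter mentions); False also drops what
    this host sends to them.
    """
    rules = []
    for net in BLOCKED_RANGES:
        rules.append(f"iptables -A INPUT -s {net} -j DROP")
        if not inbound_only:
            rules.append(f"iptables -A OUTPUT -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    hits, rest = triage_log(SAMPLE_LOG)
    for net, n in hits.items():
        print(f"{net}: {n} request(s) from blocked range")
    print(f"{len(rest)} request(s) from unblocked sources")
    print("\n".join(iptables_rules(inbound_only=False)))
```

Note that 46.30.47.255 is the last address inside the /21 while 46.30.48.1 falls just outside it, which is why the triage leaves two lines unmatched. Blocking a whole AS such as AS35415, as the comment suggests, needs the same machinery fed with that AS's currently announced prefixes from a BGP source, and those announcements change over time.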
  15. It's called bulletproof hosting by drolli · · Score: 2

    and nothing new. You pay a little premium not to be disconnected as soon as somebody sends a legal request. Not reacting to something like that is what their customer pays for.