standin
06-05-2009, 02:43 PM
FTC persuades court to shutter rogue ISP
Robert Lemos, SecurityFocus 2009-06-05
A federal district court in San Jose shut down an alleged rogue Internet service provider, after the Federal Trade Commission documented the ISP's cooperation with online criminals and child pornographers, the agency announced on Thursday.
The takedown of the Internet service provider, Triple Fiber Network, comes after a months-long investigation by the FTC in collaboration with other government agencies and industry. The court ordered the ISP's upstream providers on Tuesday to disconnect Triple Fiber Network from their systems, cutting it off from the Internet, without notifying the company.
The FTC's complaint (http://www.ftc.gov/opa/2009/06/3fn.shtm) against Triple Fiber Network, and its Belize-based parent company Pricewert LLC, states that the ISP hosted little legitimate content, instead selling its services to botnet operators, phishing scammers, and child pornographers.
“These guys operate under a rock, and when you turn over the rock, they are not just going to go away ... they are going to scatter.” — André DiMino, co-founder and director, Shadowserver Foundation
The takedown is an unprecedented move by the FTC and marks an escalation of the government and security community's investigations of the Internet service providers that facilitate online crime. Last September, the upstream providers of rogue ISP Atrivo cut off the rogue ISP from the Internet (http://voices.washingtonpost.com/securityfix/2008/09/internet_shuns_us_based_isp_am.html), after security researchers offered up significant evidence of the company's wrongdoing. Two months later, the scenario repeated: This time, upstream providers for rogue ISP McColo cut off the haven for online criminals (http://www.securityfocus.com/brief/855) after reporter Brian Krebs documented evidence against the company. The volume of spam on the Internet immediately dropped to a third (http://www.securityfocus.com/brief/938) of its previous levels, and it took almost a half year for online scammers to recover.
"Pricewert is fully aware that it is hosting huge volumes of illegal, malicious, and harmful content," the FTC argues in its complaint filed with the court. "Moreover, Pricewert actively shields its criminal clientele by either ignoring takedown requests issued by the online security community or shifting its criminal clients to other Internet protocol addresses controlled by Pricewert so that they may evade detection."
The latest takedown came after an in-depth investigation of Triple Fiber Network by the Federal Trade Commission, which brought in experts from NASA's Office of Inspector General, the National Center for Missing and Exploited Children, and researchers at the University of Alabama, the Shadowserver Foundation, the Spamhaus Project, and Symantec, the owner of SecurityFocus.
"It is groundbreaking that the FTC would present and package such a good case for the takedown," said André DiMino, co-founder and director of the Shadowserver Foundation. "They did their homework."
The FTC approached DiMino in April to help document the amount of malicious activity originating from IP addresses belonging to Triple Fiber Network. DiMino found that the company — which also uses the names 3FN, APS Telecom, APX Telecom, and APS Communications — hosted the command-and-control servers for more than 4,576 unique malicious software programs. In addition, more than 311 unique IP addresses owned by 3FN were involved in malicious activity, according to Shadowserver's database.
The ISP hosted the command-and-control servers for the Cutwail botnet, among others, according to the security firm Symantec. The security company found more than 600 IP addresses controlled by 3FN that were also launching attacks.
"The attacks we saw ran the gauntlet," said Vincent Weafer, vice president of Symantec's Security Response group. "A lot of attack activity, a lot of denial-of-service attacks, and botnet activity."
A NASA special agent, Sean Zadig, initially traced the malicious activity to 3FN during an investigation into attacks on the U.S. space administration's networks. The trail initially led to servers owned by McColo, the rogue Internet service provider taken down in November 2008. Zadig received a search warrant for the contents of McColo's servers and found connections between McColo and 3FN, including ICQ message logs of conversations in Russian between customers and the owners of two 3FN accounts, labeled "Head of Programming Department" and "Senior Project Manager".
In one exchange, documented in the court filing, a customer asks 3FN's Senior Project Manager whether they can host a botnet of 20,000 compromised computers aimed at committing click fraud.
"Well, we can manage it," 3FN's Senior Project Manager stated. "To earn 500 USD per day you need to have 20 000 clicks approx."
SecurityFocus requested an interview with Pricewert through e-mail, but the company did not reply. A call to a number listed in several press releases was answered by a man with an Eastern European accent, who stated that the company would not provide comment.
Both Symantec's Weafer and Shadowserver's DiMino predicted far less of an impact from the takedown than what had been witnessed when McColo was disconnected from the Internet. The scammers and online criminals that use rogue ISPs likely learned not to rely on any single hosting provider, DiMino said.
"These guys operate under a rock, and when you turn over the rock, they are not just going to go away," he said. "Unfortunately, they're not going away — they are going to scatter."
If you have tips or insights on this topic, please contact SecurityFocus. (news-editor@securityfocus.com)
FTC persuades court to shutter rogue ISP (http://www.securityfocus.com/news/11552/1)