Tuesday, September 16, 2008

EstDomains and Intercage VS Cybercrime

Surreal, especially when you get to read that EstDomains has "ruthlessly suspended over five thousand domains only for last week", and also, that it "has a reliable ally in its battle against malware in a face of Intercage, Inc".

Here's the press release :

"The EstDomains, Inc management does not deny the fact that no one is secured from having a customer who uses provided services for delinquent purposes. But it must be noted that the carefully planned infrastructure of EstDomains, Inc makes the special provision for the cases of malware distribution that may originate from the domain name registered under the company's name. Such domain names are suspended immediately along with domain holder's account if there is an evidence of malware presence on the web site. According to the most recent statistics over five thousand domain names were detected and ruthlessly suspended by EstDomains, Inc specialists only last week.

The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance.

The press release reminds me of RBN's defacement of my blog posted on the 1st of April, and despite that EstDomains started "performing for the community" as of recently, thanks to the collective intelligence and persistence of everyone turning their research into actionable intelligence against them, this performance aiming to minimize the effect of the negative PR is more or less futile considering all the cybercrime activities that they've been tolerating or ignoring for the past couple of years. For future generations to see, this is how EstDomains "performs for the community" :

"We've suspended all the domains listed in this topic. But please don't make posting these domains on this forum a habit. We have a 24/7 online tech support which can be contacted at https://support.estdomains.com

Best regards,
EstDomains Team 

EstMate says : Ihatemondayand.com and antispycheck.com - both suspended. If any of the suspended websites are still active to you it maybe be because of your computer's or ISP's DNS-cache, others won't be able to access these websites

googlescanners-360.com isn't registered with us. As for other domains, the ones, which were registered through us, have been suspended. Regarding our preventive measures, the fact that you don't see them doesn't mean there isn't any. Yes, we don't write about them but in most cases we suspend whole accounts with problematic domains and look for connections to other accounts etc. During the last week we've suspended over 15000 different domains."

What's more disturbing regarding this particular domain registrar is that it's a U.S based operation, namely, using the lack of international cybercrime cooperation as an excuse for not taking actions earlier doesn't fit into the picture. Moreover, this is just the tip of the iceberg, and taking into consideration a personal mentality that the cybercriminals you know are better than the cybercriminals you don't know, the RBN or any of its "leftovers" aren't fully taking advantage of the tactics they could be using in order to make it harder to shut them down, but how come? Simply, they don't have to put extra efforts and would once again remain online for years to come, which is perhaps more disturbing at the first place.

What in the world is the Russian Business Network, is it still alive and kicking, are the same people that used to maintain my favorite netblock ever, still the ones running it, and what tactics are they taking advantage of in order to make it harder for the community to establish direct links with a particular netblock and the RBN itself?

With RBN's "leftovers" -- InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh -- making headlines just like the way it should be, what I've been researching for the past couple of months is how they've migrated from the centralized hosting provider to what appears to be a fully operational franchise. The business model is very simple, the RBN through its extensive underground networking skills supplies to customers to franchisers operating small anti-abuse netblocks across the globe, where they offer dedicated hosting and share revenue with the RBN. Anyone trusted enough and capable of supplying such netblocks starts running the RBN anti-abuse franchise. It's also worth pointing out that these franchises are in fact starting to cut the middle man, and disintermediate the RBN by actively advertising their services in order for them to create a self-sustainable business model without having to rely on the RBN connecting them with customers.

What used to be a centralized cybercrime powerhouse operating several highly visible anti-abuse netblocks, is today's decentralized infrastructure, with the profit margins for the anti-abuse services that it's logically capable to break-even and earn profits even with a few high profile dedicated hosting customers. Anyone can be the Russian Business Network, gain experience into the market segment, then disintermediate them by starting to advertise their own services. From a powerhouse to a franchise model, what the RBN had to offer can be easily duplicated by a countless number of local RBN's, and this is only starting to take place.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd.
The Malicious ISPs you Rarely See in Any Report
Geolocationg Malicious ISPs
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network