Legitimate ISP a Cover-up For a Cybercrime Network
ezabi writes "TrendWatch, the malware research arm of TrendMicro, has posted a white paper titled 'A Cybercrime Hub' (PDF, summary here) describing the activities of an Estonian ISP acting as a cover-up for a large cybercrime network. It's involved with malware distribution and DNS hijacking, which leads to credit card fraud. The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies? Note that they are represented legitimately and are offering real services like any other internet company."
Re:Adware (Score:5, Interesting)
Did you even read the whitepaper?
The director of the Estonian company has been convicted for credit card fraud but he was still able to build a network of companies in Europe and in the United States.
For instance, a Web developer who joined the company in 2008 proudly published a portfolio containing sites that he developed during his employ. This is a natural thing to do for a Web developer. In this case, however, his portfolio consisted not only of corporate websites but also of websites that have been used to lure Internet users to install Trojans that posed as helpful software such as video codecs and file compression software.
The whitepaper is totally different from what you tried to portray, even on the first page. Your post is obviously an attempt at a cover-up, presuming most people won't read the PDF.
Re: (Score:2)
Re: (Score:1)
So it is allowed by Estonian laws to install trojans on the computers of unsuspecting victims, to redirect accesses to legitimate sites through DNS redirection to unrelated sites, to claim bogus virus infection on fake versions of legitimate sites and offer expensive fake "antivirus" software as "cure"?
Re: (Score:2)
Re: (Score:2)
AC was probably illegitimate so he probably can't recognize a legitimate business. It also sounds like AC might have been an investor or an officer in the company. LMAOA
Re: (Score:1)
Certainly most of the employees wouldn't know that their actual work is used to serve illegitimate activities; otherwise they wouldn't include it in their CVs. How would a web developer know that the site he's working on is promoting a fake product? If you look for more details of the activity elsewhere you would find that these people's ultimate goal was to drive users to a form where they would gladly submit their personal and credit card details. TrendWatch wouldn't clearly explain such activities in it
Re:Adware (Score:4, Interesting)
Yes, adware is bad too, but it's legal, and calling adware companies cybercriminals is going to bring some lawsuits.
Others have addressed the actual legality, but I want to address this anyway. I don't think we should refrain from calling bad guys "bad." Whether or not some asshole skates around laws faster than Estonia can make them (or outright bribes/lobbies lawmakers to keep what he's doing legal), or whether or not a particular asshole gets litigious for calling him an asshole, they're still an asshole. In fact, they're even bigger assholes if they bend laws and sue over it.
Re:Adware (Score:5, Insightful)
It seems Mr. Tsastsin has a rather colorful past, and is no stranger to organized crime. According to the local court and news media, he was recently sentenced to three years in an Estonian prison after being found guilty of credit card fraud, document forgery, and money laundering.
_____________________________________
If you happen to be Tsastsin's wife, I can understand that you'd like to stick up for his "good name". Maybe you feel that you need to do so, for the kids.
But, the bastard is a criminal bastard. Your astroturfing won't change the fact.
Re: (Score:2)
Hey, look, AC just started his philosophy class!
Your argument would be better applied to a more complex case of right vs wrong, such as more legitimate online advertisers. But we're not talking about that; these people are scum. Furthermore, this is /., where the general consensus is that adware and the people who make it are scum. Addressing the morality of adware would be preaching to the choir and would be beside the point. Lastly, I did NOT claim it was fact. Was it not obvious enough this is my opin
Re:Adware (Score:4, Informative)
Re: (Score:2)
I find the use of a good filtered DNS service that blacklists malware URLs upon discovery goes a long way towards limiting my exposure to this.
OpenDNS or ScrubIT works well. The only downside is they are often the target of DoS attacks, so their uptimes are limited. Be prepared to switch DNS settings when the "Internet" goes down. Most of my frequent sites I keep in my local hosts file, so even if DNS goes down or DNS is hijacked, the link to my banking is still valid.
Running as a normal user I can'
Re: (Score:1)
Re: (Score:1, Funny)
Re: (Score:2)
It's involved with malware distribution and DNS hijacking, which leads to credit card fraud.
I did find it funny that they say this; just because it's *possible* doesn't mean they'd do such. Surprisingly, Comcast and other ISPs have been starting to do DNS hijacking, so does it mean they are doing credit card fraud?
Comcast and other ISPs have been doing NX-record hijacking, not straight-up DNS hijacking. While NX-record hijacking is a bad practice because of problems it causes with other networking practices, it is not malicious. NX-record hijacking is where an address cannot be found, so they reply with a search site to help the user. DNS hijacking normally refers to hijacking requests for valid domains and pointing them to their own servers. This can lead to phishing sites that appear to be a valid domain.
This is new? (Score:3, Insightful)
Look up the mafia and trash collection.
Re:This is new? (Score:5, Funny)
Re: (Score:3, Funny)
DNSSEC and ubiquitous SSL. (Score:5, Informative)
DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed. Then there's not really much they can do, besides just dropping all your connections.
Re: (Score:2)
Re: (Score:3)
However, while OpenDNS is unaccountably popular with many, it does a lot of DNS meddling of its own, including breaking NXDOMAIN (it also uses false
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Since they redirect your DNS queries through a trojan, I don't see how they couldn't.
Re: (Score:2)
I know about the first and how it works, but I never saw the 2nd.
Re:DNSSEC and ubiquitous SSL. (Score:4, Interesting)
DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exceptions are corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would think the data had been verified by DNSSEC.
DNSSEC is hardly deployed either. Not even in the .GOV TLD domains, which have a mandate that all domains be signed by the end of this year.
Query Comcast's test DNSSEC resolver:
dig +adflag +dnssec gov @68.87.69.154
You get back NSEC3 keys and RRSIGs, and the "ad" flag will be set (meaning it is authenticated data). Try it again with just about any domain:
dig +adflag +dnssec whitehouse.gov @68.87.69.154
dig +adflag +dnssec fbi.gov @68.87.69.154
dig +adflag +dnssec cia.gov @68.87.69.154
dig +adflag +dnssec nsa.gov @68.87.69.154
Nah, none of them have deployed DNSSEC. Less than 3 months to go and they'll all slip past the mandate.
DNSSEC is a good step in the right direction, but it's not a magic bullet. Perhaps if there were some client apps that act as DNS resolvers and verify all DNSSEC keys and sigs (the same as resolvers do), but that's going to slow down the user experience with many queries before even requesting content. Further, how are end-user apps like this going to be kept up to date with new signatures that have to roll (yearly, I believe)? No magic bullet, that is for sure.
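Two points in this thread are easier to see on the wire than in prose: the distinction drawn earlier between NX-record hijacking (a resolver answering NOERROR plus an A record for a name that does not exist) and real DNS hijacking, and the point above that the AD flag is an unauthenticated header bit between resolver and stub. The following is an added example, not code from the thread or from Trend Micro: a minimal DNS message builder and parser working entirely on constructed messages (hypothetical names, documentation IP ranges, no network access). The builder does not emit compression pointers, but the parser follows them so it would also read real resolver output.

```python
import struct

# Added example (not from the thread or from Trend Micro): a minimal DNS
# message builder/parser that shows two points made above, entirely offline
# with constructed messages. Hypothetical names, documentation IP ranges.

NXDOMAIN = 3
TYPE_A = 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """Wire-format a dotted name ('example.com.') as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, answers=(), ad=False):
    """Constructed response: header, one A question, zero or more A answers.
    ad=True simulates a resolver (or anyone on the path) setting the AD bit."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    rrs = b""
    for name, ttl, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += encode_name(name) + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + rdata
    return header + question + rrs


def decode_name(data, off):
    """Read a name at off, following compression pointers; return (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remember where we were
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(data):
    """Parse header, question and answer sections into a dict."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": ident, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def classify_nonexistent_name_response(data):
    """For a query on a name that must not exist (a random label), an honest
    resolver returns NXDOMAIN; one doing NX-record hijacking returns NOERROR
    plus an A record pointing at its search/advertising host."""
    msg = parse_message(data)
    if msg["rcode"] == NXDOMAIN and not msg["answers"]:
        return "nxdomain"
    if msg["rcode"] == 0 and any(t == TYPE_A for _, t, _, _ in msg["answers"]):
        return "rewritten"
    return "other"


def ad_flag_is_meaningful(data, channel_is_authenticated):
    """AD is header bit 0x0020 and nothing more. A stub may rely on it only when
    the path to the validating resolver is itself authenticated (or the stub
    validates locally); otherwise a set bit proves nothing."""
    return parse_message(data)["ad"] and channel_is_authenticated


# Constructed sample responses (no real resolver contacted).
HONEST_NX = build_response("zq7x-random.example.", NXDOMAIN)
REWRITTEN_NX = build_response("zq7x-random.example.", 0,
                              [("zq7x-random.example.", 60, "198.51.100.10")])
FORGED_AD = build_response("bank.example.", 0,
                           [("bank.example.", 300, "203.0.113.5")], ad=True)

if __name__ == "__main__":
    print(classify_nonexistent_name_response(HONEST_NX))     # nxdomain
    print(classify_nonexistent_name_response(REWRITTEN_NX))  # rewritten
    print(ad_flag_is_meaningful(FORGED_AD, channel_is_authenticated=False))  # False
```

The NXDOMAIN probe is the usual way to tell whether a resolver rewrites non-existent names: query a label nobody could have registered and see whether NOERROR comes back. The AD check encodes the thread's conclusion as policy: a stub that has no authenticated channel to its resolver must treat a set AD bit as informational only.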
Re: (Score:3, Interesting)
Also, while I'm here, it's a lot harder to MitM the link between a user and their ISP in most cases. Both addresses are inside the ISP's range, so it should and probably does have border rules that prevent such packets traversing the border. That means to attack user X at ISP A, you need to be able to mess with packets inside ISP A. Whereas today, by doing MitM on some poor .com site's DNS servers, you get every user visiting the site. So "does nothing to protect" isn't really true.
If you're going to say "W
Re: (Score:3, Informative)
DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exceptions are corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would think the data had been verified by DNSSEC.
No, you can demand that the ISP's resolver forward all the records you need in order to verify the signatures yourself. The first thing google comes back with is this, from 2007 [circleid.com]:
Re: (Score:2)
Ah, very nice. Then the only problem is getting/keeping the signatures on the stubs updated. You have a bootstrapping problem, a chicken-and-egg problem, if you want to auto-update a host that has been offline for some time, or after a fresh install that contains old signatures.
Crypto is the wrong answer (Score:2)
DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed.
Actually, once the bad guys have installed malware on your PC, it's pretty much game over. DNSSEC won't help you, and SSL won't help you: they are designed to thwart man-in-the-middle attacks, not man-in-the-endpoint attacks. If your PC is compromised, the DLL that performs DNSSEC or SSL verification can also be compromised. We don't really have a security model to deal with man-in-the-endpoint attacks, other than things like two-factor (or n-factor) authentication which work because one of the two (or n) c
Re: (Score:2)
Actually, once the bad guys have installed malware on your PC, it's pretty much game over. DNSSEC won't help you, and SSL won't help you: they are designed to thwart man-in-the-middle attacks, not man-in-the-endpoint attacks. If your PC is compromised, the DLL that performs DNSSEC or SSL verification can also be compromised.
Sure, but a cursory reading of the summary/headline seemed to imply that they were using their position as ISP to cause trouble, rather than just being generic malware vendors.
Don't click the Blue e! (Score:1, Insightful)
Re: (Score:2)
Use common sense!
You must have never heard of "Peak common sense": the idea that there is a finite amount of common sense that can be used in any given year, and that the amount will peak and then decline steadily to zero. Note: the second cause is that common sense per individual is declining because of population growth. Tim S. PS: You think my theory is a joke? Good, then make it funny.
Comcast? (Score:2)
Anywho, this is kind of scary, but not in an internet-scary kind of way, but instead in a crime can be all around you kind of way. Imagine if a restaurant was a front for a crime hub, i.e. skimming credit card and checking info, they would have access to people's financials, but in a much more limited sense. Although it would be interestin
Re: (Score:2)
Here I was thinking that this article would be about Comcast, but then I remembered that Comcast is just the regular kind of fraud. Over-promising and under-delivering...
Careful there! You are giving Comcast WAY too much credit. I would chalk that up to incompetence rather than malice. The latter is way harder, and the clowns at Comcast don't have the chops to do it well.
Sheldon
Re: (Score:1)
Here I was thinking that this article would be about Comcast, but then I remembered that Comcast is just the regular kind of fraud. Over-promising and under-delivering...
That's not fraud, that's sales. Otherwise every salesperson in the world would be guilty of fraud. Always assume that if someone is selling you something they are exaggerating the capabilities of their product/service.
Re: (Score:2)
Not necessarily true. I have had many cases where I have purchased something from someone who has been completely open in describing any limitations etc. of a product. I actually find I repeat-buy from that type of salesperson far more than I would from someone who has talked something up and failed to deliver. Usually, if you show that you know what you are talking about and will see through any attempts at deception, and that you are not an arrogant prick, then they will open up and be much more down to eart
Solution (Score:4, Interesting)
Man in the middle attacks have a classic solution: Encryption and non-repudiation in the authentication protocols. Encrypt everything between the client and server (as IPv6 allows for) and the amount of damage a rogue ISP can do (or any peer point) is greatly reduced.
She's more right than you think (Score:2)
Authentication protocols like PKI that use encryption would make many sources of malware unambiguous. That pretty much leaves email and discs as the only malware carriers that are hard to track.
Network neutrality (Score:5, Interesting)
From a US perspective: without network neutrality, this is all legal.
Page 8 of the PDF shows CNN.COM with an advertisement replaced. What stops them from replacing the content of the articles? Page 10 shows how they hacked Google results. What keeps them from changing those results to filter articles on politics, religion, gender issues, laws...
Legitimate? (Score:2)
Re: (Score:1, Funny)
Funny I never could tell the two apart.
From estonian perspective... (Score:2, Interesting)
Obliga... (Score:2)
I for one welcome our new Cybercriminal Tartu Overlords ...
(Especially since they have to be within a 3 mile radius from me, being in Tartu as well)
Re: (Score:2)
and link to the super evil company as well
http://www.rovedigital.com/ [rovedigital.com]
Their homepage vs the homepage displayed in the PDF files ... not really hidden well enough.
Re: (Score:2)
within a 3 mile radius
I see, Estonians switched from metric system to Imperial, to please their OTHER overlords.
Measures (Score:2)
What security measures should be taken to prevent normal users from falling victim to such malicious bodies?
I think a massive DoS attack will teach these Estonian bastards! Oh wait..
Comcast (Score:1, Funny)
I totally came in here expecting this to be about Comcast. I feel like I'm being robbed every month when I pay my bill.
Suggestion? (Score:1)
Re: (Score:1)
Re: (Score:2)
But Estonia is the second best US sycophant in Europe!
Is this the RBN successor? (Score:1)
For those interested, check out some info about the RBN (Russian Business Network), which was organized around an ISP in St. Petersburg; this was a really big operation.
This report lacks some detailed information about the ISP, e.g. which ASes are involved, etc., so one can't just react and put them into a DROP list or do AS-path filtering. If it's an ISP with known ASes, you (your ISP) can react.
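The DROP-list reaction the poster has in mind is straightforward to automate once prefixes are known. The following is an added example, not code from the thread or from Trend Micro: it parses a DROP-format list (one CIDR per line, `;` starts a comment, the format Spamhaus publishes) and scans flow-log lines for source or destination addresses inside any listed prefix. Both the list entries and the log lines are constructed here using documentation address ranges, since the report names no ASes or prefixes; AS-path filtering is a router-side measure and is not covered.

```python
import ipaddress
import re

# Constructed DROP-format sample using documentation ranges; the SBL ids are
# placeholders, not real listings. Format: "CIDR ; comment".
DROP_LIST_TEXT = """\
; DROP-format sample (constructed for this example)
192.0.2.0/24 ; SBL000000 (placeholder)
198.51.100.0/24 ; SBL000000 (placeholder)
"""

# Constructed flow-log lines (hypothetical format: key=value fields).
SAMPLE_FLOWS = [
    "2009-10-01T12:00:01 src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443",
    "2009-10-01T12:00:02 src=10.0.0.7 dst=192.0.2.44 proto=tcp dport=80",
    "2009-10-01T12:00:03 src=198.51.100.8 dst=10.0.0.9 proto=udp dport=53",
    "2009-10-01T12:00:04 malformed line without addresses",
]

LOG_RE = re.compile(r"src=(\S+) dst=(\S+)")


def parse_drop_list(text):
    """Return the listed prefixes as ip_network objects; comments and blank lines skipped."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def find_hits(log_lines, nets):
    """Yield (log line, matched prefix) for every src/dst inside a listed prefix.
    Lines that do not match the log format or hold unparsable addresses are skipped."""
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        for field in match.groups():
            try:
                addr = ipaddress.ip_address(field)
            except ValueError:
                continue
            for net in nets:  # 'in' is False across IPv4/IPv6 versions, so mixing is safe
                if addr in net:
                    hits.append((line, str(net)))
                    break
    return hits


if __name__ == "__main__":
    for line, net in find_hits(SAMPLE_FLOWS, parse_drop_list(DROP_LIST_TEXT)):
        print(net, "<-", line)
```

In practice the list would be refreshed on a schedule and the hits fed to whatever the site uses for alerting; the value of the check is that a single outbound flow to a listed prefix is a strong, low-noise signal compared with most network telemetry.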
Figure 6 (Score:1)