By Gregg Keizer
February 19, 2008
The Russian Business Network, a notorious hacker and malware hosting
network, runs a protection racket that extorts as much as $2,000 a month
in fees for "protective Web services" from borderline sites, a
researcher alleged today.
The RBNExploit blog -- which is authored by one or more anonymous
researchers -- spelled out the racket run by the group, which is thought
to be headquartered in St. Petersburg, Russia, and has been pegged by
security professionals as a major source of malware and cybercriminal
"The business model RBN uses is quite simple and effective," said a post
published today on the blog. "Its affiliates and resellers comb various
niche market forums and discussion areas for Web masters using or
discussing protective web services, i.e. DDoS [Distributed Denial of
Service] prevention. Carry out a DDoS attack on the Web site and then
provide a third-party sales approach to the Web master to 'encourage' a
sign-up for their DDoS prevention services."
The price for "protection:" $2,000 per month.
The DDoS attacks are, like almost all such mass attacks, conducted by a
botnet, an army of previously-compromised computers that can be told to
hammer a site one day and spew huge quantities of spam the next.
Numerous researchers, for example, have linked the RBN to the Storm
botnet, an amorphous collection of PCs that have been infected with a
Trojan by the same name. Some security experts have put the blame for a
massive series of DDoS attacks against Estonian government sites last
year on the RBN.
RBNExploit noted that the domains that have recently shifted to RBN's
hosting services included sites involved in pornography, online
pharmaceutical sales and what it calls "HYIP," for High Yield Investment
Programs -- a term that's become synonymous with investment scams, often
in the form of traditional Ponzi schemes. "RBN is successful, as most of
these Web masters are not about to publically complain," noted the blog.
It also posted a link to an HYIP forum where discussions of RBN DDoS
extortions appeared several times. "Paid very fast. A very good return
from a ddos attack," wrote one users on the scam's message board in
early December 2007.
"Very good support work while ddos!" added another. "I am very happy
with your fast payments! THx!"
The blog traced the anti-DDoS hosting services to an IP address it had
previously fingered as a "core replacement server" for RBN in St.
Petersburg. It also listed several domains, including the HYIP "Golden
Pig" and several drug-selling sites, that have recently moved to the RBN
servers handling anti-attack hosting. Among the latter:
TheCanadianMeds.com and OfficialMedicines.com. Both those sites are now
hosted on RBN servers based in Turkey, said the blog, and they have
previously been blacklisted by SpamHaus.org, a well-known antispam
Phone numbers listed in the domain registration records for those sites
were either incomplete, and thus unusable, or rang through to a fax
Subscribe to InfoSec News