Infamous porn and phishing ISP rolls Bank of India

Infamous porn and phishing ISP rolls Bank of India

Summary: Security firm SunBelt, which discovered Bank of India's Web site had been hacked and was serving dangerous malware, says an infamous ISP linked to child pornography and phishing is behind the attacks.

SHARE:
TOPICS: Banking, Security, India
0

Security firm SunBelt, which discovered the Bank of India's hacked Web site was serving dangerous malware, says the infamous Russian Business Network (RBN) -- an ISP linked to child pornography and phishing -- is behind the attack.

The service provider in question has developed a notorious reputation, with Verisign classifying it as "the baddest of the bad" in the ISP world in June 2006.

According to Verisign threat intelligence analyst Kimberly Zenz, RBN is different to other service providers because "unlike many ISPs that host predominately legitimate items, RBN is entirely illegal."

"A scan of RBN and affiliated ISPs' Net space conducted by VeriSign iDefense analysts failed to locate any legitimate activity. Instead, [our] research identified phishing, malicious code, botnet command-and-control (C&C), denial of service (DoS) attacks and child pornography on every single server owned and operated by RBN," Zenz wrote in a recent report.

Zenz added that the RBN almost exclusively attacks non-Russian financial institutions and its leaders' family ties with a "a powerful St Petersburg politician" effectively offer it immunity from prosecution.

In an interview with ZDNet Australia, Patrik Runald, senior security specialist at F-Secure, said: "No one knows who the RBN is. They are a secret group based out of St Petersburg that appears to have political connections. The company doesn't legitimately exist. It's not registered and provides hosting for everything that's bad."

"Their network infrastructure is behind a lot of the bad stuff we're seeing and it has connections to the MPack group [a well-known group of cybercriminals which used Mpack software to steal confidential data]," said Runald.

Runald said that in the case of the Bank of India's hacked Web site, RBN used an IFrame to launch another window which then pushed victims to a Web page containing malicious code.

"That page contained links to three other pages on other servers," said Runald. "At the time we started looking into it two out of three URLs had been taken down. The one remaining was trying to use an exploit from 2006 to affect systems with a Trojan downloader. Once infected, that downloader would go out and download another piece of malware, including other downloaders," said Runald.

The Trojans used in this case were designed to steal passwords from PCs and upload Trojan proxies in aide of developing a botnet.

Topics: Banking, Security, India

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion