Re: [gnso-ff-pdp-may08] Rock Phish Invests in Technology Upgrade

[Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>]

And an entire address space filled with bad things teeters on one, last, 
remaining upstream.
Again, no domain names were harmed, and no registrars were called at 3am.

Date: Mon, 8 Sep 2008 04:17:29 GMT
From: Paul Ferguson <fergdawg@xxxxxxxxxxx>
To: funsec@xxxxxxxxxxxx
Subject: [funsec] Security Fix: Updates on Atrivo/Intercage

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian Krebs add some late updates to his "Security Fix" article
from Friday 5 September 2008:

[snip]

Update, Sunday, Sept. 7, 8:02 p.m.: I spoke today with Randy Epstein,
president of WVFiber and co-founder of Host.net, which acquired WVFiber
just six weeks ago. Epstein said after reading reports from Security Fix,
Hostexploit.com, Spamhaus.org and others about cyber crime activities at
Atrivo, WVFiber has decided to drop Atrivo as a customer. WVFiber plans to
stop providing upstream connectivity to Atrivo by Wednesday or Thursday at
the latest, Epstein said. That would leave Atrivo with just a single
upstream provider -- Bandcon.

Update, Sunday, Sept. 7, 9:15 p.m.: nLayer Communications, a company that
owns a significant slice of the Internet addresses used by
Atrivo/Intercage, is demanding that Atrivo vacate the space and return the
addresses by Sept 30.

"Atrivo/Intercage has not been a direct customer of nLayer Communications
since December 2007, but they still have some legacy reallocations from our
IP space," wrote nLayer co-founder Richard A. Steenbergen, in an e-mail to
Security Fix. "Since they are no longer a customer, we require that they
return our non-portable IP space, and have given them a deadline of
September 30th to do so. If the IP space is not returned by that point, we
will follow standard procedure to reclaim it, including null routing the
space, and sending cease and desist letters to any network who still
transits it without our permission."

According to Steenbergen, Atrivo/Intercage must return roughly 7,400 IP
addresses.

[snip]

Ref:
http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grow
s_more_i.html

FYI,

- - ferg

Diaz, Paul wrote:
> FYI - more FF-enabled phishing attacks expected
>
> Phishing Drops as Rock Phish Invests in Technology Updgrade (SC
> Magazine, 090508)
> By Dan Kaplan
> http://www.scmagazineus.com/Phishing-drops-as-Rock-Phish-invests-in-tech
> nology-updgrade/article/116332/
>
> A plummet in the number of phishing emails between spring and summer
> appears related to a major crime group's decision to upgrade its botnet
> infrastructure, new research from RSA revealed on Friday.
>
> The notorious Rock Phish group, believed responsible for at least half
> of all phishes, has spent the last several months transitioning from a
> legacy botnet to the Asprox botnet, Sean Brady, product marketing
> manager at RSA, told SCMagazineUS.com.
>
> The move will help the criminal syndicate distribute phishing emails
> faster and more frequently, while being more difficult to detect, he
> said.
>
> "Like any business that upgrades its IT infrastructure, we would believe
> the Rock Phish group would think they're better prepared for the
> future," Brady said.  "We would not be surprised if we saw phishing
> levels return to where they were in the spring or early summer."
>
> According to phishing clearinghouse PhishTank, the number of valid
> phishes in July was 8,090, a considerable drop-off from 11,706 in May
> and 16,527 in April.
>
> The Asprox botnet, traditionally leveraged to scan for websites
> vulnerable to SQL injection and infect users' machines with trojans, is
> now potentially being used by Rock Phish to distribute its attacks,
> Brady said.
>
> "Leveraging the Asprox botnet and hosting your attacks from that botnet
> means that's it's essentially self-fueling," he said.  "You can create a
> larger botnet in a shorter period of time and therefore launch wider
> attacks."
>
> Asprox also comes outfitted with more advanced fast-flux networks, used
> to hide phishing sites and IP addresses behind a constantly changing
> series of botnet nodes that act as proxies, Brady said.
>
> "They all run cover for the real system that is hosting the phishing
> attack," he said.
>
> Dave Jevans, chairman of the Anti-Phishing Working Group, a phishing
> resource organization, said he has noticed a steep decline in phishing
> emails, but now Rock Phish appears back.
>
> A number of European banks and at least one major U.S. bank are being
> actively targeted in phishing campaigns, he said.
>
> But it is doubtful Rock Phish, believed to be based in St. Petersburg,
> Russia, took a major financial hit during the downtime, Jevans said.
>
> "You don't need to be constantly harvesting credentials," he said.
> "There are more stolen passwords out there than have ever been used."
>
> Brady said the time off shows Rock Phish is being run like a legitimate
> corporation.
>
> "They have profit concerns, margin concerns and now obviously IT
> infrastructure concerns," he said.
>
>
>
>