The biggest US hosting company associated with cyber criminals is no longer online

Sep 23, 2008 10:34 GMT

Following a collaborative effort by security researchers, anti-spam groups and online media to expose the connections between cyber criminal groups and Intercage Inc., every one of the company's upstream ISPs was pressured, by bad publicity or by their own customers, into severing ties with the California-based company. Its last remaining upstream, Pacific Internet Exchange, stopped routing traffic for the company and depeered it, leaving Intercage's servers unreachable from anywhere on the Internet.

As we previously reported, Atrivo became notorious for providing hosting and domain registration services, directly or through partners, to the Russian Business Network (RBN), a cyber criminal group of spammers, scammers, phishers, malware developers and other fraudsters linked to the Russian mafia. After extensive media exposure, the RBN retreated further into the Internet's underground and split into several smaller groups. Atrivo renamed itself Intercage in an attempt to clean up its reputation, but, as several well-documented reports from security researchers show, the change stopped at the name.

Several recent reports detailing Intercage's questionable (to put it mildly) practices prompted heated and concerned discussions on respected technical forums, mailing lists, blogs and news sites. That pressure led the ISPs providing uplink to Intercage to reconsider doing business with a company that everyone was pointing at as a host for criminal activity. As we also wrote in a previous article, Global Crossing was the first ISP to stop routing traffic for Intercage, and it was shortly followed by the company's two other remaining providers, WVFiber and Bandcon. In addition, nLayer Communications demanded that Intercage vacate around 7,400 IP addresses that belonged to it.

The company's last-minute rescue from going dark came from an ISP called Pacific Internet Exchange (PIE), but, as is generally true of pies, this deal did not last long either. David Grieshaber, PIE's president, explained to Brian Krebs of Security Fix that he decided to “adopt” Intercage because he and Atrivo founder Emil Kacperski, whom he believes was treated unfairly, are good friends, and because the two companies actually share the same office building in San Francisco. Even so, he said he explicitly told Kacperski to set up a company website (yes, for several years Intercage's main page showed only a logo and a “website launching soon” message) and a functional ticket-based abuse reporting system as a sign of good will.

This decision did not sit well with groups on the Internet. The Spamhaus Project added over 1,000 PIE IPs to its block list because Atrivo had become PIE's new client, and the ISP's customers started complaining. The subject was also discussed on the North American Network Operators Group (NANOG) mailing list. This effectively forced PIE to back out of the arrangement and stop providing upstream connectivity to Intercage, leaving it completely cut off from the Internet. The infamous domain registrar Estdomains, a hub for spam and phishing websites that used Intercage's hosting services, also suffered downtime, although it has since come back online.

Kacperski defended himself and his company by claiming, “the truth is that nobody's been reporting this stuff, but it's illegal for me to just sniff around each and every site on my network and say, 'Hey, what are you up to?'” He also added that “if there's a complaint, then I can deal with it, I have to deal with it. Instead of complaints, I get people labeling me as some kind of mafia kingpin or crime boss.”

Some are skeptical that this downtime is permanent, especially since Kacperski explicitly said he would find another provider for his company. The situation has also sparked debate about the censorship implications of ISPs' demonstrated ability to police themselves, and whether they should be taking such actions at all. Some experts claim it is a dangerous path that could lead to legitimate businesses being targeted in the same way and suffering losses, while others argue that ISPs should be the first line of defense against such criminal activity. Overall, it is generally agreed that, for now, such collaborative efforts, which might otherwise resemble a “lynch mob”, are the only option that works.

The relief many security groups felt on hearing that Atrivo had gone down is understandable: according to the Hostexploit report, an analysis of a random sample of 2,500 IPs out of the almost 30,000 attributed to Intercage/Atrivo turned up no fewer than 7,340 malicious web links, 910 infected websites, 310 malicious binaries, and 113 botnet command and control servers. Spamhaus has also compiled a list of IP ranges associated with the company that were involved in all sorts of malicious activity.

Images: Atrivo/Intercage is offline; Atrivo depeering