GazTranzitStroyInfo hides a hosting provider for malware, scareware and spam operations

May 20, 2009 10:13 GMT

Independent security consultant Dancho Danchev reports that Russian cybercriminals are using a fake gas transit company to hide a provider hosting a wide array of illegal online activities. Based in Saint Petersburg and called GazTranzitStroyInfo LLC, the provider has strong ties with two other well-known cybercrime hubs.

"It is somehow weird to what lengths certain cybercriminals would go to create a feeling of legitimacy of their enterprise," notes Mr. Danchev, according to whom redirectors to live exploits, Zeus config files and scareware hosted on this Autonomous System (AS) are being distributed through black-hat SEO techniques and website compromises.

"The recent peak of fake codecs (for instance [...] softwarefortubeview.40018.exe) puts the spotlight on GazTranzitStroyInfo [identified as AS29371] and its connections with another rogue hosting provider in the face of AS48841, EUROHOST-AS Eurohost LLC, which was providing hosting infrastructure to the scareware domains part of Conficker's Scareware Monetization strategy, and continues to do so for a great deal of exploits/malware serving domains," the researcher explains.

An example of this connection is the video-info .info fake codec campaign, hosted by GazTranzitStroyInfo (AS29371), which actually downloads the malicious file from kir-fileplanet .com, hosted at EUROHOST-NET (AS48841). But, according to Danchev, the cybercriminal infrastructure does not stop here. Instead, it converges over at yet another rogue hosting provider, NETELLIGENT Hosting Services Inc. (AS10929).

"For instance, a sampled domain such as housedomainname .cn/in.cgi?6 redirects us to securityonlinedirect .com/scan.php?affid=02083 which is serving scareware with hosting courtesy of AS10929 Netelligent Hosting Services Inc," the researcher notes. "In cybercriminals I don't trust," he concludes, sarcasm directed at GazTranzitStroyInfo, whose fake slogan is "In gaz we trust!"
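The two chains above (a fake-codec page on AS29371 fetching its payload from AS48841, and a redirector landing on scareware at AS10929) are the kind of data a defender collects when pivoting on autonomous systems rather than on individual domains. The following script is an added example, not code from the article or from Mr. Danchev: it maps each hop of a redirect chain to its origin ASN, flags chains that touch a watchlisted provider, and counts hand-offs between providers so that convergence on shared infrastructure becomes visible. It generalises the article's two cases to any number of chains and handles a hop that cannot be resolved (the article does not say where housedomainname .cn is hosted). The hostname-to-ASN table is a constructed stand-in for a live DNS plus BGP/whois lookup; the ASNs and defanged hostnames in it are only those quoted in the article.

```python
"""Added example: pivoting on autonomous systems (ASNs) to relate scareware
redirect chains to the hosting providers named in the article.

The lookup table below is constructed and stands in for a live DNS + BGP lookup.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Rogue providers named in the article, keyed by ASN.
WATCHLIST: Dict[int, str] = {
    29371: "GazTranzitStroyInfo LLC",
    48841: "EUROHOST-AS Eurohost LLC",
    10929: "NETELLIGENT Hosting Services Inc.",
}

# Constructed table (hostname -> origin ASN). Hostnames are defanged with a
# space, as in the article. housedomainname .cn is deliberately absent: the
# article does not say where it is hosted, so the code must cope with an
# unresolved hop instead of crashing or silently guessing.
HOST_TO_ASN: Dict[str, int] = {
    "video-info .info": 29371,
    "kir-fileplanet .com": 48841,
    "securityonlinedirect .com": 10929,
}

# Each chain is the ordered list of hostnames a victim is bounced through.
# Both chains come from the article's description.
CHAINS: Dict[str, List[str]] = {
    "fake codec campaign": ["video-info .info", "kir-fileplanet .com"],
    "scareware redirect": ["housedomainname .cn", "securityonlinedirect .com"],
}


def asn_for(host: str) -> Optional[int]:
    """Return the origin ASN for a hostname, or None when it cannot be resolved."""
    return HOST_TO_ASN.get(host)


def annotate_chain(chain: List[str]) -> List[Tuple[str, Optional[int]]]:
    """Pair every hop with its ASN (None for unresolved hops)."""
    return [(host, asn_for(host)) for host in chain]


def assess_chain(chain: List[str]) -> Dict[str, object]:
    """Summarise one redirect chain in terms of the ASes it crosses."""
    hops = annotate_chain(chain)
    resolved = [asn for _, asn in hops if asn is not None]
    return {
        "hops": hops,
        "unresolved": [host for host, asn in hops if asn is None],
        "watchlisted": sorted({asn for asn in resolved if asn in WATCHLIST}),
        # Hops sitting in different ASes is the cross-provider pattern the
        # article describes (AS29371 handing off to AS48841).
        "crosses_provider": len(set(resolved)) > 1,
        # A chain that touches any watchlisted AS is blocked outright; a chain
        # with no watchlisted hop (or nothing resolved) goes to analyst review.
        "verdict": "block" if any(asn in WATCHLIST for asn in resolved) else "review",
    }


def shared_infrastructure(chains: Dict[str, List[str]]) -> Counter:
    """Count, per ASN, how many distinct campaigns touch it."""
    counts: Counter = Counter()
    for chain in chains.values():
        for asn in {asn for _, asn in annotate_chain(chain) if asn is not None}:
            counts[asn] += 1
    return counts


def handoff_edges(chains: Dict[str, List[str]]) -> Counter:
    """Count (from_asn, to_asn) hand-offs between consecutive resolved hops."""
    edges: Counter = Counter()
    for chain in chains.values():
        asns = [asn for _, asn in annotate_chain(chain) if asn is not None]
        for src, dst in zip(asns, asns[1:]):
            if src != dst:
                edges[(src, dst)] += 1
    return edges


if __name__ == "__main__":
    for name, chain in CHAINS.items():
        result = assess_chain(chain)
        print(f"{name}: verdict={result['verdict']} watchlisted={result['watchlisted']} "
              f"unresolved={result['unresolved']} crosses_provider={result['crosses_provider']}")
    for (src, dst), n in handoff_edges(CHAINS).items():
        print(f"AS{src} ({WATCHLIST[src]}) -> AS{dst} ({WATCHLIST[dst]}): {n} hand-off(s)")
```

The verdict is deliberately per chain rather than per hostname: the article's point is that individual domains churn while the ASNs behind them stay put, so a watchlist keyed on ASN keeps working after the next batch of fake-codec domains is registered. An unresolved hop is reported rather than ignored, since a hostname that no longer resolves is itself a signal that the chain was rotated.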

Such hosting providers make it a lot harder for security researchers and other industry professionals to shut down cybercriminal operations, because they hardly ever respond to abuse complaints. Taking down the entire provider, even when the amount of malicious activity it houses is significant, is harder still if the company is not based in the US or in a western European country.

One rare successful case: UkrTeleGroup, a cybercrime hosting provider based in Ukraine, was knocked offline after Miami-based FPL FiberNet decided to terminate the contract with one of its customers, which was providing uplink to UkrTeleGroup. FPL FiberNet only took this decision after receiving a complaint from its own service provider and risked being de-peered itself.