Tuesday, September 9, 2008

EstDomains: A Sordid History and a Storied CEO


In this second part to an ongoing investigation into the notorious Web site host and domain name registrar EstDomains Inc., Security Fix examines the company's history, the legacy of its current chief executive, and its future prospects.

The "Est" in EstDomains is a nod to the company's origins: It was founded in Tartu, the second largest city in Estonia (although the corporation is officially registered in Delaware). The chief executive of EstDomains is 27-year-old Vladimir Tsastsin, pictured below.

Tsastsin also is named as the head of Rove Digital, a company that appears to encompass a domain auction service named Bakler.com, and a recently launched Web traffic-shaping service called Zmot.

Brian Krebs on Computer Security. The Washington Post Company.

A Superlative Scam and Spam Site Registrar

Over the past week, a number of the Internet's largest data carriers have ceased providing online connectivity to Atrivo (a.k.a. "Intercage"), an ISP that security experts say is home to a huge number of scammers and spammers. This week, I'm turning the spotlight on EstDomains Inc., Atrivo's most important customer and the single biggest reason so many experts have condemned Atrivo.

According to RegistrarStats.com, EstDomains is the 49th largest domain name registrar, with more than 270,000 domains. Security Fix is still working on cataloging all of those domains, but for the purposes of this analysis we'll examine some 10,000 Web site names that are both registered through EstDomains and using the company's various domain name servers to route traffic to them.

I chose to focus on that particular subset of 10,000 domains mainly so that EstDomains could not simply disavow knowledge of the sites' activities by claiming it serves as nothing more than a registrar for those domains.


Turns out, at least one-third of those domains (.CSV) are currently blacklisted by SURBL.org, which tracks Web site names that are advertised in junk e-mail.

Have a look at the complete list of those 10,000 names -- which I've made available at this link here (.CSV file) -- and it should quickly become evident why so many are blacklisted.
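A defender-side check of the kind the analysis above relies on, as an added example that is not part of the original post: it reads a one-domain-per-line CSV like the one linked here, reduces each host name to the domain SURBL keys on, queries the SURBL DNS zone, and reports the share of unique domains that come back listed. The `multi.surbl.org` zone name, the small public-suffix set and the sample CSV are assumptions constructed for the example; pass your own resolver callable to run it offline.

```python
import socket
from typing import Dict, Optional

# Assumed SURBL query zone (the post names SURBL.org, not a zone).
SURBL_ZONE = "multi.surbl.org"
# Partial, constructed set of suffixes under which SURBL lists the third label.
THREE_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
# Constructed sample in the shape of a one-domain-per-line CSV with a header.
SAMPLE_CSV = """domain
www.pharma-example-1.com
pharma-example-1.com
shop.example-mall.co.uk
clean-example.org
"""

def registrable_domain(hostname: str) -> str:
    """Reduce a host name to the domain SURBL keys on."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def default_resolver(name: str) -> Optional[str]:
    """Resolve an A record with the system resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def surbl_lookup(hostname: str, resolve=default_resolver) -> Optional[int]:
    """Return SURBL's flag octet for the domain, or None if unlisted.
    A listed name answers with an address in 127.0.0.0/8 whose last octet
    is a bitmask of matching sub-lists. Any other answer (a captive portal
    or wildcard resolver, for instance) is treated as 'not listed'."""
    answer = resolve(f"{registrable_domain(hostname)}.{SURBL_ZONE}")
    if answer is None or not answer.startswith("127."):
        return None
    return int(answer.rsplit(".", 1)[1])

def blacklisted_share(csv_text: str, resolve=default_resolver) -> Dict[str, object]:
    """Check each unique registrable domain once; report the listed share."""
    rows = [r.strip() for r in csv_text.splitlines()[1:] if r.strip()]
    results: Dict[str, Optional[int]] = {}
    for row in rows:
        d = registrable_domain(row.split(",")[0])
        if d not in results:  # one DNS query per unique domain
            results[d] = surbl_lookup(d, resolve)
    listed = sorted(d for d, f in results.items() if f is not None)
    share = len(listed) / len(results) if results else 0.0
    return {"total": len(results), "listed": listed, "share": share}
```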


Brian Krebs on Computer Security. The Washington Post Company.

Sunday, September 7, 2008

Scammer-Heavy U.S. ISP Grows More Isolated



Last week, Security Fix published an analysis of Atrivo, a California-based Internet service provider also known as Intercage, that has proven to be a virtual magnet for cyber-criminal operations. Since that time, Atrivo's biggest network backbone provider decided it could no longer support the company, and stopped offering it direct connectivity.

I first got wind of this change while reading a post on the NANOG mailing list, which caters to professionals employed by ISPs and various network providers. Marcus Sachs, director of the SANS Internet Storm Center, had said it looked like Global Crossing had stopped handling long-haul Internet traffic for Atrivo/Intercage within hours after our story was published. I followed up with Marc, but he was unable to produce any conclusive data showing the change.

Fast forward to today, and with the help of Jose Nazario at Arbor Networks, I was able to pull together a view of what happened. Global Crossing has in fact "de-peered" from Atrivo/Intercage, so it is no longer providing direct Internet connectivity.

Brian Krebs on Computer Security. The Washington Post Company.

Number of Bot-Infected PCs Skyrockets

The number of PCs compromised with software that lets cyber criminals control the machines from afar has more than quadrupled over the last quarter, security experts warn.

The estimates come from Shadowserver, a group of volunteers that monitor activity from robot networks or "botnets," large armies of hacked personal computers used for spam, phishing and all kinds of criminal activity. Shadowserver saw a rise from roughly 100,000 botted PCs to about 400,000 over the past three months.

John Bambenek, an incident handler with the SANS Internet Storm Center, which tracks hacking trends, speculates that the spike is probably related to the massive numbers of Web sites that have been hacked by SQL attacks, and seeded with browser exploits.

While those numbers might seem high, they suggest more of a recent upward trend in bot counts rather than an accurate picture of just how many compromised PCs are out there. In fact, numerous other security experts this year have spotted single botnets that include upwards of 350,000 compromised PCs. And by nearly all accounts, there are thousands of distinct botnets out there today under the thumb of criminal groups and individual hackers.

Brian Krebs on Computer Security. The Washington Post Company.

Monday, September 1, 2008

FBI Warns of Hit Man Scam Resurgence

The FBI is warning people not to be disturbed by an e-mail scam that threatens your life and orders you to pay up to avoid being the target of a hired hit man.

The FBI said its Internet Crime Complaint Center continues to receive thousands of reports concerning the hit man e-mail scheme. The FBI notes that while the content of the missive has evolved since similar hit man scams first surfaced in late 2006, the message remains the same, claiming the sender has been hired to kill the recipient.

In some cases, the use of names, titles, addresses, and telephone numbers of government officials and business executives, and/or the victims' personal information are used in an attempt to make the fraud appear more authentic, the FBI said.

I've heard about these scams before, but never actually seen one of the e-mails until today. Below is a copy of one of the scams making the rounds now.

"Dear Friend,
Goodday to you.
Am very sorry for you my friend, is a pity that this is how your life is going to end as soon as you don't comply. As you can see there is no need of introducing myself to you because I don't have any business with you, my duty as I am mailing you now is just to KILL/ASSASINATE you and I have to do it as I have already been paid for that.
Someone you call a friend wants you Dead by all means, and the person have spent a lot of money on this, the person also came to us and told me that he want you dead and he provided us with your name, picture and other necessary information's we needed about you. So I sent my boys to track you down and they have carried out the necessary investigation needed for the operation on you, and they have done that but I told them not to kill you that I will like to contact you and see if your life is Important to you or not since their findings shows that you are innocent.

Brian Krebs on Computer Security. The Washington Post Company.

Report: Email Address Dictates Spam Volume

The first letter of your email address is one factor in your spam risk, a researcher says

By Kelly Jackson Higgins, Senior Editor, Dark Reading

Everyone knows that some people get more spam than others, but new research shows that it may have something to do with the first letter of your email address.

Richard Clayton, a security researcher at the University of Cambridge in the U.K., says he found evidence that the more common the first letter in your email address is, the more spam you get: in other words, alice@company.com typically gets a higher volume of spam than quincy@company.com, or zach@company.com. He says that’s simply because there are more combinations of names that begin with “A” than with “Q” or “Z.”

Over an eight-week period, Clayton studied around 8.9 million emails at a U.K. ISP and found that the email addresses that began with “A” received 35 percent spam in their inboxes, while “Z’s” got about 20 percent -- after sorting out real emails versus invalid ones that had likely been generated by a spamming tool. Clayton says it’s likely that spammers using dictionary attacks could be the cause of this disproportionate distribution of spam.

Dark Reading.

Report Slams U.S. Host as Major Source of Badware

Last week, I examined a series of Web services that make profiting from cyber crime a point-and-click exercise that even the most novice hackers can master. Today, I'd like to highlight the activities of Atrivo, a Concord, Calif., based network provider that hosts some of these services.

Several noted security researchers are releasing a report today that stems from many months of investigating malicious activity emanating from Atrivo's customers. Security experts say that Atrivo, also known as "Intercage," has long been a major source of spyware, adware, viruses and fake anti-virus products.

The report is an exhaustive and well-researched analysis of Atrivo and its operations. Some of the statistics on active exploits cited in that report come from data sets I commissioned during my own investigation of Atrivo and later shared with Jart Armin, the principal author of the report and curator of the blog hostexploit.com.

Looking back several years, Atrivo's various networks were used heavily by the Russian Business Network, an ISP formerly based in St. Petersburg, Russia. RBN had gained notoriety for providing Web hosting services catering exclusively to cyber criminals. But after increased media attention, RBN dispersed its operations to other, less conspicuous corners of the Internet.

The portions of Atrivo most heavily used by RBN were Hostfresh -- which provides routing for Atrivo through Hong Kong and China -- and UkrTeleGroup (also known as Inhoster) out of Ukraine. These two networks remain core components of Atrivo's operation, and recent data suggests the company's reputation for supporting online criminals hasn't diminished since the disappearance of the RBN last year. As of last December, Atrivo boasted the largest concentration of malicious activity of any hosting company, according to a report released by security intelligence firm iDefense.

Brian Krebs on Computer Security. The Washington Post Company.

Microsoft Patches 26 Security Holes

Microsoft today released updates to fix at least 26 security vulnerabilities in its Windows operating systems and other software. At least 17 of those flaws earned Microsoft's "critical" rating, meaning they could be exploited to break into vulnerable systems with little or no help from the victim.

The 26 vulnerabilities are the most Microsoft has addressed since it had 25 in August of 2006, which also included 17 rated as critical, according to anti-virus firm Symantec.

Microsoft patched two holes that have already been used in targeted attacks against people browsing the Web with Internet Explorer 6 and 7. In addition to those two fixes, one bundle of critical updates plugs five other security holes in Internet Explorer, most of which Microsoft said are present in all versions of the browser.

Brian Krebs on Computer Security. The Washington Post Company.