Russian Business Network – Detecting Cybercrime with NetFlow
Posted in NetFlow on September 28th, 2009 by mike@plixer.com

The Russian Business Network (commonly abbreviated as RBN) is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale.
Family Business Robbed On-Line
Patco Construction, a family-owned company, was hit by a cyber crime that may have involved the RBN. The construction firm is suing after a $588,000 online theft. If crimes like this begin on social networking sites such as Facebook or Twitter, family members connected to the business could also be affected. How? Some people are not careful with their choice of passwords:
- Don't use family names in passwords
- Don't reuse your Facebook or Twitter password for your online finances
Flow Analytics can help against the RBN
We see attacks coming in frequently, and the Known Internet Threats algorithm in Flow Analytics is constantly watching for RBN activity by analyzing Cisco NetFlow from selected devices. The alarm below appears to be a brute force attack:
Search for the RBN Host
I then searched on the host 221.192.8.90 to see whether any host on our network had communicated back to it:
In the results above, the host appeared only as the source (i.e. sending traffic in), and no internal host had responded. Thank goodness!
More on RBN
The RBN seems to source its traffic from the Autonomous Systems shown in this diagram from Wikipedia.
Internet Threats Algorithm
The Known Internet Threats algorithm lets all of our customers download a list of known compromised hosts from Plixer several times per day. Flows from selected routers are then compared against that list, and an alarm is raised if any traffic is seen to or from these compromised machines.
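The matching step described above, and the direction check from the "Search for the RBN Host" section, are easy to reproduce in a few lines. The following is an added example written for this page; it is not Plixer's Flow Analytics or Scrutinizer code. Everything in it is constructed: the threat list (the post's host 221.192.8.90 plus two RFC 5737 documentation addresses standing in for a downloaded list), the internal prefix 10.0.0.0/8, the NetFlow-style CSV records, the brute force threshold, and the ACL number 101 used for the Cisco IOS lines that the next post is said to cover.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat list: the host from the post plus two RFC 5737
# documentation addresses standing in for a downloaded "known bad" list.
THREAT_LIST = {"221.192.8.90", "198.51.100.7", "203.0.113.44"}

# Assumed internal address space of the monitored network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed NetFlow-style records as a collector might export them to CSV:
# three SSH flows from the post's host to three internal machines with no
# replies, one outbound HTTPS session to a listed host that did get a reply,
# and one benign DNS lookup.
SAMPLE_FLOWS_CSV = """\
src,dst,sport,dport,proto,packets
221.192.8.90,10.1.2.3,51822,22,6,12
221.192.8.90,10.1.2.4,51823,22,6,9
221.192.8.90,10.1.2.5,51824,22,6,11
10.9.8.7,198.51.100.7,44000,443,6,40
198.51.100.7,10.9.8.7,443,44000,6,35
10.1.1.1,8.8.8.8,53000,53,17,1
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int


@dataclass
class ThreatHit:
    inbound: int = 0                            # flows where the listed host is the source
    outbound: int = 0                           # flows where an internal host talked to it
    targets: set = field(default_factory=set)   # internal hosts it reached
    dports: set = field(default_factory=set)    # destination ports it hit

    @property
    def responded(self):
        """True if any internal host sent traffic back to the listed host."""
        return self.outbound > 0


def parse_flows(text):
    """Parse CSV flow records into Flow objects."""
    rows = csv.DictReader(io.StringIO(text))
    return [Flow(r["src"], r["dst"], int(r["sport"]), int(r["dport"]),
                 int(r["proto"]), int(r["packets"])) for r in rows]


def match_threats(flows, threats=THREAT_LIST, internal=INTERNAL_NET):
    """Compare every flow against the threat list, keeping the direction."""
    hits = defaultdict(ThreatHit)
    for f in flows:
        src_internal = ipaddress.ip_address(f.src) in internal
        dst_internal = ipaddress.ip_address(f.dst) in internal
        if f.src in threats and dst_internal:
            hit = hits[f.src]
            hit.inbound += 1
            hit.targets.add(f.dst)
            hit.dports.add(f.dport)
        elif f.dst in threats and src_internal:
            hits[f.dst].outbound += 1
    return dict(hits)


def looks_like_brute_force(hit, min_targets=3):
    """Heuristic for the alarm type in the post: one listed source hitting the
    same service on several internal hosts. The threshold is an assumption."""
    return len(hit.dports) == 1 and len(hit.targets) >= min_targets


def acl_lines(hits, acl_number=101):
    """Cisco IOS extended ACL entries that drop inbound traffic from each listed
    host seen sending in. The ACL number is an assumption; the trailing permit
    keeps the implicit deny at the end of the list from blocking everything."""
    lines = [f"access-list {acl_number} deny ip host {ip} any"
             for ip, hit in sorted(hits.items()) if hit.inbound]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    hits = match_threats(parse_flows(SAMPLE_FLOWS_CSV))
    for ip, hit in sorted(hits.items()):
        verdict = "responded" if hit.responded else "no host responded"
        flag = " (possible brute force)" if looks_like_brute_force(hit) else ""
        print(f"{ip}: {hit.inbound} in / {hit.outbound} out, {verdict}{flag}")
    print("\n".join(acl_lines(hits)))
```

On the sample data the post's host shows up with three inbound flows, no replies and the brute force flag, while the second listed host shows a response from an internal machine, which is the case that deserves a closer look. The ACL lines would be applied inbound on the Internet-facing interface with `ip access-group 101 in`; with a list refreshed several times a day, regenerating the ACL from the current hits rather than hand-editing it keeps the router in step with the list.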
In the next blog I'll outline how you can block a host using an ACL on a router.
Michael Patterson
Scrutinizer Product Manager
Tags: acl, Cisco NetFlow, cybercrime, Flow Analytics, identity theft, internet threats, NetFlow, RBN, Russian business network
[...] In this blog I will briefly outline how we made an entry in the ACL (access control list) on our router to block the RBN host 221.192.8.90 from sending anything onto our network. I discussed the attack in my last blog on Russian Business Network – Detecting Cybercrime with NetFlow. [...]