The Russian Business Network (commonly abbreviated as RBN) is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale.

Family Business Robbed On-Line
Patco Construction, a family-owned company, was impacted by a cyber crime that may have involved the RBN. The construction firm is suing after a $588,000 online theft. If crimes like this initiate first via social networking sites such as Facebook or Twitter, extensions of the family business could also be impacted. How? Some individuals are not careful with their choice of passwords:

  • Don’t use family names in passwords
  • Don’t use your Facebook or Twitter password for your online finances

Flow Analytics can help against the RBN
We see attacks coming in frequently, and the Known Internet Threats algorithm from Flow Analytics is constantly watching for RBN attacks by analyzing Cisco NetFlow from selected devices. See the alarm below, which appears to be a brute-force attack:

[Image: Known Internet Threats alarm (rbnThreats)]

Search for the RBN Host
I then searched on the host 221.192.8.90 to see if anyone from our network communicated back to this host:

[Image: RBN host search results (RBN Search)]

Above, the host was only found as the source (i.e. sending traffic in) and no host had responded: thank goodness!

More on RBN
The RBN seems to source from the Autonomous Systems in this diagram provided by Wikipedia.com.

[Image: RBN Autonomous Systems diagram from Wikipedia (Rbn_wikipedia)]

Internet Threats Algorithm
The Known Internet Threats algorithm allows all of our customers to download a list of known compromised hosts several times per day from Plixer. Flows from selected routers are then compared to the list to ensure no traffic is seen to or from these compromised machines.
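The two checks the post walks through (matching flows against a downloaded threat list, then asking whether any internal host talked back to the listed host) can be illustrated in a few lines. This is an added example, not Plixer's or Scrutinizer's code; it assumes a simplified flow record (src, dst, dst port, packets) and a constructed threat list that includes the 221.192.8.90 address discussed above.

```python
import ipaddress
from collections import defaultdict

# Constructed threat list in the same spirit as the downloaded one:
# one host per line, '#' comments allowed. 221.192.8.90 is the host from
# the post; 203.0.113.77 is a made-up documentation-range address.
THREAT_LIST = """
# known compromised hosts (constructed sample)
221.192.8.90
203.0.113.77
"""

# Constructed NetFlow-style records: (src, dst, dst_port, packets)
FLOWS = [
    ("221.192.8.90", "10.1.1.5", 22, 30),
    ("221.192.8.90", "10.1.1.6", 22, 30),
    ("221.192.8.90", "10.1.1.7", 22, 30),
    ("10.1.1.9", "203.0.113.77", 443, 12),  # internal host talking OUT to a listed host
    ("10.1.1.5", "192.0.2.10", 443, 5),     # ordinary traffic, not on the list
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def load_threats(text):
    """Parse the threat list into a set of host strings, skipping comments."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            hosts.add(line)
    return hosts

def match_flows(flows, threats):
    """Map each listed host seen in the flows to the internal hosts it hit
    (inbound, threat host is the source) and the internal hosts that
    sent traffic to it (outbound, threat host is the destination)."""
    hits = defaultdict(lambda: {"inbound": set(), "outbound": set()})
    for src, dst, _port, _pkts in flows:
        if src in threats and ipaddress.ip_address(dst) in INTERNAL:
            hits[src]["inbound"].add(dst)
        if dst in threats and ipaddress.ip_address(src) in INTERNAL:
            hits[dst]["outbound"].add(src)
    return dict(hits)

def responded(hits, threat):
    """True if any internal host sent traffic back to the listed host,
    i.e. the host appears as a destination, not only as a source."""
    return bool(hits.get(threat, {}).get("outbound"))
```

A listed host that appears only under "inbound" matches the "source only, nobody responded" outcome described above; anything under "outbound" is the case worth investigating.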

In the next blog I’ll outline how you can block a host using an ACL on our router.


Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
