There has been recent speculation concerning the Russian Business Network (RBN) and its increasing use of Chinese web space. By way of discussing this topic it is useful to quantitatively view this aspect via a practical example. We can kill 2 birds with one stone and do this via a requested update on “iFrame Cash”.
The iFrame Cash is an active RBN enterprise we call here part of the RBN “Retail Division”. Simply the RBN pays webmasters or small web hosts a commission for planting or injecting IFrame exploits on web sites, this is done via the web site iframedollars.com and others.
Iframedollars has recently changed its IP location as it has done regularly since 2004, joining the dots (NB. Click on the images to see the detail):
1. iframedollars.com
= 58.65.234.17, ns1.iframedollars.com = 58.65.234.17, ns2.iframedollars.com = 58.65.234.18, MX iframedollars.com (mail server) = 58.65.234.17
58.65.234.0/24 = HOSTFRESH Internet Service Provider Pacific Internet (Hong Kong) Limited (Customer Route) REACH (Customer Route) = China?
2. myrdns.com / hostfresh.com
ns1.hostfresh.com = 58.65.238.100, ns2.hostfresh.com = 58.65.238.101
For, myrns.com sharing IP records = us1core.hostfresh.com, jishuqi.cn, shippingnv.com
3. For us1core.hostfresh.com
4. AS27595 = Intercage
So at this time:
(A) iFrame dollars facts ;
Host = Hostfresh, ICANN registrar = Estdomains, IP address changes = 14 (2 years), Who is records = 44 (since 2004). Alexa rank = #605,524 up 62,752 in the last 3 months
(B) Hostfresh facts ;
Host = Myrdns, ICANN registrar – IP address changes = 5 (2 years), Who is records = 233 (since 2004). Alexa rank = # 361,013 up 387,6323 in the last 3 months
(C) Intercage facts:
As reported earlier Intercage = AKA; Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US), Estdomains, (Note: also interestingly Broadwing Communications a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT- appears to be the core mail carrier and mirrored hosting for AS 27595). This hosts or acts as a name server for at least 34 of the 40 RBN fakes.
58.65.239.66 was also one of the 2 domains involved in the Bank of India hack.
This is Intercage again, to restate, many forum and other Internet user complaints dating back to 2004, and blacklisted by Spamhaus. However such blacklists are predominately used to block access “from” e.g. spam, we need a CYBERINT system to prevent access to. Currently only systems such as McAfee’s Site Advisor provide a web users guide and this is not perfect.
Also hopefully this example demonstrates that when watching the RBN because an IP address shows a Hong Kong / Chinese / Russian registrant or has Chinese or Russian writing does not mean it is actually based and hosted there.
Simple observation, just assume anything associated with the RBN is based on misdirection in the first place.
