9:47 pm (UTC-7) | by Paul Ferguson (Senior Threat Researcher)
I hate to single out individual countries, organizations, ISPs, or any other entity but I have to tell you—my head almost explodes when I run into barriers in trying to contact the responsible organization where I see criminal activity.
Now sure, I see criminal activity in a lot of places, granted. It is almost endemic in Eastern Europe and in other hosting facilities where Eastern European criminals manage to dupe providers into granting (or simply buy) services under the guise of being legitimate consumers.
That’s why I am writing this now.
I am very disappointed in the results of my efforts earlier this evening to try to contact the responsible ISP and domain contacts listed in WHOIS about a recently discovered KOOBFACE/LDPinch credential drop site located within their facilities.
First, the address contact listed in the IP allocation WHOIS bounced as “address unknown.”
Then the contact address listed for the domain seems to have simply black holed.
And after asking personal contacts for assistance, even more emails were rejected.
This is not only frustrating, it is infuriating.
And it is fundamentally wrong and contributes to the ability of Eastern European criminals (in this particular case) to enjoy the protection that these failures provide.
This is not a new phenomenon—recall the control of Abdallah Internet by components of the Russian Business Network detailed in a report by the Shadowserver Foundation in 2008.
And there are still remnants of Russkrainian criminal operations in Turkish ISPs—this is a validated fact for which we have multitudes of evidence.
In any event, it would be nice if we could actually get the attention of someone in Turkey to assist us in mitigating these threats.
As it stands today, Turkey seems to be a black hole where no one can be contacted about criminal abuse issues, and I’m sure the Eastern European criminals like it that way.
And that’s a shame.