[funsec] McColo: Major Source of Online Scams andSpams KnockedOffline (fwd)

Nick Newman NNewman at nw3c.org
Wed Nov 12 21:52:12 UTC 2008

There's a common misconception of what LE does online (and when I say LE, I'm talking mostly state/local agencies): if you watch CSI or any other show that has anything to do with computer crimes, there is always a team of uber-geeks at every single agency (no matter how big it is) who spend 50% of their time online looking for phishing sites, CP sites, fraud sites and on and on.  The real world isn't like that at all.  For example, one state police agency we're familiar with has a team of *two guys* that do almost all of the computer forensics work for the *entire state*.  Considering the caseload they have (if I remember correctly, a computer has a turn-around time of 6 months, a cell phone about a week; this is because every avenue a defense attorney is going to take has to be covered), there quite simply is not time to do anything proactive online (such as analyze spam to find out most of it is coming from a couple particularly nasty web hosting companies on the other side of the country).  In most small agencies, the "computer forensics guy" is just the guy that knows more about computers than anyone else (read as, he figured out which port on the back of the computer was the USB port to hook up a new printer).  A handful of agencies nationwide are fortunate enough to have a CSI-esque computer forensics unit, but most do not.

Let's compare these two scenarios:

1. The world-wide community of people who essentially run the Internet have had enough with a nasty webhosting company in California.  They've determined that the majority of spam world-wide originates from this company offering bullet-proof hosting.  So they call the upstream providers and get them cut off.  NastySitesUnlimited tries to switch providers, but are disconnected again.  And again.  And again.  A few days later, company files for bankruptcy because no one will give them an uplink to the 'net.  Problem solved.  End of story.

2. Some LE agency serves a search warrant for "any digital evidence" and collects hundreds of terabytes of worth of data.  5 years later, after everything is processed (and during this time, things at Nasty Hosting Company have continued as normal, thanks to regular backups), charges are finally brought against some entity in the business, he gets thrown in jail for a few years and fined heavily, business gets renamed (VP takes over) and it's almost like nothing ever happened.

Which happened faster and was more effective?

On to the question about how network operators can help LE: *Collect the data that proves a company such as Intercage/McColo is harboring cybercriminals* and get with your local FBI/Secret Service field office (or your state's Attorney General's office) (or both) and submit a complaint at IC3's website  (www.ic3.gov) because we have an excellent team of analysts that track information like that.  Package up the evidence you have and send it out.  

If we lived in a perfect world, there would be a third scenario:

3. The world-wide community of people who essentially run the Internet have had enough with a nasty webhosting company in California.  So they gather an abundance of super-damning evidence and submit it to LE.  LE starts an investigation with the outstanding leads provided in the package, and starts making arrests.  The CEO and a few others at NastySitesUnlimited get sentenced and thrown in jail.  Business at NastySitesUnlimited continues as usual until they are cut off from the Internet a few days later because no one will give them upstream service.  It took a little bit longer, but the culprits are in jail and the business has been lynched.

Kee had an excellent question when he asked if anyone tried notifying LE, and the answer to that is probably not.  It's hard to tell what would've happened if LE was involved (who knows, maybe SS or FBI were working on it). LE does care, it's just a matter of resources available.  If you get the evidence together and in a matter that explains itself, it will get handled effectively (though probably not as fast as "Intercaging" a company).

-- Nick

Nicholas R. Newman
Computer Crimes Specialist
National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
1-877-628-7674 x2244
nnewman at nw3c.org

-----Original Message-----
From: Jeff Shultz [mailto:jeffshultz at wvi.com] 
Sent: Wednesday, November 12, 2008 3:56 PM
To: NANOG list
Subject: Re: [funsec] McColo: Major Source of Online Scams andSpams KnockedOffline (fwd)

Jason Ross wrote:
> On Wed, Nov 12, 2008 at 14:16, Nick Newman <NNewman at nw3c.org> wrote:
>> How many cops does it take to throw a community lynching?
> None.
> The question that remains is: Why is the community having to resort to lynching?
> Following the metaphor and using the US "Old West" as an example,
> lynchings were largely due to one of the following:
>    * a lack of organized law enforcement
>    * a lack of effective law enforcement

The problem is that to fix either of those problems you'd have to wade 
through a fever swamp of "facists online!" claims from all the 
pseudo-anarchists who start twitching at the thought of any agency 
imposing it's will on the internet.

Jeff Shultz

More information about the NANOG mailing list