Monday, August 18, 2008

Re: [asterisk-biz] Fraud. (here we go again)

I must agree with Steve and emist. While it could be possible that they have access to a network which is allowing them to spoof, or fake, any IP they wish, I think it's more probable that these are compromised hosts, and the credit card data was taken from those computers. Can you provide packet captures of their traffic? If you could track down a human at the end of one of these hosts it would be trivial to find out if they are compromised.

I like Steve's idea about requiring human intervention during account signup. Is it required of this server to communicate with Vietnam at all? If not, I would surely block them. If account creation succeeds but they cannot place calls they should get bored and move on to the next target.

If it were me, I would set up a separate server and route all suspect traffic to the new server. I would allow them an account or two (not actually charging any CC of course), and then record every move they make. Then I should know who I am dealing with. If it is a small group or just a single individual I would take action to have them removed from their ISP, etc. If it were a group, large or small, operating from certain jurisdictions which do not care/do anything about this type of activity (I'm looking at *you* .ro), this tactic would have no effect. There's little left to do but defend yourself to the best of your abilities, else strike back.

P.S. The RBN is alive and well; they have distributed their network across several countries now. Watching them is fun, until they see you watching ;)

On Mon, Aug 18, 2008 at 8:18 PM, emist <emistz@gmail.com> wrote:
I agree with Steve, there's definitely the possibility of them using
compromised systems, in which case it will be almost impossible to know
in advance.

If I recall correctly there used to be decent money to be made in this
kind of business as well as in the renting of botnets to perform DDOS a
while back. Storm comes to mind, although I'm not sure what has become
of the rbn since then.
