Matthew Richard, director of the Rapid Response Team at VeriSign iDefense, told SCMagazineUS.com today that the RBN disappeared from its Chinese base last Thursday, two days after disappearing from the web.
RBN first became unreachable last Thursday. However, the internet service provider has used such a maneuver before to claim a network was in Panama, said Richard.
“It is unlikely that RBN voluntarily disabled its network. We know that on [Wednesday evening] it had customers using the network. Since its customers rely on the network being available, RBN would stand to lose money and customers by voluntarily shutting down the network,” he said. “It is also possible that its upstream provider caught on to the new network and shut it down quickly. At this point nobody knows with any certainty what caused the network shutdown.”
The RBN was reported to have relocated to China or Taiwan last week, buying seven net blocks of Chinese IP addresses, according to published reports. Experts said at the time that the situation was changing hourly.
The former St. Petersburg-based ISP closed up shop last Wednesday after its last upstream bandwidth provider cut ties with the company following numerous media reports detailing its alleged shady dealings.
The company is known in cybercriminal circles as a bulletproof hosting provider, meaning it has a no-questions-asked policy when it comes to hosting its 4,000 IP addresses, which have been used in a bevy of malicious attacks, from spam to phishing to IFRAMEs.
A RBN representative could not be reached for comment.
Richard Cox, chief information officer of the anti-spam nonprofit Spamhaus, told SCMagazineUS.com today that the relocation to China was likely a ruse to disguise the RBN's next move.
“We don't think that they were ever in China. This was a deliberate smokescreen put up to [hide the group's tactics],” he said. “They are certainly difficult to predict, and it's almost too dangerous to make a prediction in public because they almost always do the exact opposite.”