Thursday, September 24, 2009

Protected By Emerging Again

In "'Money Mule' Recruitment Network Exposed" (,
Brian Krebs discusses the fraudulent money mule recruiters of the Scope Group Inc. The Scope Group Inc. and its associated web sites operate on the following IP addresses:

Those who had implemented the emerging-rbn.rules protected the users of their networks from these ruthless criminals, who stole more than $117,000.00 from the small Sanford School District last month.

James McQuaid

Wednesday, September 23, 2009

Protected By Emerging

Those who had implemented the emerging-rbn.rules protected their networks from the September 11th and 12th attacks on the visitors to The New York Times web site.

The attacks utilized the following IP addresses:

Dancho Danchev and Gary Warner's blogs provide good explanations of these attacks:

Visit Emerging Threats at

James McQuaid

Friday, September 11, 2009

RBN Attacking White House Anti-Drug Web Sites

In another example of the RBN revealing the true measure of their malice, White House Anti-Drug Sites have been attacked over the past week.

Malware Domain List reported on September 5th that the website of the Office of National Drug Control Policy had been compromised. In that instance, the site was directing visitors to a trojan: directs to trojan 2009/09/05. features White House Drug Policy initiatives, programs, and resources, as well as testimony and press releases. The site outlines National Drug Control Strategy goals and objectives.

Today, I found that, which is a data receptor for the notorious Clampi banking Trojan (Trojan.Clampi) had an A record pointing to This is the same IP address reserved for use by, the "Parents: The Anti-Drug" site created by Fleishman-Hillard (a leader in international marketing and communications).

AS2914 NTTC-GIN-AS NTT Communications Global IP Network
DNS Records
Columns: base, record, name, ip, reverse, route, as
Four "a" records, each listed as United States.

Alexei Vasiliev, a familiar RBN criminal involved in the propagation of the Clampi banking Trojan, used his email address ( to register one of the known Clampi domains.