“Wait … *beep beep* back up for a second, Alex. I heard 3fn was brought down by the FTC!”
That would be correct! On June 4th the FTC served a takedown notice that essentially dropped 3fn (aka “Triple Fiber Network”, Pricewert, APX Telecom, APS Communications) off the Internet. I was approached by law enforcement looking for evidence of malicious activities, and luckily, I was in the midst of writing up an article for my Bad Actors blog series. I decided to wait until a little time had passed before publishing details, so as not to tip off 3fn and possibly ruin an investigation. (Note that the investigatory group that approached me was at the federal level, but was not the FTC.)
Below you’ll find my analysis of their IP blocks and a large amount of data about the Bad Actors whom they supported. Most of the links below are completely Not Safe For Work, possibly malicious, and frankly, many of them are disgusting in name as well as content. It’s not advised that you actually visit any of them. I also have more content that I didn't post, and if you're interested in it, feel free to drop me a line.
As I’ve been talking about in previous posts, there are many different aspects of a network infrastructure that a criminal needs to have in place to operate a successful organization. Let’s think about some of the pieces that need to be stable for a simple client-server SPAM botnet such as Cutwail, which was mainly hosted at 3fn.
First of all, you need to infect a user with the Cutwail malware. This malware could be delivered via a web exploit (such as one of the recent vulnerabilities in Adobe PDF, Office, Firefox, or DirectShow), via a social engineering attack (“You’re missing this video codec – press OK to install”), or possibly through other vectors like e-mail or IM. I’ve only seen Pushdo/Cutwail distributed through exploits and social engineering, so let’s focus on those. First, you need to control the sites that are hosting exploits or malware, and you need to be able to redirect or otherwise get users to visit. 3fn was doing plenty of both the redirection and the actual hosting, as I’ll detail below.