Network News

X My Profile
View More Activity

Scammer-Heavy U.S. ISP Grows More Isolated

Last week, Security Fix published an analysis of Atrivo, a California based Internet service provider, also known as Intercage, that has proven to be a virtual magnet for cyber-criminal operations. Since that time, Atrivo's biggest network backbone provider decided it could no longer support the company, and stopped offering it direct connectivity.


I first got wind of this change while reading a post on the NANOG mailing list, which caters to professionals employed by ISPs and various network providers. Marcus Sachs, director of the SANS Internet Storm Center, had said it looked like Global Crossing had stopped handling long-haul Internet traffic for Atrivo/Intercage within hours after our story was published. I followed up with Marc, but he was unable to produce any conclusive data showing the change.

Fast forward to today, and with the help of Jose Nazario at Arbor Networks, I was able to pull together a view of what happened. Global Crossing has in fact "de-peered" from Atrivo/Intercage, so it is no longer providing direct Internet connectivity.

I've put together short QuickTime movie that shows this de-peering in action, starting on Aug 27, the day our story on Atrivo/Intercage first ran. If you right click on the movie and save it to your hard drive before viewing it, you can actually see the route announcements for each new graphic spelled out at the top of the frame.

To better understand the animation, Atrivo/Intercage is represented by the number 27595 in the center of the graphic, with red semi-circles on the top and bottom. Global Crossing is represented by the number 3549, which you'll find directly below 27595. As the video progresses, you can see all of the routes that directly connect Atrivo and Global Crossing being peeled away like layers of an onion and reconnected to other providers.

Global Crossing did not respond to a request for comment.

Now, Atrivo/Intercage stands directly connected to the larger Internet by just two main upstream providers: Costa Mesa, Calif. based Bandcon (as represented by the number 26769 at the end of the video, and WVFiber out of Boca Raton, Fla. (WVFiber is the network at the top of the image, number 19151).

Update, Sunday, Sept. 7, 8:02 p.m.:
I spoke today with Randy Epstein, president of WVFiber and co-founder of, which acquired WVFiber just six weeks ago. Epstein said after reading reports from Security Fix,, and others about cyber crime activities at Atrivo, WVFiber has decided to drop Atrivo as a customer. WVFiber plans to stop providing upstream connectivity to Atrivo by Wednesday or Thursday at the latest, Epstein said. That would leave Atrivo with just a single upstream provider -- Bandcon.

Update, Sunday, Sept. 7, 9:15 p.m.: nLayer Communications, a company that owns a significant slice of the Internet addresses used by Atrivo/Intercage, is demanding that Atrivo vacate the space and return the addresses by Sept 30.

"Atrivo/Intercage has not been a direct customer of nLayer Communications since December 2007, but they still have some legacy reallocations from our IP space," wrote nLayer co-founder Richard A. Steenbergen, in an e-mail to Security Fix. "Since they are no longer a customer, we require that they return our non-portable IP space, and have given them a deadline of September 30th to do so. If the IP space is not returned by that point, we will follow standard procedure to reclaim it, including null routing the space, and sending cease and desist letters to any network who still transits it without our permission."

According to Steenbergen, Atrivo/Intercage must return roughly 7,400 IP addresses.

Update, Monday, Sept 8, 12:00 p.m. ET: Todd Braning, vice president of BandCon, just e-mailed me to say that BandCon also has stopped providing connectivity to Atrivo/Intercage. From his e-mail: "Intercage, a new customer, was connected to the BandCon Network for total of about a week. Once we recognized and issue with Intercage, BandCon took immediate action and terminated services. We are no longer providing services to AS27595. This can be confirmed here."

WVFiber is the only company still providing direct connectivity to Atrivo, and as stated before they plan to pull the plug by Thursday at the latest, so it appears that Atrivo will have to find another network provider or it will very soon cease to be reachable on the Internet.

By Brian Krebs  |  September 5, 2008; 10:44 AM ET
Categories:  Cyber Justice , Fraud , From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Number of Bot-Infected PCs Skyrockets
Next: A Superlative Scam and Spam Site Registrar


Neat graph & animation! Will this materially impact Atrivo/Intercage immediately or just increase their risk of total cutoff?

Posted by: William | September 5, 2008 12:33 PM | Report abuse

Nice one GC :)

Though I doubt this will stop them. All they'll do is find new peers.

Posted by: MysteryFCM | September 6, 2008 11:43 AM | Report abuse

Routing is a privilege, not a right.

Posted by: SeanC | September 7, 2008 4:34 PM | Report abuse

Hey BK,
nice work with this one. you should out mccolo and every US ISP resold by and I'm tired of the US being a hotbed for Russian cybercrime because of loopholes in the American reseller model.

Posted by: anonymous2323 | September 8, 2008 4:44 PM | Report abuse

Last media reports about Russia and Russians look as return to "cold war". Doesn't matter about what West media talk - about Georgia aggression (oh, sorry, i forgot - they call it's as Georgia independence protect) or about RBN. I think that because US now near to President election and someones again looking for an enemy and need "hot" news.
Russia and Russians is not US, EU and all the world citizens enemy.
We, are Russian tired of wars, doesn't matter "cold" or "hot". We just need do business with US, EU and rest of the World. Nothing more and nothing less. For historical reason Russia e-commerce (especially when we talk about dedicated server, hosting and domain reselling services) mainly served by "e-currency" which give some anonymity for payee. As result, cyber crime gang may hide their real face and register accounts under same reseller/provider many times using different mails, ICQ's numbers etc.
Also, Russians mentality may look for west citizens like a paranoid but many LEGITIMATE Russians would not like show their real personal data like a fist and last name, address etc. Again, please do not forgot about history lesson of Stalin epoch and KGB, such paranoia understandable unfortunately.
While we all need to stop spam and illegal active please be polite and do not call all Russian Business and their partners as RBN and RBN affiliated.
When few Russian social network sites was infected by Trojan to about 300 000 visitors from Russia malware have been installed and many zombied Russian PC's still alive.
So, it is not Russians cyberwar against the world - it is problem for all of us - internet users and professionals and we need cooperate to get ceber crime down.

Here, someone who call itself as anonymous2323 talk about one of our site which used for our billing system.
I am, on behalf of Rustelekom LLC, may declare that we are not affiliated with any cyber crime gang bang and we wouldn't like support them in any form. As any firm in the world we would like grow and expand our business but with legitimate customer only.
I am, on behalf of Rustelekom LLC, invite anyone who know that any of our customer affiliate with any illegal activity contact us directly and we will take action against him.

Best Regards

Posted by: Dmitry on behalf of Rustelekom | September 8, 2008 7:35 PM | Report abuse

This was only don't because of the publicity. It should have happened EIGHT YEARS ago.

Posted by: Finaly. | September 9, 2008 4:03 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company