AIRC Threat report and the link to McColo

As promised, the AIRC Threat Report for November is out.

And, as also promised, the link to McColo is revealed here: while we were looking at the criminal server, we had the opportunity to observe that someone else was logged onto the server at the same time, and that connection came from… McColo.

For those of you who are wondering – no, we did not “hack”, “infiltrate” or “break” into the server. Sometimes the simplest things let you see what’s behind the mirror (and legally).

Hosting provider crackdown?

Recently, there has been a lot of focus from the security research community on a hosting provider named McColo Corporation (out of San Jose, CA). Reports on spam, phishing and connections to Malweb distribution, amongst others, have been accumulating (including our own malicious server analysis, in which the server was observed to be administered from a McColo address).

It seems that the combination of law enforcement investigations and a recent story by the Washington Post has made its mark, and McColo IP addresses have gone silent since yesterday. We look forward to additional coverage on this in the coming days, as we finalize our own threat report on the eCrime server that has been analyzed, and on which we found the 200,000 compromised FTP credentials.