New tack cuts spam drastically

INTERNET

November 14, 2008 | Joseph Menn | Menn is a Times staff writer.

"We got the report, and it looked pretty damning," said Benny Ng, director of infrastructure at Hurricane Electric, of Fremont, Calif. "They were a client of ours, and we turned them off."

Global Crossing did the same thing, security researchers said, though it didn't respond to interview requests.


McColo didn't answer messages seeking comment, and its website was off-line late Thursday. The company is now under FBI scrutiny, people familiar with the case said. An agency spokesman said the FBI wouldn't confirm or deny an active investigation.

Among other things, the researchers alleged that McColo operated servers that were used to control armies of drone computers that sent spam and siphoned financial information from those computers' owners, as well as servers used in offering child pornography.

The criminal groups that allegedly used McColo are largely believed to be based overseas. The groups now have to find other service providers.

"They're just like cockroaches; they'll scurry and set up operations other places," Ferguson said. "We're watching them do it, and maybe we'll be able to identify who is pulling the strings in Eastern Europe."

Several other contributors to the report, published at HostExploit.com, were identified by first name only, and its editor uses a pseudonym, Jart Armin. Some researchers don't want to cause controversy for their various corporate employers, while others fear physical harm from organized criminal groups behind child porn and fraudulent activity.

"The majority of the mainstream does care," said Armin, who described himself as a financial services security consultant. "As the community, we need to continuously remind or shame the others into caring. When the industry takes a proactive stance, many of the problems can be resolved."

Members of the band have different specialties, including tracing Internet traffic, analyzing how malicious software works and attributing spam to specific groups.

What they have in common is frustration -- at the enormous problems U.S. law enforcement has in pursuing suspects overseas; at the cloak of plausible deniability that allows bad operators to keep doing business with larger and more reputable firms; and at the inability of software to prevent consumers from being ripped off.

Unfortunately, the new approach would have been far more effective a few years ago. Server hosting companies and high-speed Internet providers are now easier to find around the world. And drone armies of computers can now be operated without having a single machine in charge, making them less vulnerable to a fatal beheading.

A September effort by Armin's team focused on another hosting company, Atrivo/Intercage, and when major Internet carriers dropped that company, spam fell 10%. Some Atrivo/Intercage customers switched to McColo, the new report says, and the volume went back up. More reports are being prepared.

"People thought the first community-source effort was a fluke," Ferguson said. "Now they see with McColo, it's not a fluke. The community can police its own backyard and purge the badness."

--

joseph.menn@latimes.com
