THE TIMES  Saturday November 10 2007,  Page 13

   
Cybergang raises fear of new crime wave
 
 
 

  • Russians blamed for identity theft and porn
  • British victims may now be hit from China
Rhys Blakely, Jonathan Richards, Tony Halpin Moscow

The most notorious player in global cybercrime has suddenly vanished from the web, sparking fears that the Russian-based group is set to re-emerge as an even greater threat from a new base in China.

Security experts believe that the Russian Business Network (RBN), a shadowy organisation based in St. Petersburg and run by a figure known only as "Flyman", has played a role in most of the online crime committed in the UK in recent years. Dubbed "the mother of cybercrime", RBN has been linked by security firms to child pornography, corporate blackmail, spam attacks and online identity theft.

It is feared that the group is building a massive new online platform in China, allowing gangs to launch a fresh wave of online crime. "The UK has been a focus for this group and its criminal clients, and things are set to get worse," David Perry, an analyst for Trend Micro, the security group, said.

Any move to China would put the Chinese authorities under enormous pressure to take action against RBN.

Security experts say that RBN provides "bulletproof" websites to criminals. Often resembling legitimate websites, these can be used to plant malicious software in the computers of members of the public that visit them. Infected computers can be used to steal their owners' passwords, secretly send electronic junk mail or launch cyber attacks on government networks.

One alleged "phishing" gang, known as the Rock Group, which used the company's hosting service, is estimated to have made $150 million (£71.5 million) last year by tricking people into providing bank account details. The RBN is also said to have developed dozens of fake anti-spyware and anti-virus programs to dupe people into giving it access to their computers in the mistaken belief they were protecting themselves from online threats. The RBN's activities are so notorious that VeriSign, one of the world's biggest internet security companies, has dubbed it "the baddest of the bad". Even the Bank of India was targeted in August, when rogue software designed to steal passwords from customers' computers was discovered. The bank's website was shut down while experts debugged it.

Cyber crime has been estimated by the US Treasury to be more valuable than the illegal drugs trade - worth more than $100 billion a year.

The RBN has also been linked to Russian authorities and is thought by some analysts to have played a role in the recent assault on Estonian cyberspace. A report from Symantec, the online security firm, alleges that the RBN has links with the criminal underground and government in Russia.

However, in recent days huge numbers of RBN-hosted sites have disappeared from the web, leading analysts to speculate that the group is revamping its business model. "RBN is reorganising," said Raimund Genes, the chief technology officer of Trend Micro, a security group that has traced attacks by the RBN on corporate and government sites across Europe and the US back to servers based in Panama.

One reason is thought to be the recent threats by Russian authorities to impose tougher penalties on internet criminals. Another is that large legitimate internet service providers - which the RBN relies on to provide it with internet access - have dropped it as a customer as its activities become more and more notorious. Some analysts suggested that it is aiming to be a more disparate group, with servers in Panama, Turkey, Malaysia, Singapore, China, the US and Canada.

Analysts have reported unusual bulk registries of thousands of internet web addresses in China, which they say fit the past practices of the RBN with an even broader base to support criminal activities.

Gone Phishing
  • Security experts allege that the RBN "provides the plumbing" behind most crime on the web

  • A typical scam might involve a cybercriminal paying the RBN to buy internet capacity to attack the website of a high street bank

  • When a bank customer visits the bank website they are redirected to a mimic hosted by the RBN

  • The mimic probes the customer's web browser - most commonly Microsoft's Internet Explorer - for vulnerabilities. If one is found, "downloader" software is installed through the browser, effectively creating a secret door into the PC

  • That access can be used to plant software that, say, logs every keystroke made from then on by the customer

  • The key logging software will be used to steal passwords and credit card numbers

    Source: Times Database