The most notorious player in global cybercrime has suddenly vanished from the web, sparking fears that the Russian-based group is set to re-emerge as an even greater threat from a new base in China.

Security experts believe that the Russian Business Network (RBN), a shadowy organisation based in St Petersburg and run by a figure known only as “Flyman”, has played a role in most of the online crime committed in the UK in recent years. Dubbed “the mother of cybercrime”, RBN has been linked by security firms to child pornography, corporate blackmail, spam attacks and online identity theft.

It is feared that the group is building a massive new online platform in China, allowing gangs to launch a fresh wave of online crime. “The UK has been a focus for this group and its criminal clients, and things are set to get worse,” David Perry, an analyst for Trend Micro, the security group, said.

Any move to China would put the Chinese authorities under enormous pressure to take action against RBN.

Security experts say that RBN provides “bulletproof” websites to criminals. Often resembling legitimate websites, these can be used to plant malicious software in the computers of members of the public that visit them. Infected computers can be used to steal their owners’ passwords, secretly send electronic junk mail or launch cyber attacks on government networks.

One alleged “phishing” gang, known as the Rock Group, which used the company’s hosting service, is estimated to have made $150 million (£71.5 million) last year by tricking people into providing bank account details. The RBN is also said to have developed dozens of fake anti-spyware and anti-virus programmes to dupe people into giving it access to their computers in the mistaken belief that they were protecting themselves from online threats. The RBN’s activities are so notorious that VeriSign, one of the world’s biggest internet security companies, has dubbed it “the baddest of the bad”. Even the Bank of India was targeted, in August, when rogue software designed to steal passwords from customers’ computers was discovered. The bank’s website was shut down while experts debugged it.

Cybercrime has been estimated by the US Treasury to be more valuable than the illegal drugs trade — worth more than $100 billion a year.

The RBN has also been linked to the Russian authorities and is thought by some analysts to have played a role in the recent assault on Estonian cyberspace. A report from Symantec, the online security firm, alleges that the RBN has links with the criminal underground and government in Russia.

However, in recent days huge numbers of RBN-hosted sites have disappeared from the web, leading analysts to speculate that the group is revamping its business model. “RBN is reorganising,” said Raimund Genes, the chief technology officer of Trend Micro, a security group that has traced attacks by the RBN on corporate and government sites across Europe and US back to servers based in Panama.

One reason is thought to be the recent threats by Russian authorities to impose tougher penalties on internet criminals. Another was that large legitimate internet service providers – which the RBN relies on to provide it with internet access – have dropped it as a customer as its activities became more and more notorious. Some analysts suggested that it is aiming to become a more disparate group, with servers in Panama, Turkey, Malaysia, Singapore, China, the US and Canada.

Analysts have reported unusual bulk registries of thousands of internet web addresses in China, which they say fit the past practices of the RBN. China would provide the RBN with an even broader base to support criminal activities.

Gone phishing

— Security experts allege that the RBN “provides the plumbing" behind most crime on the web

— A typical scam might involve a cybercriminal paying the RBN to buy internet capacity to attack the website of a high street bank

— When a bank customer visits the bank website they are redirected to a mimic hosted by the RBN

— The mimic probes the customer’s web browser — most commonly Microsoft’s Internet Explorer — for vulnerabilities. If one is found, “downloader” software is installed through the browser, effectively creating a secret door into the PC

— That access can be used to plant software that, say, logs every keystroke made from then on by the customer

— The keylogging software will be used to steal passwords and credit card numbers

Source: Times Database

Times recommends

• From joystick to helmet: it's all in the mind
• 'Maniacal' engineer takes city computers hostage
• 3G iPhone review: fast but power-hungry