One month after the shutdown of hosting provider McColo Corp., spam volumes are nearly back to the levels seen prior to the company's take down by its upstream Internet providers. But according to one noted fraud expert, spam wasn't the only thing that may have been routed through the Silicon Valley based host: New evidence found that retail fraud dropped significantly on the same day.

It is unclear whether the decrease in retail fraud is related to the McColo situation, but in speaking with Ori Eisen, founder of 41st Parameter, he said close to a quarter of a million dollars worth of fraudulent charges that his customers battle every day came to a halt.

Eisen, whose company provides anti-fraud consulting to a number of big retailers and banks, told me at least two of the largest retailers his company serves reported massive declines in fraud rates directly following McColo's termination.

"It stopped completely that night," Eisen said, referring to a drop in fraudulent activity linked to purchases of high-value merchandise with stolen credit and debit cards on Nov. 11, the day McColo was shut down. "Yet, it will come back after [the scammers] erect their new infrastructure."

Eisen's testimony suggests that a great many fraudsters may have been using McColo to funnel their Internet connections when attempting to purchase goods from retailer sites.

In a follow-up blog post about the casualties of the McColo disconnection, Security Fix called attention to a Web site called "fraudcrew.com," a Web service that offered paying customers the ability to hide their identities online by routing their traffic through computers controlled by others. Fraudcrew.com was hosted on McColo's servers.

From that piece:

There are a number of services like those offered by Fraudcrew (Security Fix profiled another one earlier this year) that not only aid in hiding one's identity online, but could also defeat security measures put in place by financial institutions. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives.

These masking services provide a software program that allows the user to pick from a drop down list of Internet addresses to proxy through. For example, if a user in Ukraine, has stolen the user name and password that Joe from St. Louis uses to access his bank online, that user can simply select a node in the proxy list that's in St. Louis, and the bank site will be none the wiser that the person logging in is not actually in St. Louis.

It is impossible to say whether the same individuals who were funneling their spam operations through McColo have moved elsewhere. For its part, Fraudcrew appears to have found a new host, a provider in Luxembourg.

Spam volumes have since risen almost to pre-McColo levels in the past month. Some of this resurgence has been sporadic, thanks in no small part to the efforts of FireEye, a Milpitas, Calif., based security startup, which has kept pressure on Internet service providers not to associate themselves with the spam gangs that have been trying to regain control over their herds of spam spewing zombie PCs. Interested readers can learn more about these efforts by visiting the always-interesting FireEye blog, at this link here.

voices.washingtonpost.com/securityfix/2008/12/mccolo_shutdown_killed_retaile.html