[Asrg] News Article - Stealing IP address ownership to send spam
2003-06-11 12:42:01
See the following SecurityFocus article
(http://www.securityfocus.com/news/5654) and the related Slashdot story
(http://yro.slashdot.org/yro/03/06/11/1853254.shtml). Some quotes:
--snip--
"The most rapacious consumers of the stolen address space are spammers
trying to stay a step ahead of anti-spam blacklists. A /16 provides a lot
of addresses to hide behind, a lot of launch pads for unwanted e-mail,
squats for hastily-erected spamvertised websites, and attack points from
which one can scan the Internet for misconfigured proxy servers -- useful
for laundering even more spam. Some anti-spam investigators believe an
underground economy exists in which a large block of address space is
broken down and re-sold in smaller chunks like a boosted Acura in a
chop-shop. "Money is changing hands," says Kai Schlichting, a veteran
network engineer who tracks down stolen IP space in his spare time. "I
wouldn't be surprised if you could sell a /16 for $100,000 in bits and pieces."
"But elsewhere the scam has intensified in recent months, with at least
seven large allocations found newly-diverted, and countless other cases
suspected. Last month anti-spam groups and concerned network operators
formed a private mailing list to investigate the phenomenon outside the
view of cyberjackers. "There's anything up to 100 of these blocks out there
on the loose," estimates Richard Cox, an IT forensics guru with Mandarin
Technology in the U.K. "That's the magnitude that we're dealing with here."
"Network operators were galvanized by a particularly brazen case in April,
when a trail of spam led to the discovery that no-less than six /16s --
nearly 400,000 addresses -- had been misappropriated from Trafalgar House,
a British construction and shipping conglomerate that's now part of Aker
Kvaerner, headquartered in Norway. From the U.K., Cox discovered that the
perpetrators conned the American Registry for Internet Numbers (ARIN) into
changing the contact information for the space. One of the /16s was traced
to a Dutch spammer, and the other five to a mysterious company called
"Fedfinancial Corp."
Fedfinancial managed to convince ARIN that it had been contracted to
provide network management services for Trafalgar. ARIN won't say exactly
how it was swindled, but registration records show the grifters had an
authentic-looking e-mail address at a newly-minted "traf-infosystems.net"
domain, and a genuine street address with matching voice and fax telephone
numbers. But the phone numbers ring to Nevada and Offshore Business
Formation, a company that sets up corporations for a fee, and takes orders
over the Web. Public records show that they incorporated Fedfinancial as a
Nevada corporation last January, on behalf of an unnamed client. The street
address is also theirs."
"But like the mob moving in on a neighborhood poker game, spammers have
turned a once-harmless misdemeanor into an organized and well-funded
scheme. Internet defenders shudder at the thought of large portions of the
net's real-estate under the control of anonymous rogue entities. "There's
no accountability. You don't know who really owns this particular address
space. You have no way of finding out," says Schlichting. Some even worry
that malefactors will go a step further, and begin hijacking address space
that's already in active use. "This whole episode has identified huge
weaknesses in the Internet's own infrastructure," says Cox. "What we've
seen happen is trivial compared to what we've seen possible."
--snip--
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
- [Asrg] News Article - Stealing IP address ownership to send spam,
Yakov Shafranovich <=