Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Verizon Accused of Routing Millions of IP Addresses for Cybercriminals

US network operator Verizon Communications is routing over 4 million IP addresses that are currently in the hands of cybercriminals, researchers at The Spamhaus Project reveal.

US network operator Verizon Communications is routing over 4 million IP addresses that are currently in the hands of cybercriminals, researchers at The Spamhaus Project reveal.

Spammers have been acquiring large ranges of IP addresses over the past few years to serve their nefarious purposes, as they can defeat spam filters by spreading sending patterns across a wide range of IP addresses. With IPv4 addresses being hard to come by these days, especially since the IANA (Internet Assigned Numbers Authority) allocated the last IP address blocks from the global IPv4 central address pool in February 2011, cybercriminals have turned to stealing IP address blocks.

Because there is no easy way for spammers to obtain new IP addresses through legitimate means, they are looking to grab IP address blocks that are dormant because their rightful owners are not using them. The black market for IP addresses is thriving given that a cybercriminal stealing a large IP address block can generate thousands of dollars per month.

SPAM Using IPsHowever, cybercriminals also need to find an Internet Service Provider (ISP) or network that can route the stolen IP addresses to the rest of the Internet by using an autonomous system number (ASN). Spamhaus Project’s Barry Branagh explains in a blog post that cybercriminals are also seeking ISPs that won’t be looking closely at the routing request, which also means that they need to present authorization documents, which usually are forged ones.

In this context, Verizon’s network appears to have been the target of choice for some cybercriminals looking to route their IP addresses block, turning it into the largest single source of snowshoe spam in operation today. The researchers also warn that Verizon also has over 80 SBL listings at the moment and that it ranks sixth in The Spamhaus Project’s “The World’s Worst Spam Support ISPs” list.

Researchers have discovered that the majority of IP addresses ranges are owner primarily by Chinese and Korean ISPs and that they haven’t been used for about a decade until 2013. However, they have been already terminated from Asian hosts for spamming, and have been recently announced by AS7046, which is registered to UUnet Technologies, a company acquired by Verizon in 2006.

One of the affected networks was found to still exist, namely Pubnet Plus, which started out in the 1990s in Korea as a project aimed at increasing connectivity of public institutions. The assets of Pubnet Plus are now owned by South Korean carrier LG Uplus, Branagh notes, while explaining that the operator has been notified on the matter, although it did not provide a response as of yet.

Spamhaus researchers also note that, while they are unsure whether the Chinese and Korean ISPs are still in business, they do believe that it is unlikely that they are leasing their IP addresses to spam operations. Most likely, the IP addresses were hijacked and ISPs, including Verizon, were deceived into announcing these hijacked ranges.

Advertisement. Scroll to continue reading.

This would be the case with the IP address ranges, which belonged to the US-based Information Access Center, a company that was acquired by the Thompson-Reuters Corporation (TRI). With the reputable news and information powerhouse highly unlikely to willing to lease their IP addresses to spammers and Verizon announcing the range, it is clear that the carrier was tricked by cybercriminals into doing so (Verizon stopped announcing the range in November 2015).

According to Branagh, the issue is that Verizon did not immediately accurately verified the customers requesting it to route huge IP address blocks assigned to entities in the Asian-Pacific area. He also notes that Verizon has been repeatedly notified about the problem for the past half a year, and that the spam and cybercrime keeps flowing, despite Verizon employees committing to look into the situation.

The researcher also explains that the complaints about spam and abuse from these IP address blocks go to their official owners, which are the Chinese and Korean companies that are apparently either defunct, or are controlled by the spammers. Verizon should be receiving these complaints, but that does not happen, since the Whois contacts for these ranges don’t belong to the carrier.

Contacted by SecurityWeek, Verizon said that it was aware of the Spamhaus claims and post, but did not reject any of its claims.

“Reflecting our commitment to combating internet abuse, we have a program that involves education and notification for our end users and provide tools making reporting internet abuse to us easy,” a company spokesperson told SecurityWeek. The spokesperson also pointed to a dedicated abuse team “ensuring compliance with our Acceptable Use Policy” which is available online.

According to Branagh, Verizon is failing at properly vetting IP address ranges for which it provides transit, despite the fact that it has an anti-spam policy and took part in working groups such as M3AAWG. Fact is that, at the moment, the carrier is routing illicitly obtained IP address for spammers, which is making it directly responsible for facilitating cybercrime that affects millions of Internet users and networks.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...