US network operator Verizon Communications is routing over 4 million IP addresses that are currently in the hands of cybercriminals, researchers at The Spamhaus Project reveal.
Spammers have been acquiring large ranges of IP addresses over the past few years to serve their nefarious purposes, as they can defeat spam filters by spreading sending patterns across a wide range of IP addresses. With IPv4 addresses being hard to come by these days, especially since the IANA (Internet Assigned Numbers Authority) allocated the last IP address blocks from the global IPv4 central address pool in February 2011, cybercriminals have turned to stealing IP address blocks.
Because there is no easy way for spammers to obtain new IP addresses through legitimate means, they are looking to grab IP address blocks that are dormant because their rightful owners are not using them. The black market for IP addresses is thriving given that a cybercriminal stealing a large IP address block can generate thousands of dollars per month.
However, cybercriminals also need to find an Internet Service Provider (ISP) or network that can route the stolen IP addresses to the rest of the Internet by using an autonomous system number (ASN). Spamhaus Project’s Barry Branagh explains in a blog post that cybercriminals are also seeking ISPs that won’t be looking closely at the routing request, which also means that they need to present authorization documents, which usually are forged ones.
In this context, Verizon’s network appears to have been the target of choice for some cybercriminals looking to route their IP addresses block, turning it into the largest single source of snowshoe spam in operation today. The researchers also warn that Verizon also has over 80 SBL listings at the moment and that it ranks sixth in The Spamhaus Project’s “The World’s Worst Spam Support ISPs” list.
Researchers have discovered that the majority of IP addresses ranges are owner primarily by Chinese and Korean ISPs and that they haven’t been used for about a decade until 2013. However, they have been already terminated from Asian hosts for spamming, and have been recently announced by AS7046, which is registered to UUnet Technologies, a company acquired by Verizon in 2006.
One of the affected networks was found to still exist, namely Pubnet Plus, which started out in the 1990s in Korea as a project aimed at increasing connectivity of public institutions. The assets of Pubnet Plus are now owned by South Korean carrier LG Uplus, Branagh notes, while explaining that the operator has been notified on the matter, although it did not provide a response as of yet.
Spamhaus researchers also note that, while they are unsure whether the Chinese and Korean ISPs are still in business, they do believe that it is unlikely that they are leasing their IP addresses to spam operations. Most likely, the IP addresses were hijacked and ISPs, including Verizon, were deceived into announcing these hijacked ranges.
This would be the case with the IP address ranges 18.104.22.168/16, which belonged to the US-based Information Access Center, a company that was acquired by the Thompson-Reuters Corporation (TRI). With the reputable news and information powerhouse highly unlikely to willing to lease their IP addresses to spammers and Verizon announcing the range, it is clear that the carrier was tricked by cybercriminals into doing so (Verizon stopped announcing the 22.214.171.124/16 range in November 2015).
According to Branagh, the issue is that Verizon did not immediately accurately verified the customers requesting it to route huge IP address blocks assigned to entities in the Asian-Pacific area. He also notes that Verizon has been repeatedly notified about the problem for the past half a year, and that the spam and cybercrime keeps flowing, despite Verizon employees committing to look into the situation.
The researcher also explains that the complaints about spam and abuse from these IP address blocks go to their official owners, which are the Chinese and Korean companies that are apparently either defunct, or are controlled by the spammers. Verizon should be receiving these complaints, but that does not happen, since the Whois contacts for these ranges don’t belong to the carrier.
Contacted by SecurityWeek, Verizon said that it was aware of the Spamhaus claims and post, but did not reject any of its claims.
“Reflecting our commitment to combating internet abuse, we have a program that involves education and notification for our end users and provide tools making reporting internet abuse to us easy,” a company spokesperson told SecurityWeek. The spokesperson also pointed to a dedicated abuse team “ensuring compliance with our Acceptable Use Policy” which is available online.
According to Branagh, Verizon is failing at properly vetting IP address ranges for which it provides transit, despite the fact that it has an anti-spam policy and took part in working groups such as M3AAWG. Fact is that, at the moment, the carrier is routing illicitly obtained IP address for spammers, which is making it directly responsible for facilitating cybercrime that affects millions of Internet users and networks.