Spammers behind most of today's network hijacking events

Sep 27, 2016 02:35 GMT

Spamhaus, the organization that runs one of the Internet's largest, most accurate and up-to-date spam lists, is warning against a spike in network hijacking events.

Network or BGP hijacking occurs when an ISP falsely announces to other service providers that an IP range is located on its network, when it is not.

That ISP can then receive traffic destined for that range of IPs, but it can also send traffic on behalf of the hijacked network.
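One check a receiving network can run against a false announcement like the one described above is route origin validation (RFC 6811), a technique this article does not cover. This is an added example, not code from Spamhaus or ARIN; the authorisation table, prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and
# documentation AS numbers (RFC 5398), not real allocations.
# Each entry: (authorised prefix, maximum prefix length, authorised origin AS).
AUTHORIZED = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
]

def validate_origin(prefix, origin_asn, authorized=AUTHORIZED):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for auth_prefix, max_length, auth_asn in authorized:
        auth_net = ipaddress.ip_network(auth_prefix)
        # An entry only applies if it covers the announced prefix.
        if route.version != auth_net.version or not route.subnet_of(auth_net):
            continue
        covered = True
        # Valid needs both: the right origin AS and a prefix no more
        # specific than the holder authorised.
        if route.prefixlen <= max_length and origin_asn == auth_asn:
            return "valid"
    # Covered but never matched: someone else is claiming the range.
    return "invalid" if covered else "not-found"

# Constructed announcements as (prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),    # the authorised holder
    ("192.0.2.0/24", 64511),    # a different AS claims the same range
    ("192.0.2.128/25", 64496),  # more specific than authorised
    ("203.0.113.0/24", 64511),  # range with no authorisation on record
]

def report(announcements=ANNOUNCEMENTS):
    """Return (prefix, origin AS, validation state) for each announcement."""
    return [(p, asn, validate_origin(p, asn)) for p, asn in announcements]

if __name__ == "__main__":
    for prefix, asn, state in report():
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

A range with no authorisation on record comes back as "not-found" rather than "invalid", so this check alone does not flag announcements of such ranges.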

Spammers guilty of most network hijacks

While receiving hijacked traffic might be of interest for nation-state actors, as Bruce Schneier warned last week, sending traffic from a hijacked network is a spammer's dream.

Spamhaus says that, in the past three years, BGP hijacks have grown in number, with most of these events occurring because of spammers, and not nation-state actors.

The organization says this is happening because of the shrinking IPv4 space. As more IP ranges get blacklisted on Spamhaus, as well as on other IP blacklisting services, spammers are getting more desperate.

ARIN had previously warned about IPv4 hijacking

In most cases, network hijacks occur when spammers find various methods of taking over legacy IP ranges, assigned to companies that don't seem to care about their IPv4 space.

ARIN (American Registry for Internet Numbers) also warned in June against an increase in IPv4 range hijacks, revealing that crooks are registering fake companies or re-registering old domain names in order to take over older IPv4 ranges.

ARIN can do little about it, since the 14,000 legacy IPv4 ranges it manages don't have an active contact person, so when someone reclaims an IP range, ARIN has to follow procedure.

Spammers can get creative when they need to

Spamhaus detailed one such case on its blog yesterday, revealing that a known spam operator managed to take over the IPv4 space of a legitimate company by impersonating its webmaster, who had passed away a few years before the hijack.

Using his name and an email address from a look-alike domain, the spammer managed to take over the IPv4 range and then route it through his desired ISP, where he was hosting a spam botnet.

"Who can help stop these hijackings?" the Spamhaus team asks. "ARIN has stated that it must abide by procedures defined via its Policy Development Process, which sometimes can limit ARIN's ability to take action, even when notified of false information being added to its records."

"It would seem that this activity will continue to be a problem until law enforcement starts to prosecute these criminal hijacking gangs and the spammers they conspire with," Spamhaus adds.

Timeline of network hijacking events