Close to 735k Fraudulently Obtained IP Addresses Uncovered and Revoked

337 points| pencilingin | 6 years ago |circleid.com

147 comments

[+] gscott|6 years ago|reply
I once applied for a position at what I found out to be a spam marketing company. In order to send their spam they worked with a local hosting company that would take unused legacy IP addresses and put them in their router so the spam could be sent over them. They would just burn the IPs and move on to the next set. My job would be to update their firewall with the new IPs and update their mailing software with the current set of IPs each day. They made their own mailing software; it had an interface like a stoplight where red meant the mail wasn't going out, yellow that a lot of it was getting blocked (so move to the next IPs) and green that things were good. I didn't end up taking the position. This was around 12 years ago.
[+] dennisgorelik|6 years ago|reply
Today if you try to send a lot of emails from new IP address - most of these emails will go to spam folders (even if emails are legitimate).

In order to send large numbers of emails from an IP address -- you need to gradually ramp up number of emails sent (and have low complaint rate and low bounce rate).

[+] jokoon|6 years ago|reply
I wonder if governments could somehow vouch for email addresses, being a little like verified Twitter accounts, so that we can have a good whitelist of legit email addresses.

Right now it seems Gmail is benefiting from the chaos because they have the training data that allows them to know if a mail is spam. I just wish that the internet could adopt more security standards and processes. You can't trust only Google now.

[+] CobrastanJorji|6 years ago|reply
I'm glad you didn't. Tech doesn't really have the ethics standards that more mature fields like law or medicine have, but they should, and that sort of thing shouldn't pass muster.
[+] spydum|6 years ago|reply
I always wondered if someone had created a biz for the purpose of hoarding IPv4 with intent to “sell them”. We talked about this kind of abuse back in the 90s when I worked for a hosting company. Part of my job was filling out ARIN templates and SWIP and all that nonsense. Justification was easy, but it occurred to me how easy it would be to fake requests and just pay the trivial fees. There were already some businesses buying up smaller companies for access to their old legacy allocations. Then the massive cloud build-outs started and IP consumption became a real concern.
[+] alexpotato|6 years ago|reply
This reminds me of a conversation I had with the AC repairman last year.

Backstory: we have an old AC unit that uses freon.

The repairman mentioned that freon is no longer available for new AC units. I asked if you could still buy freon and he said yes, existing supplies were grandfathered in.

I then commented that the price of freon must have sky-rocketed and he said: "yes, it did for a while but then it became cheaper to just get a new unit rather than fill up an old unit with freon."

I would imagine that as the price of IPv4 addresses crosses some threshold, people will just start going to IPv6.

As Michael Crichton once said in one of his books: "There was no subsidy that caused people to switch from horses to cars". They were just cheaper and easier to operate.

[+] umanwizard|6 years ago|reply
There is an active, mature market for IPv4 addresses (just google "IPv4 address broker"), so it stands to reason that there are people hoarding them for speculation.

It's not free money, of course -- it's entirely possible that the value goes down, as things that reduce the pressure on the IPv4 address space slowly come online (CGNAT and IPv6)

That said, I'm a bit confused by this story. ARIN ran out of addresses in 2015, and it was my impression that since then you can't just get IPv4 addresses for free from them, which is why the above-mentioned markets exist. So, how were they able to keep running this scam after 2015?

[+] iDemonix|6 years ago|reply
I work for a UK based ISP. We have millions of unused addresses, largely because back in the 90s they were practically giving them away. We're still expanding and using up new IPs daily, but we often sell blocks when the department needs a boost...
[+] broknbottle|6 years ago|reply
Wow, I dealt with this guy / company Micfo LLC at my previous employer a few years back. He had our DC announce a range and all his documents checked out. Some other dude reached out to our ipadmin address saying we were announcing his range. The Micfo guys had forged the documents or something shady and we removed the announcement for his range. He was very upset and claimed the other party was sour over some deal. He ended up leaving when we pushed back on him announcing new ranges. He provided more excuses on why he didn't have things than actual documentation. He tried to come back a couple years later but we told him to kick rocks.
[+] jstarfish|6 years ago|reply
Micfo provides infrastructure to anonymizing VPNs (among other things). Their network is one of the more prolific sources of fraud I've ever dealt with.

It got so bad we would preemptively block all of their BGP prefixes.

I'm not surprised in the least that they would resort to owning IP spaces they didn't.

[+] codedokode|6 years ago|reply
20 years seems a little too much for the crime that doesn't involve violence. 2 or 3 years and a solid fine should be fair punishment in my opinion.
[+] paulmd|6 years ago|reply
US prison sentences are ridiculously long in general.

In principle the key word is supposed to be "up to", the judge is supposed to use their discretion.

In practice, it's used as a lever to force plea deals. If you waste the government's time and money with a trial, you probably still won't win, but now you will be doing up to 20 years. Sign here and spare us the trial and you'll get 5 years.

Of course then you have the people who are truly innocent but are forced to plea out anyway at threat of spending a significant chunk of their lives in jail...

There is also the view that extreme prison sentences are supposed to be a deterrent and thus are unfair by nature. If you know you are at risk of spending 20 years in jail, you won't do the crime. Of course in many cases criminals do not really consider the risk of getting caught, and likely wouldn't know the exact penalties for a given crime anyway...

[+] SolarNet|6 years ago|reply
At some point it involved violence. It's one of those things where he provided a service that did not follow the regulations that were in part placed there to prevent crime. His violations of these regulations allow other criminals to piggyback off of him by using his services. Spammers, VPNs, and other services which criminals can use - especially with forged IP address ranges - to commit crimes. He is a middle man, and by not following regulations, he assisted all of those crimes.

Consider craigslist, they are protected by safe harbor laws because they comply with regulations and laws, even though criminal activity passes over their servers, it's a level that is deemed acceptable by society for the service they provide (given they are well regulated). When laws like FOSTA/SESTA get passed and change those regulations, some services will shut down (because they are no longer complying).

Which is why he probably deserves a larger sentence (though others have pointed out the ridiculousness of the US sentencing system and I don't disagree).

[+] MaulingMonkey|6 years ago|reply
While I'm more for rehabilitation than retribution, $10M - rough value of the stolen IPs - is a staggeringly large amount of money, around 4x the average lifetime earnings of a college graduate.

$10M can save a lot of lives, and $10M missing from shareholders' accounts and not going into employee benefit plans for healthcare etc. might very well end some. Framing that as nonviolent... is correct by the letter of the law, but it's not the way I'd frame it first and foremost.

[+] closetohome|6 years ago|reply
I love that they desperately tried to file for a restraining order the day before Christmas.

Why do grifters like this always get so defensive? If he'd just played it cool he would absolutely have had time to wind down his operation and move the money somewhere safe. Now he's just going to go to jail.

[+] VectorLock|6 years ago|reply
If they're greedy enough to be defrauding people, they're greedy enough to want to try to keep their shady business rolling.
[+] jtchang|6 years ago|reply
One thing that is annoying is that ARIN recently raised the amount of money it costs to maintain a /24. I was unexpectedly hit with a $500 bill when previous prices were $100. Was quite annoying considering there is very little cost in providing these allocations (they really beef up their headcount). Been thinking about trying to get on the board but it is near impossible.
[+] jonawesomegreen|6 years ago|reply
I've often wondered how much of the IPv4 address space is legacy allocations that are not at all being fully utilized. Perhaps the market for IPv4 addresses has worked this out, and anyone that has such an allocation has cashed in.
[+] icedchai|6 years ago|reply
There are tons of legacy allocations from the 90's and earlier that are not being routed / utilized. Many are also assigned to defunct entities. To confirm this, you can poke around WHOIS a little bit. Because many of them actually predate ARIN's formation in 1997, they are considered "legacy" allocations and aren't charged a fee by ARIN unless the organization has opted into an agreement.
[+] broknbottle|6 years ago|reply
Here's one, it's under S-MOS Systems, Inc. (SMOSSY) which was bought by Epson the printer company. Somebody registered the domain when it expired and sold the company + "IPs" to a company I worked at in the NOC. When we went to ARIN to set everything up for rDNS, ARIN pushed back and said you do not own these, Epson owns this range. The company that sold the IPs disappeared with the money. The smos.com registration lapsed and some Chinese company immediately registered the domain.

148.130.0.0/16

[+] toast0|6 years ago|reply
The IPs in question were directly assigned to the defendant by ARIN based on fraudulent requests. They weren't fraudulently transferred from existing allocations.
[+] brianwawok|6 years ago|reply
For enough dollars you can sample 100k addresses at random and have a decent guess?

Not everyone responds to a ping but I suspect most do

[+] _JamesA_|6 years ago|reply
Not sure if it's related or not but I was receiving spammy e-mails for a while from "Admiral Hosting":

"Mike Watson here, from Admiral Hosting. I'm touching base regarding a business opportunity. Have you ever thought about turning your IP's into profit on a monthly basis? Admiral Hosting handles dozens of such B2B projects and its dedicated technical team oversees each project’s implementation."

[+] sneak|6 years ago|reply
What is interesting to me is that you can’t really “revoke” an IP. ARIN’s authority really only comes from ISPs that listen to their recommendations in creating prefix filters.

ARIN doesn’t give you any rights to an IP, because there is no such thing.

[+] nihil75|6 years ago|reply
I think my next Halloween costume will be that generic hoodied-hacker-with-numbers-background image
[+] just_steve_h|6 years ago|reply
Does anyone know the address ranges that are affected?
[+] gregmac|6 years ago|reply
Converted (OCR) from PDF:

    IP Block            Entity              Number of IP addresses 
    ------------------- ------------------- ----------------------
    104.166.96.0/19     OppoBox             8,192 
    104.247.96.0/19     OppoBox             8,192 
    104.250.224.0/19    OppoBox             8,192 
    172.98.0.0/18       Telentia            16,384 
    174.136.192.0/18    Telentia            16,384 
    45.41.0.0/18        OppoBox             16,384 
    45.41.192.0/18      OppoBox             16,384 
    45.59.128.0/18      OppoBox             16,384 
    104.167.192.0/18    OppoBox             16,384 
    104.224.0.0/18      OppoBox             16,384 
    104.249.128.0/18    OppoBox             16,384 
    155.254.192.0/18    OppoBox             16,384 
    172.110.128.0/18    OppoBox             16,384 
    172.111.0.0/18      OppoBox             16,384 
    169.197.128.0/18    Border Technology   16,384 
    172.81.0.0/18       Border Technology   16,384 
    107.181.64.0/20     Contina             4,096
    167.160.96.0/19     Contina             8,192
    209.161.96.0/20     Telentia            4,096
    104.128.16.0/20     Telentia            4,096
    104.143.192.0/19    Telentia            8,192
    104.222.192.0/19    Telentia            8,192
    104.247.0.0/19      Telentia            8,192
    107.190.160.0/20    OppoBox             4,096
    107.182.112.0/20    OppoBox             4,096
    104.207.64.0/19     OppoBox             8,192
    155.254.96.0/19     OppoBox             8,192
    167.88.96.0/20      Virtuzo             4,096
    104.128.128.0/20    Virtuzo             4,096
    104.156.192.0/19    Virtuzo             8,192
    104.222.128.0/19    Virtuzo             8,192
    104.143.16.0/20     Roya                4,096
    104.237.80.0/20     Univera Network     4,096
    45.62.32.0/19       Univera Network     8,192
    45.61.32.0/20       Border Technology   4,096
    173.44.0.0/19       Border Technology   8,192
    172.97.80.0/20      Fiber Galaxy        4,096
    206.223.224.0/19    Fiber Galaxy        8,192
    172.102.128.0/20    Queen Systems       4,096
    209.209.224.0/19    Queen Systems       8,192
    172.110.208.0/20    Fairway Network     4,096
    207.189.0.0/19      Fairway Network     8,192
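As an added example (not from the thread, the article or the indictment), a Python script that reads the table above in its OCR'd three-column layout, checks each stated count against the prefix length, sums addresses per entity, collapses the blocks into a sorted prefix list usable in a route filter or ACL deny list, and looks up a logged address against the list. The six embedded rows are copied from the table; the function names and the "log enrichment" use are assumptions, not anything the page describes.

```python
import ipaddress

# Constructed sample: six rows copied from the OCR'd table above (block, entity, stated count).
SAMPLE_TABLE = """\
IP Block            Entity              Number of IP addresses
------------------- ------------------- ----------------------
104.166.96.0/19     OppoBox             8,192
172.98.0.0/18       Telentia            16,384
155.254.192.0/18    OppoBox             16,384
155.254.96.0/19     OppoBox             8,192
107.181.64.0/20     Contina             4,096
45.61.32.0/20       Border Technology   4,096
"""

def parse_table(text):
    """Return (network, entity, stated_count) per data row; header/rule lines are skipped.
    strict=True makes ip_network() reject a block whose host bits are set (OCR damage)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or "/" not in parts[0]:
            continue
        net = ipaddress.ip_network(parts[0], strict=True)
        entity = " ".join(parts[1:-1])  # entity names may contain spaces
        stated = int(parts[-1].replace(",", ""))
        rows.append((net, entity, stated))
    return rows

def check_counts(rows):
    """Rows whose stated count differs from 2**(32 - prefixlen): an OCR/typo check."""
    return [(str(n), s, n.num_addresses) for n, _, s in rows if s != n.num_addresses]

def totals_by_entity(rows):
    """Address count per entity name, computed from the prefixes themselves."""
    totals = {}
    for net, entity, _ in rows:
        totals[entity] = totals.get(entity, 0) + net.num_addresses
    return totals

def filter_list(rows):
    """Sorted, de-duplicated, collapsed prefixes for a route filter or ACL deny list."""
    return [str(n) for n in ipaddress.collapse_addresses(n for n, _, _ in rows)]

def covering_block(ip, rows):
    """(block, entity) containing an address seen in a log, or None if not in the list."""
    addr = ipaddress.ip_address(ip)
    for net, entity, _ in rows:
        if addr in net:
            return str(net), entity
    return None
```

Fed all 42 rows above, the prefix lengths sum to 397,312 addresses, so the OCR'd excerpt covers only part of the ranges the indictment names.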
[+] pencilingin|6 years ago|reply
Yes they are listed in the indictment document released today. Link to doc is in the updated section of the post.
[+] gwbas1c|6 years ago|reply
Am I the only person who gets an HTTPS error when trying to open the link to circleid.com?
[+] cesarb|6 years ago|reply
The link is http, so you're using something (perhaps HTTPS Everywhere?) which is converting it to an https link.

According to the Qualys SSL tester (https://www.ssllabs.com/ssltest/analyze.html?d=www.circleid....), the IPv6 server for www.circleid.com has "Certificate not valid for domain name" (and the IPv4 server gets an F grade), so you're probably either using IPv6, or using IPv4 with a browser which no longer accepts the obsolete TLS 1.0 version.

[+] jvsg|6 years ago|reply
My Firefox 66.0.4 doesn't trust the certificate for the website you posted.

Edit: Oh wait, the link doesn't work for me even!

[+] rmbryan|6 years ago|reply
UPDATE May 15, 2019: "Charleston Man and Business Indicted in Federal Court in Over $9M Fraud" – United States Department of Justice issues a statement announcing Amir Golestan, 36, of Charleston, and Micfo, LLC, were charged in federal court in a twenty-count indictment. The indictment charges twenty counts of wire fraud, with each count punishable by up to 20 years imprisonment.
[+] anvarik|6 years ago|reply
lol they don't even have https
[+] pencilingin|6 years ago|reply
Link Updated May 15, 2019: "Charleston Man and Business Indicted in Federal Court in Over $9M Fraud" — "The indictment charges that, through this scheme, defendant obtained the rights to approximately 757,760 IP addresses, with a market value between $9,850,880.00 and $14,397,440.00."