Spammer hijacks Tower Group's network

Posted: 28-Mar-2003 21:24

An audacious spammer hijacked a large block of unused IP (internet protocol) addresses assigned to Tower Group in Wellington, and used them to re-route traffic to servers in Florida, United States.

Some 65,000 IP addresses were taken over, enabling the spammer to host any type of internet site on the hijacked network, including illegal ones. By taking over the routes for the network and forging its registration details, the spammer hid his activities: to the rest of the internet they appeared to come from a network assigned to Tower Group.

The hijack was discovered by accident on the SPAM-L anti-spam internet mailing list, when a systems administrator reported that his email servers were under a "dictionary attack" from spammers.

Dictionary attacks are commonly used by spammers to test for valid email addresses. The spammer runs a program that cycles through a great number of likely names used in email addresses and tries them out against mail servers on the internet; the names the server accepts, rather than rejects as unknown, are harvested as live addresses.
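On the receiving side this is easy to spot once you know what to count. The following is an added example, not code from the post or from any of the parties in it: it parses constructed Postfix-style "User unknown" rejection lines, flags clients that probe many distinct non-existent recipients, and collapses the offenders to the /24 an administrator would then look up in the registry. The IP addresses, hostnames and domains are documentation ranges and example names, and the threshold of five distinct names is an assumed tuning value.

```python
"""Spot an SMTP dictionary attack in mail-server logs: one client trying
many different recipient names that the server does not know.

Added example; not code from the original post. The log lines below are
constructed in Postfix syslog style using documentation IP ranges and
example domains.
"""
import ipaddress
import re
from collections import defaultdict

# Postfix smtpd "User unknown" rejection; we only need client IP and recipient.
REJECT_RE = re.compile(
    r"reject: RCPT from [^\s\[]+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 [0-9.]+ <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

# Constructed sample: six guesses (one retried) from a single client, one guess
# from its neighbour in the same /24, a connect line the parser must ignore,
# and one honest typo from a real mail server.
LOG = """\
Mar 28 09:00:01 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 550 5.1.1 <alice@example.net>: Recipient address rejected: User unknown in local recipient table;
Mar 28 09:00:01 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 550 5.1.1 <alice@example.net>: Recipient address rejected: User unknown in local recipient table;
Mar 28 09:00:02 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 550 5.1.1 <alison@example.net>: Recipient address rejected: User unknown in local recipient table;
Mar 28 09:00:02 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 550 5.1.1 <alistair@example.net>: Recipient address rejected: User unknown in local recipient table;
Mar 28 09:00:03 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 550 5.1.1 <amanda@example.net>: Recipient address rejected: User unknown in local recipient table;
Mar 28 09:00:03 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 550 5.1.1 <amy@example.net>: Recipient address rejected: User unknown in local recipient table;
Mar 28 09:00:04 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 550 5.1.1 <andrew@example.net>: Recipient address rejected: User unknown in local recipient table;
Mar 28 09:00:04 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from unknown[203.0.113.46]: 550 5.1.1 <bob@example.net>: Recipient address rejected: User unknown in local recipient table;
Mar 28 09:00:05 mx postfix/smtpd[4103]: connect from mail.example.com[198.51.100.7]
Mar 28 09:00:06 mx postfix/smtpd[4103]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <jhon@example.net>: Recipient address rejected: User unknown in local recipient table;
"""


def parse_rejects(log_text):
    """Yield (client_ip, recipient) for every 'User unknown' rejection."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("rcpt").lower()


def dictionary_attackers(log_text, threshold=5):
    """Clients that probed at least `threshold` distinct non-existent names.

    Count distinct names, not total rejections: a legitimate sender retrying
    one mistyped address produces many rejections for a single name, while a
    dictionary run is wide rather than deep.
    """
    probes = defaultdict(set)
    for ip, rcpt in parse_rejects(log_text):
        probes[ip].add(rcpt)
    return {ip: sorted(names)
            for ip, names in probes.items() if len(names) >= threshold}


def attacking_prefixes(attackers, prefixlen=24):
    """Collapse attacking client IPs to /24s (IPv4), the granularity at which
    an operator looks up the registry record for the source block."""
    nets = {str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
            for ip in attackers}
    return sorted(nets)


if __name__ == "__main__":
    found = dictionary_attackers(LOG)
    for ip, names in found.items():
        print(f"{ip}: {len(names)} distinct unknown recipients: {', '.join(names)}")
    print("blocks to look up:", ", ".join(attacking_prefixes(found)))
```

Lowering the threshold to one would also flag the single typo from the legitimate server, which is why the check counts breadth rather than any rejection at all.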

The systems administrator looked up the assignment information for the block of addresses and found that it showed the block as allocated to Tower Group in Wellington. The registration information had been changed on the 13th of this month, and the hijacker had even reused the existing registration details to cover his tracks.

A call to Tower Group's network security manager, Alex McGregor, confirmed that Tower Group had been allocated the block of IP addresses in question, but that the block was not active on the internet and so was not advertised by the company to the world. The network had only been used internally.

McGregor says "the spammer must have noticed that the unused IP address block didn't have routes advertised", and decided to enter bogus routing information that directs traffic to servers in the US. Advertising a route is internet jargon for announcing, over the Border Gateway Protocol (BGP) that internet providers use to exchange reachability information, that a block of addresses can be reached through a given network; other routers accept the announcement and send traffic accordingly. A block its owner never announces is an easy target, because no legitimate announcement competes with the bogus one.
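The dormant block McGregor describes is exactly what a routine comparison of your own address space against observed route announcements catches. The following is an added example of such a check, not code from the post, from Tower Group or from any route-monitoring service: the prefixes are documentation ranges, the AS numbers are from the private range, the collector labels are made up, and the announcements are hand-written rather than fetched from a live route collector.

```python
"""Check observed route announcements against the address blocks an
organisation holds.

Added example; not code from the original post. All prefixes, AS numbers
and announcements below are constructed from documentation ranges and
private AS numbers, not Tower Group's real allocation or the hijacker's
network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str      # announced network, e.g. "203.0.113.0/24"
    origin_as: int   # AS number claiming to originate the prefix
    collector: str   # where it was observed (constructed label)


# Blocks we hold, mapped to the AS numbers allowed to originate them.
# An empty set means "used internally only, must never be announced",
# which is the state of the block the article describes.
MONITORED = {
    "198.51.100.0/24": {64500},   # constructed: production block, our own AS
    "203.0.113.0/24": set(),      # constructed: allocated but never announced
}


def classify(ann, monitored=MONITORED):
    """Verdict for one announcement, or None if it does not overlap any block
    we monitor. Overlapping entries in `monitored` are matched in order."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    for block, allowed in monitored.items():
        owned = ipaddress.ip_network(block)
        if net.version != owned.version:
            continue
        if owned.subnet_of(net) and net.prefixlen < owned.prefixlen:
            # A covering aggregate: fine from an authorised AS, otherwise
            # worth a look, but not by itself proof of a hijack.
            if ann.origin_as in allowed:
                return "OK"
            return f"REVIEW: covering aggregate from AS{ann.origin_as}"
        if not net.subnet_of(owned):
            continue
        # Exact match or more-specific: this announcement captures our traffic.
        if not allowed:
            return "HIJACK: unadvertised block announced"
        if ann.origin_as not in allowed:
            return "HIJACK: wrong origin AS"
        if net.prefixlen > owned.prefixlen:
            # Origin AS can be forged, so even a more-specific that claims
            # to be ours deserves a check that we really announced it.
            return "NOTICE: unexpected more-specific from authorised AS"
        return "OK"
    return None


def find_alerts(announcements, monitored=MONITORED):
    """Return (prefix, origin_as, verdict) for every non-OK announcement."""
    alerts = []
    for ann in announcements:
        verdict = classify(ann, monitored)
        if verdict is not None and verdict != "OK":
            alerts.append((ann.prefix, ann.origin_as, verdict))
    return alerts


# Constructed snapshot of what a route collector might report.
SAMPLE = [
    Announcement("198.51.100.0/24", 64500, "rc-a"),    # our own, fine
    Announcement("203.0.113.0/24", 64666, "rc-b"),     # dormant block taken over
    Announcement("198.51.100.128/25", 64666, "rc-b"),  # more-specific steals half our block
    Announcement("192.0.2.0/24", 64501, "rc-a"),       # someone else's space, ignored
]

if __name__ == "__main__":
    for prefix, origin, verdict in find_alerts(SAMPLE):
        print(f"{verdict:48} {prefix:20} AS{origin}")
```

The more-specific case matters as much as the exact match: routers prefer the longest matching prefix, so a /25 announced by a stranger wins over the owner's own /24 for that half of the block even when the owner is announcing normally.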

Spamming by the hijacker has already caused Tower Group's taken-over network to be entered into internet blocking lists, which administrators use to refuse email and connections from networks seen as abusive. Once listed, a network can be hard to get removed, as there are many different lists operating under widely different de-listing policies.

Having been made aware of the hijack, McGregor said "we were notified today [Friday] at 9am and we shut the situation down by 12:30pm."

Ed Saul, CIO of Tower Group, said the company has stopped the false route advertisements with the help of US internet providers and

Saul stressed that at no point was Tower's physical network at risk, or any of its data. He said that "as the spammer took advantage of a weakness in the internet infrastructure, it could happen to anyone."


Content copyright © Juha Saarinen.