Hijack Factories: AS203418, AS205944, and AS203040

Ronald F. Guilmette rfg at tristatelogic.com
Mon Aug 28 19:06:26 UTC 2017


Executive Summary:

    AS203418 (Marketigames, LLC), together with its one and only
    immediate IPv4 upstream, AS203040 (Mint Company, LLC), and its
    sister network, AS205944 (MediaClick, LLC) either are currently
    hijacking or have recently hijacked multiple abandoned /16 IPv4
    address blocks, apparently with the intent of leasing out this
    hijacked IPv4 space to snowshoe spammers, in particular, to
    Clickjet Media (clickjetmedia.com).  Readers who may be peering
    with AS203040, in particular, are encouraged to cease doing so.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_

I believe that this listing of 13 separate /16 routes makes it self-evident
what is going on here:

    https://bgp.he.net/AS203418#_prefixes

(Please note that a screenshot of the above page has been archived here for
posterity: http://i.imgur.com/Ws2aKkz.png)

The hijacks currently being perpetrated by this ASN (AS203418 - Marketigames,
LLC) are, in my opinion, both brazen and audacious.  I wouldn't mind, but
other evidence indicates persuasively that at least one of these hijacked
/16 blocks (140.167.0.0/16) has already been put into use as a snowshoe
spamming source.

The following file contains a listing of numerous domain names that currently
have associated SPF TXT records permitting these domains to send outbound
emails from various parts of the (hijacked) 140.167.0.0/16 block:

    https://pastebin.com/raw/0EjThpR8
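As an added illustration (not part of the original post, and not the author's own tooling), the following Python script performs the check described above: it reads a domain's SPF record, follows include: and redirect= terms, and reports every ip4: mechanism that overlaps one of the hijacked /16 blocks. The domain names, the TXT data and the resolver are constructed in memory so the script runs offline; for live checks, replace sample_resolver with a real TXT lookup (for instance dnspython's dns.resolver.resolve(name, "TXT")). The block list is the set of nine /16s enumerated later in this message.

```python
"""Find SPF ip4: mechanisms that authorise sending from hijacked prefixes.

Added example, not code from the original NANOG post.  All domain names and
the 140.167.x.x addresses below are constructed for illustration.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple

TxtResolver = Callable[[str], List[str]]

# Constructed sample zone data (assumption: these names do not exist).
SAMPLE_TXT: Dict[str, List[str]] = {
    "sender-a.test": ["v=spf1 ip4:140.167.12.0/24 include:_spf.bulk.test -all"],
    "_spf.bulk.test": ["v=spf1 ip4:140.167.200.5 ip4:198.51.100.0/24 ~all"],
    "clean.test": ["v=spf1 mx a ip4:203.0.113.0/24 -all",
                   "google-site-verification=not-an-spf-record"],
    "loop.test": ["v=spf1 include:loop.test -all"],
}


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for a TXT lookup; [] plays the role of NXDOMAIN."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


# The nine /16 blocks the post reports as still hijacked.
HIJACKED_BLOCKS = [ipaddress.ip_network(p) for p in (
    "116.79.0.0/16", "116.144.0.0/16", "116.152.0.0/16", "116.166.0.0/16",
    "116.181.0.0/16", "128.13.0.0/16", "134.22.0.0/16", "140.167.0.0/16",
    "148.154.0.0/16",
)]


def spf_record(name: str, resolve: TxtResolver) -> Optional[str]:
    """Return the one TXT record starting with v=spf1, or None."""
    for txt in resolve(name):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def spf_ip4_networks(name: str, resolve: TxtResolver,
                     _seen: Optional[Set[str]] = None) -> List[ipaddress.IPv4Network]:
    """Collect every ip4: mechanism reachable from name's SPF record.

    include: and redirect= are followed; a/mx mechanisms are NOT expanded
    (they would need A/MX lookups).  A visited-set guards against include
    loops and mirrors RFC 7208's cap of 10 DNS-querying terms.
    """
    seen = _seen if _seen is not None else set()
    key = name.lower().rstrip(".")
    if key in seen or len(seen) >= 10:
        return []
    seen.add(key)
    record = spf_record(key, resolve)
    if record is None:
        return []
    nets: List[ipaddress.IPv4Network] = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # qualifier is irrelevant here
        low = term.lower()
        if low.startswith("ip4:"):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                continue                    # malformed mechanism: skip, don't crash
            if isinstance(net, ipaddress.IPv4Network):
                nets.append(net)
        elif low.startswith("include:"):
            nets.extend(spf_ip4_networks(term[8:], resolve, seen))
        elif low.startswith("redirect="):
            nets.extend(spf_ip4_networks(term[9:], resolve, seen))
    return nets


def hijacked_senders(name: str, resolve: TxtResolver = sample_resolver,
                     blocks=HIJACKED_BLOCKS) -> List[Tuple[str, str]]:
    """(spf_network, hijacked_block) for each ip4 mechanism inside hijacked space."""
    hits: List[Tuple[str, str]] = []
    for net in spf_ip4_networks(name, resolve):
        for block in blocks:
            if net.overlaps(block):
                hits.append((str(net), str(block)))
    return hits


if __name__ == "__main__":
    for domain in SAMPLE_TXT:
        print(domain, "->", hijacked_senders(domain) or "no hijacked ip4: mechanisms")
```

Because a and mx mechanisms are not expanded, a domain that authorises the hijacked space only through those terms would be missed; extend the resolver with A/MX lookups if that matters for your sweep.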

It is also interesting that a great many of the domain names listed in the
above file in fact resolve to the IPv4 address 216.128.69.220, which is
within a /24 block (216.128.69.0/24) which is ostensibly registered to an
entity calling itself "Big Hosting Plus" (aka bighostingplus.com) allegedly
of Albuquerque, New Mexico.  A brief perusal of the WHOIS record associated
with the contact domain name for that IPv4 block (bighostingplus.com) shows
however the identity of the party that is actually pulling the strings here,
i.e. a company called Clickjet Media of Glendale, California, aka
clickjetmedia.com:

    https://pastebin.com/raw/h9cuGSdK

I should note that the ARIN sub-SWIP for the 216.128.69.0/24 block is not the
only instance in which Clickjet Media has followed this exact same playbook.
I have previously identified the following four additional fraudulent ARIN
sub-SWIPs where ClickJet Media is, evidently, the real entity behind the
deliberately fictitious ARIN sub-SWIPs:

    High Point Host ARB-69-1-227-0 (NET-69-1-227-0-1) 69.1.227.0 - 69.1.227.255
    Pleasant Hosting ARB-69-1-228-0 (NET-69-1-228-0-1) 69.1.228.0 - 69.1.228.255
    Quasi Hosting ARB-69-1-254-0 (NET-69-1-254-0-1) 69.1.254.0 - 69.1.254.255
    Green River Hosting ARB-69-1-255-0 (NET-69-1-255-0-1) 69.1.255.0 - 69.1.255.255

Here is the archived evidence supporting my contentions as they relate to the
above four ARIN sub-SWIPs:

  ARIN sub-SWIP records:

    https://pastebin.com/raw/UDBQKDiC
    https://pastebin.com/raw/hpDUqLFF
    https://pastebin.com/raw/7zdZLw01
    https://pastebin.com/raw/gvXNwbJW

  Associated domain WHOIS records:

    https://pastebin.com/raw/pHLGRJux  (highpointhost.com)
    https://pastebin.com/raw/V91DTsX1  (pleasanthosting.com)
    https://pastebin.com/raw/SxqzQy2v  (quasihosting.com)
    https://pastebin.com/raw/2qv5xDsE  (greenriverhosting.com)

I should note for the sake of completeness that the listing of the 13 hijacked
/16 blocks linked to above, as currently presented on the bgp.he.net web site,
is in fact a somewhat stale listing.  All of those thirteen /16 blocks were
in fact hijacked by AS203418 as of yesterday, however as of this writing, it
would appear that only the following nine /16 blocks are still hijacked at
this moment (although this is hardly a cause for celebration):

    116.79.0.0/16
    116.144.0.0/16
    116.152.0.0/16
    116.166.0.0/16
    116.181.0.0/16
    128.13.0.0/16
    134.22.0.0/16
    140.167.0.0/16
    148.154.0.0/16

Naturally, readers will ask "Who or what is AS203418?"  It is registered using
the name Marketigames, LLC, which is apparently a properly registered Delaware
LLC.  Beyond that it is difficult to find any other definitive info.  The main
web site for this entity (http://marketigames.biz/) is mostly devoid of any
information that would allow us to know who is really behind this entity.
Contact information is provided on the web site however, as follows:

    MarketiGames LLC,
    4283 Express Lane, Suite 315-592, Sarasota, FL 34238
    Phone: 217-717-9384

Googling the street address indicates that it is most often associated
with fraudulent activity on the Internet (e.g. fraudulent attempts to order
products).  The area code 217 is associated with the Chicago area, not
Florida and not Delaware.

Although this entity (MarketiGames) does have its own ASN, it also appears to
have a number of valid ARIN IP block allocations which are not currently
routed by its own ASN:

    104.218.224.0/22   (NET-104-218-224-0-1)
    104.244.88.0/21    (NET-104-244-88-0-1)
    104.245.40.0/21    (NET-104-245-40-0-1)
    104.245.248.0/21   (NET-104-245-248-0-1)
    173.234.197.0/24   (NET-173-234-197-0-1)
    2620:125:C000::/40 (NET6-2620-125-C000-1)

Historical passive DNS data appears to indicate that some or all of the above
blocks have historically also been used to support snowshoe spamming.

Data available from the interactive RIPE Routing History web service
indicates clearly that it is not only AS203418 (Marketigames, LLC) that
has been involved in the hijacking of abandoned /16 blocks, but also
and likewise its immediate upstream AS203040 (Mint Company, LLC), and its
sister network, AS205944 (MediaClick, LLC).  RIPE Routing History shows
that all three of these ASNs have, at various times, hijacked the
116.79.0.0/16 block, for example.

The implication seems clear.  All three of these ASNs have been working
together to hijack abandoned /16 blocks for purposes of hosting snowshoe
spamming operations.  Because both AS203418 and AS205944 only peer with
AS203040 (Mint Company, LLC) it is evident that the real problem here is
Mint Company, LLC and the peering its ASN (AS203040) currently enjoys.

Data provided by bgp.he.net indicates that the top three peers of AS203040
are currently as follows:

    AS24785  Open Peering B.V.
    AS20562  Open Peering B.V.
    AS6939   Hurricane Electric, Inc.

I will be contacting these companies and asking them to de-peer from AS203040.
I make the same request, here and now, to all other networks that may be
peering with AS203040.  Please stop that peering.


Regards,
rfg
