Hackers and Spammers Now Creating Their Own ISPs

Written by Sue Walsh on December 28, 2009

Security researchers say botnet herders, malware authors, spammers, and other cybercriminals have begun taking matters into their own hands and creating their own ISPs. Now that even so-called “bulletproof” ISPs are being pursued and shut down, cybercriminals have decided that doing it themselves is their best bet.

They start by setting up data centers and stocking them with servers, then seek out a local Internet registry (LIR) or regional Internet registry (RIR) that doesn’t have the resources to verify applications as it should. In most cases anyone applying for a block of IP space must go through a screening process that includes submitting legal documents showing their business name, the names of the officers in their company, a written explanation of why they need the space, a listing of the company’s PCs, router configurations, network maps and more. By going through either local registries or ones that for one reason or another can’t or won’t do a full screening, cybercriminals are getting set up as ISPs. In many cases these less-than-thorough registries require nothing more than a letter explaining why the space is needed.

Once the criminals are granted the space, they themselves become bulletproof. They obviously will ignore any takedown orders. The best example of this kind of setup is the infamous Russian Business Network, which hosted hundreds of spammers, botnet herders, phishers, hackers and other cybercriminals. They firmly ignored takedown orders and fiercely protected their customers. RBN was able to get a block of IP space by going through a European LIR that didn’t bother doing a thorough screening, and the RIR, RIPE NCC, granted the space based on the LIR’s report. RIPE defended itself, saying it had no way of knowing whether an applicant is up to illegal activities or not.

“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case.

RIPE was eventually able to close down the LIR and reclaim the space from the RBN, but the practice is still flourishing. To stop it, it’s up to LIRs and RIRs to stay on the ball and thoroughly screen applicants.
