As technological advancements are booming and the internet becomes as common to us as any other utility of the modern world, there are also some obvious and hidden risks involved when using the internet. One of the major threats we face nowadays is IP hijacking.
What is IP Hijacking?
In the digital advertising industry, IP hijacking is a fraudulent activity that basically takes over IP addresses on the internet and then uses them to commit fraud such as spamming and providing clicks on sites and online ads illegitimately. The end goal is usually to obtain illegitimate income, take away business from a competitor, or simply do harm.
The main reason why this happens is price related. Reputable IPs are expensive and need to follow certain legal protocols in order to get transferred from one owner to the other.
Sometimes an advertiser will be using hijacked IPs if the compliance
process is not carried out to the highest standards. The lack of due diligence in securing professional advice, in this case, can have a critical outcome.
Of course in a price-driven market, the costs for digital resources should be kept in check, but associating a business with hijacked IPs can hurt in the long run. Ruining the company’s image and reputation by using low-quality resources is just not worth the
risk because not only will the business bleed money, but it will also weaken the relationship with clients and partners.
How does IP Hijacking happen?
There are several ways attackers can hijack IP addresses. It typically involves searching for IPs not used on the public Internet. The most common example revolves around companies that operate on private networks. Because of that, attackers are able to use the stolen IP addresses without disrupting the private network.
Other potential targets can be organizations that hold lots of unused IP addresses. Many such entities receive or hold more IPs than they could ever need. And so, an unused asset is a double-edged sword. It’s a precious resource for companies, but an easier target for hijackers.
RIRs (Regional Internet Registries) contain information publicly available. Attackers study the entries carefully to look for older, potentially outdated registrations. These are less enforced and their lack of actuality makes them more susceptible to hijacking.
Forgery is also a common practice. Hijackers can make false Letters of Authorization (LOAs) to trick the transit network to route the network on behalf of the hijacker. That’s because an LOA is a document that enables (or entitles) an individual or organization to make network changes.
Common steps in IP Hijacking
There are several steps involved in the process of IP hijacking. After the discovery of the target IP address, a hijacker will usually attempt the following steps:
Gaining access to the target device or network
The attacker will try to gain access to the target device or network by exploiting vulnerabilities in the software or the network’s security, tricking the user into downloading malware or using stolen login credentials.
Changing the IP address settings
Once the attacker has gained access, they can change the settings of the device’s IP address to redirect traffic intended for the original device to the attacker’s own device.
Interception of traffic
The attacker is now able to intercept all the traffic intended for the original device, including sensitive information such as login credentials, financial data, and more.
Masking the attack
The attacker can mask their true identity by using the hijacked IP address to carry out malicious activities. This makes it difficult for authorities to trace the attack back to the attacker’s real location.
Effects on Digital Advertising
IP hijacking, if deliberate, can be used to divert user traffic from victim networks or even enumerate which entities are initiating connections to those networks.
For example, in April 2017, a Russian-owned Company, Rostelecom, hijacked large chunks of network traffic belonging to over two dozen financial companies including MasterCard and Visa.
Although that incident was seemingly ruled as human error, it could or might have allowed individuals to affect traffic flowing into the victim’s address space (Goodin, 2017). Widespread attacks may also lead to a total shutdown of advertising or other services by the victim networks, which would cripple sales, customer bases, and even operations.
An example is Pakistan’s shutdown of YouTube. On February 24th, 2008, Pakistan attempted to block YouTube access within its borders and ended up shutting down YouTube entirely. This underscores the dangers of IP hijacking and the potential risks it carries.
When done on a large scale, such hijackings can cause major commercial problems, especially for digital marketing and email marketing in particular.
In email marketing, IP hijacking results in a designated email address sending many emails to clients using a specific IP address that does not belong to the legitimate registrant of the IP or spamming emails sent by a particular address. The end result is a loss of business opportunities and money that would have helped the business gain traction.
Along with hijacking, fraud, and identity theft are also common. Companies set under false identities sell millions of hijacked IP addresses making a lot of money and before the rightful successors of the IPs catch on it’s already too late.
Also, the data generated from the hijackings can be used for various illegal activities including spam. For the last few years, ARIN started reporting WHOIS hackings to different law enforcement agencies in the hope it will discourage further hijackings and digital identity-related threats.
With more and more security breaches in the digital world, the complexity of guarding advertising assets is becoming more and more difficult. Cybercriminals find inventive ways to evade security measures or steal credentials in order to pose as legitimate advertisers and run malicious ads.
Delivering malware to a computer terminal through an advertisement becomes easier considering the number of intermediaries in ad networks, the ad itself goes through before reaching its consumer.
Of course, the best way to avoid IP hijacking, especially for online advertisers, is to prevent it from happening. Educating yourself and setting up a contingency plan is the best way to go about it. First off, let’s take a look at what exactly is happening when an attack is on its way and what are the protocols that are most exposed.
How IP Hijacking Works
The victim of IP hijacking can be any type of organization connected to the internet. In recent years reports of IP hijacking have reached a higher level and reports come in from world-famous companies, government institutions, and so on. So how does this happen?
As we all know by now, the Internet is made up of hundreds of thousands of interconnected networks that, although independently managed, work together in the flow of information.
Each network represents an autonomous system (AS) that
has at least one autonomous system number (ASN) which identifies it. The main identifier that permits the internet to run as it does is the IPs – the addresses assigned to each terminal using an internet connection. The protocol that makes IPs interconnect is BGP: border gateway protocol – the road or route information takes from one terminal to another.
With each exchange of information over the internet, the source IP and the destination IP are included in each data packet, as you would write addresses on a letter envelope.
Each independent network (AS) is assigned blocks of consecutive IPs and then the AS assigns individual IP addresses or chunks of the original block to its different customers.
In order for these IPs to communicate with each other or with IPs in other ASs, information packets travel through the internet with source and destination addresses and each time they hit a router, the router reads the destination address of the packet and forwards it to a certain path towards the packet’s destination. The forwarding process is done according to forwarding tables, built under the Internet routing protocol, called Border Gateway Protocol (BGP).
Each AS lets its neighbors know the IP blocks that are owned by it. For example, AS1 can announce it owns a block of IPs that are actually owned by AS2. That can happen by mistake, or it can happen due to malicious intent. In this case, internet traffic destined for that block of IPs in AS2 will actually go to AS1, because it announced IPs that are not its own.
This process is actually a BGP hijack and it can be detected by connecting a dedicated communication channel to an AS. ASs usually do not approve communication with an outside source so very few BGP announcements can be verified, so many hijacks go unnoticed.
BGP hijacking, also referred to as IP hijacking, prefix hijacking, or route hijacking, is when incorrect routing information sends internet traffic to the wrong destination.
However, hijackers do not know what attacks are noticed or not so they try to keep their interferences to a minimum by keeping the announcement a few hours tops, or announcing the IPs through private peering, and not on the internet.
This second method is mostly used for mailing purposes since the IPs are announced only to the main mail providers (Y!, Gmail, etc). Unfortunately, it’s enough to do extended damage.
Regardless of the type of attack, hijacking can cause huge damage to its victims like spying on intellectual property, breaking the confidentiality of data, future interests, directions, etc.
Repercussions
With hijacking, hackers practically use another registrant’s IPs for their own commercial purpose – digital advertising or fraudulent IP lease. For a long time, there was no legal framework to regulate IPs – repercussions for criminal activities involving IP hijacking were practically nonexistent.
As of now, there are some measures in place to effectively counter IP hijacking. Proposals have been put forward for measures to ensure service providers can only announce networks they are allowed to carry.
If we are talking about email marketing U.S. Code 1037, title 18, part I, chapter 47:
Fraud and related activity in connection with electronic mail states that any person who falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more IP addresses, who initiates the transmission of multiple commercial electronic mail messages can face various penalties such as a fine or up to 5 years in prison or both.
How can IP Hijacking be prevented?
IP hijacking is a serious cause for concern, but it can be prevented through diligence and responsibility. The fundamentals haven’t changed much, as we will see in the following sections, but there are also important steps that authorities and organizations should always be aware of.
Use strong passwords
Using strong, unique passwords for all your accounts and devices can help prevent unauthorized access and protect against IP hijacking.
Keep software up to date
Regularly updating your software and operating system will help close vulnerabilities that would otherwise let attackers exploit them to gain access to your device.
Beware of emails and links from unknown sources
Phishing attacks can trick you into revealing sensitive information or downloading malware, so be wary of emails or links from unknown sources.
Antivirus software is your best friend
Having a powerful antivirus will certainly keep your system safe from malware infections that are a breeding ground for IP hijacks.
Consider firewalls
Firewalls are a great way of protecting against unauthorized access to your device. That’s because they control incoming and outgoing network traffic.
Consider using a VPN
A VPN (Virtual Private Network) creates an encrypted connection that masks your real IP address and keeps your network traffic safe and much harder to intercept.
In conclusion, a lawsuit is highly likely to happen if the rightful successor of a range of IP addresses wants to take action against a hijacker or against a person who knowingly uses hijacked IPs and the chances for them to be legally rewarded are strong.
The top priorities registrants of new address spaces should be aware of
RIRs and IRRs (Internet Routing Registries) have improved their procedures and security enforcement. Paying attention to what competent authorities recommend or require should be an organization’s or individual’s priority.
Constantly update the registration information
The registry should always be accurate and up-to-date, containing info about your organization. In doing so, you should be promptly contacted about any possible changes that want to be made.
Keep your email, address, phone number, and everything else up-to-date, so you can act on time, should any suspicious request for change happen.
Rely on routing policy to maintain the safety
Publishing your network’s routing policy in an IRR will help other networks detect suspicious use of your addresses. That’s because traffic that’s ‘off-course’ or that takes another route will be flagged as suspicious or hijacked.
This will help network operators better monitor the network’s traffic and be able to take action. There are also open-source tools that help operators use the IRR and dedicated discussion forums.
Use RPKI (Resource Public Key Infrastructure)
RPKI is a database of digital certificates that verify the ownership of internet resources, such as IP addresses and autonomous system (AS) numbers.
The digital certificates in the database are issued by trusted organizations, and they provide a secure way of verifying that a particular IP address or AS number belongs to a specific entity.
Because of this, RPKI helps prevent IP hijacking and other types of cyber attacks on the Internet. Organizations should always opt for this signature in order to maintain ownership of their resources and keep an eye on any possible dangers.
