Spammers have been working methodically to hijack large chunks of Internet real estate by exploiting a technical and bureaucratic loophole in the way that various regions of the globe keep track of the world’s Internet address ranges.

Last week, KrebsOnSecurity featured an in-depth piece about a well-known junk email artist who acknowledged sending from two Bulgarian hosting providers. These two providers had commandeered tens of thousands of Internet addresses from ISPs around the globe, including Brazil, China, India, Japan, Mexico, South Africa, Taiwan and Vietnam.

For example, a closer look at the Internet addresses hijacked by one of the Bulgarian providers — aptly named “Mega-Spred” with an email contact of “abuse@grimhosting” — shows that this provider has been slowly  gobbling up far-flung IP address ranges since late August 2014.

According to several security and anti-spam experts who’ve been following this activity, Mega-Spred and the other hosting provider in question (known as Kandi EOOD) have been taking advantage of an administrative weakness in the way that some countries and regions of the world keep tabs on the IP address ranges assigned to various hosting providers and ISPs. Neither Kandi nor Mega-Spred responded to requests for comment.

IP address hijacking is hardly a new phenomenon. Spammers sometimes hijack Internet address ranges that go unused for periods of time. Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.

Experts say the hijackers also are exploiting a fundamental problem with record-keeping activities of RIPE NCC, the regional Internet registry (RIR) that oversees the allocation and registration of IP addresses for Europe, the Middle East and parts of Central Asia. RIPE is one of several RIRs, including ARIN (which handles mostly North American IP space) and APNIC (Asia Pacific), LACNIC (Latin America) and AFRINIC (Africa).

Ron Guilmette, an anti-spam crusader who is active in numerous Internet governance communities, said the problem is that a network owner in RIPE’s region can hijack Internet addresses that belong to network owners in regions managed by other RIRs, and if the hijackers then claim to RIPE that they’re the rightful owners of those hijacked IP ranges, RIPE will simply accept that claim without verifying or authenticating it.

Worse yet, Guilmette and others say, those bogus entries — once accepted by RIPE — get exported to other databases that are used to check the validity of global IP address routing tables, meaning that parties all over the Internet who are checking the validity of a route may be doing so against bogus information created by the hijacker himself.

“RIPE is now acutely aware of what is going on, and what has been going on, with the blatantly crooked activities of this rogue provider,” Guilmette said. “However, due to the exceptionally clever way that the proprietors of Mega-Spred have performed their hijacks, the people at RIPE still can’t even agree on how to even undo this mess, let alone how to prevent it from happening again in the future.”

And here is where the story perhaps unavoidably warps into Geek Factor 5. For its part, RIPE said in an emailed statement to KrebsOnSecurity that the RIPE NCC has no knowledge of the agreements made between network operators or with address space holders.

“It’s important to note the distinction between an Internet Number Registry (INR) and an Internet Routing Registry (IRR). The RIPE Database (and many of the other RIR databases) combine these separate functionalities. An INR records who holds which Internet number resources, and the sub-allocations and assignments they have made to End Users.

On the other hand, an IRRcontains route and other objects — which detail a network’s policies regarding who it will peer with, along with the Internet number resources reachable through a specific ASN/network. There are 34 separate IRRs globally — therefore, this isn’t something that happens at the RIR level, but rather at the Internet Routing Registry level.”

“It is not possible therefore for the RIRs to verify the routing information entered into Internet Routing Registries or monitor the accuracy of the route objects,” the organization concluded.

Guilmette said RIPE’s response seems crafted to draw attention away from RIPE’s central role in this mess.

“That it is somewhat disingenuous, I think for this RIPE representative to wave this whole mess off as a problem with the
IRRs when in this specific case, the IRR that first accepted and then promulgated these bogus routing validation records was RIPE,” he said.

RIPE notes that network owners can reduce the occurrence of IP address hijacking by taking advantage of Resource Certification (RPKI), a free service to RIPE members and non-members that allows network operators to request a digital certificate listing the Internet number resources they hold. This allows other network operators to verify that routing information contained in this system is published by the legitimate holder of the resources. In addition, the system enables the holder to receive notifications when a routing prefix is hijacked, RIPE said.

While RPKI (and other solutions to this project, such as DNSSEC) have been around for years, obviously not all network providers currently deploy these security methods. Erik Bais, a director at A2B Internet BV — a Dutch ISP — said while broader adoption of solutions like RPKI would certainly help in the long run, one short-term fix is for RIPE to block its Internet providers from claiming routes in address ranges managed by other RIRs.

“This is a quick fix, but it will break things in the future for legitimate usage,” Bais said.

According to RIPE, this very issue was discussed at length at the recent RIPE 69 Meeting in London last week.

“The RIPE NCC is now working with the RIPE community to investigate ways of making such improvements,” RIPE said in a statement.

This is a complex problem to be sure, but I think this story is a great reminder of two qualities about Internet security in general that are fairly static (for better or worse): First, much of the Internet works thanks to the efforts of a relatively small group of people who work very hard to balance openness and ease-of-use with security and stability concerns. Second, global Internet address routing issues are extraordinarily complex — not just in technical terms but also because they also require coordination and consensus between and among multiple stakeholders with sometimes radically different geographic and cultural perspectives. Unfortunately, complexity is the enemy of security, and spammers and other ne’er-do-wells understand and exploit this gap as often as possible.

Adobe and Microsoft today each issued security updates to fix critical vulnerabilities in their software. Microsoft pushed 14 patches to address problems in Windows, Office, Internet Explorer and .NET, among other products. Separately, Adobe issued an update for its Flash Player software that corrects at least 18 security issues.

Microsoft announced 16 bulletins, but curiously two of those are listed as pending. Topping the list of critical updates from Microsoft is a fix for a zero-day vulnerability disclosed last month that hackers have been using in targeted cyber espionage attacks. Another critical patch targets 17 weaknesses in Internet Explorer, including a remotely exploitable vulnerability in all supported versions of Windows that earned a CVSS score of 9.3 (meaning it is highly likely to be exploited in drive-by attacks, and probably soon).

That flaw is a rare “unicorn-like” bug according to IBM X-Force, which discovered and reported the issue privately to Microsoft. In a blog post published today, IBM researchers described how the vulnerability can be used to sidestep the Enhanced Protected Mode sandbox in IE11, as well as Microsoft’s EMET anti-exploitation tool that Microsoft offers for free.

“In this case, the buggy code is at least 19 years old, and has been remotely exploitable for the past 18 years,” writes IBM researcher Robert Freeman. “Looking at the original release code of Windows 95, the problem is present. In some respects this vulnerability has been sitting in plain sight for a long time, despite many other bugs being discovered and patched in the same Windows library (OleAut32).”

Freeman said while unpatched Internet Explorer users are most at risk from this bug, the vulnerability also could be exploited through Microsoft Office files. “The other attack vectors this vulnerability could work with are Microsoft Office with script macros, for example in Excel documents,” Freeman told KrebsOnSecurity. “Most versions of Office (since about 2003) have macros disabled by default so the user would have to enable them (which can be a fairly mindless YES click at the top of the screen). Or if a user is using an old enough version of Office, the macros will be enabled by default.”

According to Shavlik, the two pending patches, MS14-068 and MS14-075, are both listed on the bulletin summary page as “release date to be determined,” which apparently is an anomaly we haven’t seen before. “Typically, a pulled patch is removed from the list entirely,” wrote Chris Goettl, product manager at Shavlik. “This could mean it may still come this month, but not today. These two patches were likely an OS and the Exchange patch based on the advanced notification list,” That is at least one less major product admins will need to be concerned about this Patch Tuesday, although the date to be determined could come at any time.”

As I’ve noted in previous posts, the few times I’ve experienced troubles after applying Microsoft updates have almost all included a fix for Microsoft’s widely-installed .NET platform. If you have .NET installed, it’s probably a good idea to install this one separately after applying the other updates and rebooting.

Adobe’s update addresses a whopping 18 security holes in Flash Player and Adobe AIR. Updates are available for Windows, Mac and Linux versions of Flash. Adobe says Adobe Flash Player users should update the program to the version 15.0.0.223. To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed, you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15.0.0.356 for Windows, Mac, and Android.

As if the credit card breach at Home Depot didn’t already look enough like the Target breach: Home Depot said yesterday that the hackers who stole 56 million customer credit and debit card accounts also made off with 53 million customer email addresses.

In an update (PDF) released to its site on Thursday, Home Depot warned customers about the potential for thieves to use the email addresses in phishing attacks (think a Home Depot “survey” that offers a gift card for the first 10,000 people who open the booby-trapped attachment, for example). Home Depot stressed that the files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information.

Home Depot said the crooks initially broke in using credentials stolen from a third-party vendor. The company said thieves used the vendor’s user name and password to enter the perimeter of Home Depot’s network, but that these stolen credentials alone did not provide direct access to the company’s point-of-sale devices. For that, they had to turn to a vulnerability in Microsoft Windows that was patched only after the breach occurred, according to a story in Thursday’s Wall Street Journal.

Recall that the Target breach also started with a hacked vendor — a heating and air conditioning company in Pennsylvania that was relieved of remote-access credentials after someone inside the company opened a virus-laden email attachment. Target also came out in the days after the breach became public and revealed that the attackers had stolen more than 70 million customer email addresses.

Home Depot also confirmed that thieves targeted its self-checkout systems, a pattern first reported on this blog on Sept. 18. The Wall Street Journal reported that the intruders targeted the 7,500 self-checkout lanes at Home Depot because those terminals were clearly referenced by the company’s internal computer system as payment terminals, whereas another 70,000 regular registers were identified simply by a number.

News of the Home Depot breach broke on this blog on Sept. 2, after multiple banks confirmed that tens of thousands of their cards had just shown up for sale on the underground cybercrime shop rescator[dot]cc. That same carding shop was also the tip-off for the breach at Target, which came only after Rescator and his band of thieves pushed millions of cards stolen from Target shoppers onto the black market.

Federal prosecutors in New York today announced the arrest and charging of a San Francisco man they say ran the online drug bazaar and black market known as Silk Road 2.0. In conjunction with the arrest, U.S. and European authorities have jointly seized control over the servers that hosted Silk Road 2.0 marketplace.

On Wednesday, agents with the FBI and the Department of Homeland Security arrested 26-year-old Blake Benthall, a.k.a. “Defcon,” in San Francisco, charging him with drug trafficking, conspiracy to commit computer hacking, and money laundering, among other alleged crimes.

Benthall’s LinkedIn profile says he is a native of Houston, Texas and was a programmer and “construction worker” at Codespike, a company he apparently founded using another company, Benthall Group, Inc. Benthall’s LinkedIn and Facebook profiles both state that he was a software engineer at Space Exploration Technologies Corp. (SpaceX), although this could not be immediately confirmed. Benthall describes himself on Twitter as a “rocket scientist” and a “bitcoin dreamer.”

Benthall’s arrest comes approximately a year after the launch of Silk Road 2.0, which came online less than a month after federal agents shut down the original Silk Road community and arrested its alleged proprietor — Ross William Ulbricht, a/k/a “Dread Pirate Roberts.” Ulbricht is currently fighting similar charges, and made a final pre-trial appearance in a New York court earlier this week.

According to federal prosecutors, since about December 2013, Benthall has secretly owned and operated Silk Road 2.0, which the government describes as “one of the most extensive, sophisticated, and widely used criminal marketplaces on the Internet today.” Like its predecessor, Silk Road 2.0 operated on the “Tor” network, a special network of computers on the Internet, distributed around the world, designed to conceal the true IP addresses of the computers on the network and thereby the identities of the network’s users.

“Since its launch in November 2013, Silk Road 2.0 has been used by thousands of drug dealers and other unlawful vendors to distribute hundreds of kilograms of illegal drugs and other illicit goods and services to buyers throughout the world, as well as to launder millions of dollars generated by these unlawful transactions,”reads a statement released today by Preet Bharara, the United States Attorney for the Southern District of New York. “As of September 2014, Silk Road 2.0 was generating sales of at least approximately $8 million per month and had approximately 150,000 active users.”

The complaint against Benthall claims that by October 17, 2014, Silk Road 2.0 had over 13,000 listings for controlled substances, including, among others, 1,783 listings for “Psychedelics,” 1,697 listings for “Ecstasy,” 1,707 listings for “Cannabis,” and 379 listings for “Opioids.” Apart from the drugs, Silk Road 2.0 also openly advertised fraudulent identification documents and computer-hacking tools and services. The government alleges that in October 2014, the Silk Road 2.0 was generating at least approximately $8 million in monthly sales and at least $400,000 in monthly commissions.

The complaint describes how federal agents infiltrated Silk Road 2.0 from the very start, after an undercover agent working for Homeland Security investigators managed to infiltrate the support staff involved in the administration of the Silk Road 2.0 website.

“On or about October 7, 2013, the HSI-UC [the Homeland Security Investigations undercover agent] was invited to join a newly created discussion forum on the Tor network, concerning the potential creation of a replacement for the Silk Road 1.0 website,” the complaint recounts. “The next day, on or about October 8, 2013, the persons operating the forum gave the HSI‐UC moderator privileges, enabling the HSI‐UC to access areas of the forum available only to forum staff. The forum would later become the discussion forum associated with the Silk Road 2.0 website.”

The complaint also explains how the feds located and copied data from the Silk Road 2.0 servers. “In May 2014, the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website at the time. On or about May 30, 2014, law enforcement personnel from that country imaged the Silk Road 2.0 Server and conducted a forensic analysis of it. Based on posts made to the SR2 Forum, complaining of service outages at the time the imaging was conducted, I know that once the Silk Road 2.0 server was taken offline for imaging, the Silk Road 2.0 website went offline as well, thus confirming that the server was used to host the Silk Road 2.0 website.”

The government’s documents detail how Benthall allegedly hatched a selfless plan to help the Silk Road 2.0 community recover from an incident in February 2014, wherein thieves stole millions of dollars worth of Bitcoins from community users.

“On or about September 11, 2014, Defcon had an online conversation with the HSI-UC, in which he discussed, in sum and substance, his intention to reopen the Silk Road 2.0 marketplace, and his plan to recoup the deficit of Bitcoins that had been stolen from Silk Road 2.0. Specifically, Defcon confirmed that the site needed to recoup approximately 2,900 Bitcoins to cover the loss, and stated that he intended to donate approximately 1,000 of his own Bitcoins to return liquidity to Silk Road 2.0 (“I’m planning to throw my 1000 BTC to kickstart the thing.”).”

“Defcon further acknowledged that the site had approximately 150,000 monthly active users (“We have 150,000 monthly active users. That’s why we have to save this thing.”). The HSI‐UC asked how long it would take to recover from the theft, and Defcon replied that it would take approximately three months’ worth of commission payments, if sales on Silk Road 2.0 continued at a steady rate (“Three months if sales continue at current pace and we don’t bottom out”). Thus, Defcon appears to have expected Silk Road 2.0 to generate approximately $6 million in monthly sales over the next three months, which would have resulted in commissions over that three‐month period totaling approximately $900,000 ‐ equal to approximately 1,900 Bitcoins at the then prevailing exchange rate.“

Benthall’s biggest mistake may have been using his own personal email to register the servers used for the Silk Road 2.0 marketplace. In the complaint against Benthall, an undercover agent who worked the case said that “based on a review of records provided by the service provider for the Silk Road 2.0 Server, I have discovered that the server was controlled and maintained during the relevant time by an individual using the email account blake@benthall.net.”

“To me, it appears that both the human element, an undercover agent, plus technical attacks in discovering the hidden service, both played a key part in this arrest,” said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

Federal agents also say they tracked Benthall administering the Silk Road 2.0 from his own computer, and using Bitcoin exchanges to make large cash withdrawals. In one instance, he allegedly cashed out $270,000, and used $70,000 for a down payment on a Tesla Model S, a luxury electric car worth approximately USD $127,000.

Benthall faces a raft of serious charges that could send him to federal prison for life. He is facing one count of conspiring to commit narcotics trafficking, which carries a maximum sentence of life in prison and a mandatory minimum sentence of 10 years in prison; one count of conspiring to commit computer hacking, which carries a maximum sentence of five years in prison; one count of conspiring to traffic in fraudulent identification documents, which carries a maximum sentence of 15 years in prison; and one count of money laundering conspiracy, which carries a maximum sentence of 20 years in prison.

A copy of the complaint against Benthall is available here.

Update, Nov 7, 9:01 a.m. ET: The National Crime Agency in the United Kingdom is reporting that the demise of Silk Road 2.0 was part of a much larger operation targeting more than 400 “dark web” sites. From their press release:

“The six people arrested on suspicion of being concerned in the supply of controlled drugs were a 20-year-old man from Liverpool city centre, a 19-year-old man from New Waltham, Lincolnshire; a 30-year-old man from Cleethorpes; a 29-year-old man from Aberdovey, Wales; a 58-year-old man from Aberdovey, Wales; and a 58-year-old woman from Aberdovey, Wales. All six were interviewed and have been bailed pending further enquiries.” Read more here.