Warning! Targeted Internet misdirection on the rise

Traffic from financial firms, government agencies, VoIP providers quietly hijacked and rerouted through ISPs in Belarus, Iceland, researcher says

Unknown attackers have successfully hijacked and redirected Internet traffic belonging to financial services companies, VoIP providers and governments many times over the past year.

Internet monitoring firm Renesys says it's observed such hijacked traffic during at least 60 days in 2013.

A total of about 1,500 individual IP blocks from 150 cities around the world have been intercepted, inspected and possibly compromised in incidents lasting from a few minutes to several days, the company said today.

Throughout February, for instance, online traffic at numerous financial services companies, network service providers and government agencies in the U.S. South Korea, Germany, the Czech Republic, Iran and other countries was redirected to an Internet Service Provider in Belarus.

Similarly, in May and again in July, Internet traffic from a large U.S. providers of managed network services was hijacked and routed through IP addresses owned by an Icelandic ISP.

In these and other cases, the intercepts were enabled through so-called " Man-in-the-Middle" attacks, when traffic flowing between two points is briefly rerouted to another location and then released back its original path. Such redirections allow attackers to surreptitiously inspect and modify traffic.

If the hijacked traffic is rerouted to a point close to the original destination, the entire caper can be carried with no noticeable lag in traffic time.

The attacks show in practical terms that Border Gateway Protocol (BGP) hijacking in not theoretical, it poses real problems, said Doug Madory, an analyst at Renesys.

BGP routers, which direct traffic between autonomous systems on the Internet, can be accessed by hackers to spoof the IP address of another entity to misdirect traffic there, Madory said. It's difficult to determine that the activity is criminal because such misdirection often occurs due to human error -- such as transposing the digits in an Internet address space. In most cases, such inadvertent misdirection is quickly caught and remedied.

Madory said it's likely the misdirection to the Iceland and Belarus ISPs found by Renesys earlier this year was deliberate. It is likely that people with access to BGP routers at these ISPs created the spurious routes unbeknownst to the ISPs or the victims, he added.

The attackers appear to have found a way to redirect only small portions of traffic bound for a specific destination to avoid being detected, Madory said.

"What's novel here is making just a small percent of the Internet believe the bogus route so they have a way to get traffic to that destination," without notice, Madory said. "If you announced the address space of somebody else and everyone else believed it, then all traffic (for the destination) will be routed to you."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingsecurityinternetRenesys

More about GatewayTopicTwitterVoIP

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place