Support Intelligence

Monday, April 30, 2007

Company Profile: Nationwide Insurance

We have been watching the Nationwide Insurance network for a few months now, and have been impressed with the spam/ham ratio. Its spamminess is something like 100:1 spam to ham. We have collected some 1,857 SPAM from 6 IP addresses on Nationwide's network. The breakdown of spam and the hosts that sent it out are listed below:

The kinds of spam we received from Nationwide included pharmacy spam advocating various erectile dysfunction drugs, Rolex watches, graphic pornography, mortgage loans, weight loss and stock pump-n-dump. While writing this blog post we received 10 more stock pump-n-dumps touting stock ticker EKII, which is down 9% as of Monday evening. lists as having a 10% increase in daily activity and notes that the host is blacklisted by SORBS.

The main question is whether any of Nationwide's consumer data was compromised. We believe that is an outbound NAT and that the 1,342 SPAM emitted from that IP address represent some set of internal machines that are compromised. The way the headers were forged leads us to believe that there were several machines behind the suspected NAT.

Most malware does some form of key logging or post logging. Could an infection of this size compromise the integrity of their consumer data? Remember that in the TJX data breach researchers still don't understand how the attackers got in or how they unencrypted the data, and the company is currently facing litigation in excess of 1.6 billion. CISOs need to understand that today's malware easily captures data before it gets encrypted and moves it off corporate networks without setting off an IDS. A good hint: if your company is sending out spam, you probably have a good botnet infection.
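The hint above is something a network team can check for itself: hosts that are not the authorized mail relay should not be opening SMTP connections to many different external servers. The following is an added example, not code from Support Intelligence or from this post, that runs that check over a few constructed flow records (the internal range 10.20.0.0/16, the relay address 10.20.0.25 and the destination addresses are all made up for the example):

```python
import ipaddress
from collections import defaultdict

# Constructed addresses for the example; substitute the real internal range
# and the real, authorized outbound mail relays when running this for real.
INTERNAL = ipaddress.ip_network("10.20.0.0/16")
AUTHORIZED_RELAYS = {ipaddress.ip_address("10.20.0.25")}

# Constructed flow records (timestamp, source, destination, protocol, dest port),
# in the shape a flow exporter summary would give after formatting.
FLOWS = """\
2007-04-30T18:00:01 10.20.0.25 203.0.113.10 tcp 25
2007-04-30T18:00:02 10.20.0.25 203.0.113.11 tcp 25
2007-04-30T18:00:05 10.20.3.77 198.51.100.5 tcp 25
2007-04-30T18:00:05 10.20.3.77 198.51.100.6 tcp 25
2007-04-30T18:00:06 10.20.3.77 198.51.100.7 tcp 25
2007-04-30T18:00:06 10.20.3.77 198.51.100.8 tcp 25
2007-04-30T18:00:09 10.20.3.77 192.0.2.44 tcp 25
2007-04-30T18:00:10 10.20.5.12 203.0.113.50 tcp 443
2007-04-30T18:00:12 10.20.5.12 198.51.100.9 tcp 25
"""


def parse_flows(text):
    """Turn the whitespace-separated records into (src, dst, proto, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, dport = line.split()
        records.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                        proto, int(dport)))
    return records


def direct_smtp_senders(records, internal=INTERNAL, relays=AUTHORIZED_RELAYS,
                        min_dests=3):
    """Return {src: distinct_external_smtp_destinations} for internal hosts that
    are not authorized relays and that opened TCP/25 to at least `min_dests`
    distinct external hosts. A workstation fanning out direct-to-MX connections
    is the network-level signature of a spam bot behind the corporate NAT."""
    dests = defaultdict(set)
    for src, dst, proto, dport in records:
        if proto != "tcp" or dport != 25:
            continue
        if src not in internal or src in relays or dst in internal:
            continue
        dests[src].add(dst)
    return {str(src): len(d) for src, d in dests.items() if len(d) >= min_dests}


def report(text=FLOWS):
    """Convenience wrapper so the check can be run on the constructed sample."""
    return direct_smtp_senders(parse_flows(text))


if __name__ == "__main__":
    # On the constructed sample this prints {'10.20.3.77': 5}:
    # the relay is excluded and 10.20.5.12 made only one direct SMTP connection.
    print(report())
```

The threshold `min_dests` exists because a single direct SMTP connection from a workstation is usually a misconfigured client; a host talking to many different remote MXs in a short window is what to escalate, and the same aggregation can be run per time bucket to catch bursts.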

When we finally do get an IT security manager on the phone, the first question they ask is whether any of these spam messages have been forged. We answer this question as follows:
  • We track all BGP announcements since Jan 2005. We monitor the BGP at several locations including our trap locations.
  • We match up any bogons or route hijackings with the TCP connect data our spamtraps collect.
  • AS26578 [ NATIONWIDEASN2 - Nationwide Services, Inc ] which is responsible for routing the addresses in question has not had a routing hijack during our period of analysis.

Furthermore, based on observations, had one of these blocks been hijacked, the block would have had to be hijacked continuously for a period of several months. Such a routing hijack would also have been noticed, as it would have affected outbound corporate e-mail delivery.

From the points above we conclude that the Nationwide Insurance network blocks were not hijacked in any way, and that several machines internal to their network have been compromised to send SPAM to the greater population of Internet users.
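The three steps above amount to a join between a BGP announcement history and the spamtrap's TCP connect log: for every connection, find the most specific route that covered the source address at that moment and check that its origin AS is the one registered for the block. The following is an added example, not Support Intelligence's tooling, that does this join over constructed data. The /16 is taken from the NetHandle in the ARIN record below and AS26578 from the ASN record; the individual source addresses, the timestamps and the short-lived more-specific route from AS64496 (a private-use AS number) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Announcement:
    """One route as seen at a BGP collector: the prefix, the origin AS, and
    the window during which the route was in the table (seen_until None
    means it is still announced)."""
    prefix: ipaddress.IPv4Network
    origin_as: int
    seen_from: datetime
    seen_until: Optional[datetime]


@dataclass(frozen=True)
class TrapConnect:
    """One TCP connection recorded by a spamtrap: source address and time."""
    src: ipaddress.IPv4Address
    when: datetime


def origin_at(table, ip, when):
    """Longest-prefix match among the routes that covered `ip` and were
    active at `when`; None if nothing covered the address then."""
    best = None
    for a in table:
        active = a.seen_from <= when and (a.seen_until is None or when < a.seen_until)
        if active and ip in a.prefix and (best is None or a.prefix.prefixlen > best.prefix.prefixlen):
            best = a
    return best


def attribute(table, connects, expected_as):
    """Bucket each connection by whether the route in effect at connect time
    was originated by the registered AS ('expected'), by some other AS
    ('suspect', the hijack case), or by nobody ('unrouted')."""
    result = {"expected": [], "suspect": [], "unrouted": []}
    for c in connects:
        a = origin_at(table, c.src, c.when)
        if a is None:
            result["unrouted"].append((c, None))
        elif a.origin_as == expected_as:
            result["expected"].append((c, a.origin_as))
        else:
            result["suspect"].append((c, a.origin_as))
    return result


NATIONWIDE_AS = 26578          # from the ASN record on this page
ROGUE_AS = 64496               # constructed: private-use AS number

# Constructed announcement history. The /16 corresponds to NET-155-188-0-0-1;
# the /24 is an invented, more-specific route that appears for three hours.
TABLE = [
    Announcement(ipaddress.ip_network("155.188.0.0/16"), NATIONWIDE_AS,
                 datetime(2005, 1, 1), None),
    Announcement(ipaddress.ip_network("155.188.7.0/24"), ROGUE_AS,
                 datetime(2007, 3, 10, 2, 0), datetime(2007, 3, 10, 5, 0)),
]

# Constructed spamtrap connections.
CONNECTS = [
    TrapConnect(ipaddress.ip_address("155.188.7.25"), datetime(2007, 3, 10, 3, 15)),  # inside the rogue window
    TrapConnect(ipaddress.ip_address("155.188.7.25"), datetime(2007, 3, 11, 3, 15)),  # after it was withdrawn
    TrapConnect(ipaddress.ip_address("155.188.40.9"), datetime(2007, 4, 2, 12, 0)),
    TrapConnect(ipaddress.ip_address("198.51.100.4"), datetime(2007, 4, 2, 12, 0)),   # not covered by any route
]


def summary(table=TABLE, connects=CONNECTS, expected_as=NATIONWIDE_AS):
    """Counts per bucket; a non-zero 'suspect' count is what would have made
    the 'was it forged?' question worth a closer look."""
    return {k: len(v) for k, v in attribute(table, connects, expected_as).items()}


if __name__ == "__main__":
    print(summary())   # {'expected': 2, 'suspect': 1, 'unrouted': 1} on the sample
```

A real run would feed `TABLE` from archived RIB dumps and updates (the post says the authors keep their own since January 2005) and `CONNECTS` from the trap's connection log; the longest-prefix rule matters because a hijack is most often a more-specific announcement rather than a replacement of the registered prefix.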

Not every Fortune 500 company we analyze is in as bad shape as Nationwide Insurance. For example, we haven't received a single SPAM from GEICO Insurance during the same period. Next week we will let you know if Nationwide has brought their systems under control and if they have mitigated their problems.

We're of course ready to share information with Nationwide to help track the problem down and get it stopped.

OrgName: Nationwide Mutual Insurance Company
OrgID: NMI-20
Address: One Nationwide Plaza
City: Columbus
StateProv: OH
PostalCode: 43215
Country: US

NetRange: -
NetName: NATE
NetHandle: NET-155-188-0-0-1
Parent: NET-155-0-0-0-0
NetType: Direct Assignment
RegDate: 1991-11-21
Updated: 2006-08-03

OrgTechHandle: CLW-ARIN
OrgTechName: West, Cher L.
OrgTechPhone: +1-614-249-8631

------- ASN Delegation ------
OrgName: Nationwide Services, Inc
Address: M.S. 1-05-31
StateProv: OH
PostalCode: 43215
Country: US

ASNumber: 26578
ASHandle: AS26578
RegDate: 2002-10-21
Updated: 2002-10-21

RTechHandle: CLW-ARIN
RTechName: West, Cher L.
RTechPhone: +1-614-249-8631


© Copyright 2006 Support Intelligence, LLC • All rights reserved