We have been watching the Nationwide Insurance Network for a few months now, and have been impressed with the spam/ham ratio. Its spammyness is something like 100:1 in spam to ham. We have collected some 1,857 SPAM from 6 IP addresses on Nationwide's Network. The breakdown of spam and the hosts that sent it out are listed below:
The kinds of spam we received from Nationwide included Pharmacy spam advocating various Erectile Dysfunctions drugs, Rolex watches, graphic pornography, mortgage loans, weight loss and stock pump-n-dump. While writing this blog post we received 10 more stock pump-n-dumps touting stock ticker EKII which is down 9% as of Monday evening. Senderbase.com lists 126.96.36.199 as having a 10% increase in daily activity and notes that the host is blacklisted by SORBS.
The main question is if any of Nationwide's consumer data was compromised. We believe that 188.8.131.52 is an outbound NAT and that the 1,342 SPAM emitted from that IP address represent some set of internal machines that are compromised. The way that the headers were forged leads us to believe that there were several machines behind the suspected NAT.
Most malware does some form of key logging or post logging. Could an infection of this size compromise the integrity of their consumer data? Remember that in the TJX Data Breach researchers still don't understand how they got in, how they unencryped the data and the company is currently facing litigation in excess of over 1.6 Billion. CISOs need to understand that todays malware easily captures data before it gets encrypted and moves it off corporate networks without setting off an IDS. A good hint -- if your company is sending out spam you probably have a good botnet infection.
When we finally do get an IT security manager on the phone the first question they ask is if any of these spam have been forged. We answer this question as follows:
- We track all BGP announcements since Jan 2005. We monitor the BGP at several locations including our trap locations.
- We match up any bogons or route hijackings with the TCP connect data our spamtraps collect.
- AS26578 [ NATIONWIDEASN2 - Nationwide Services, Inc ] which is responsible for routing the addresses in question has not had a routing hijack during our period of analysis.
Furthermore, based on observations, had one of these blocks been hijacked the block would have had to be hijacked for a continuous period of several months. Such a routing hijack would have also been noticed as it would have effected outbound corporate e-mail delivery.
Not every Fortune 500 company we analyze are in as bad of shape as Nationwide Insurance. For example, we haven't received a single SPAM from Geiko Insurance during the same period. Next week we will let you know if Nationwide has brought their systems under control and if they have mitigated their problems.
We're of course ready to share information with Nationwide to help track the problem down and get it stopped.
OrgName: Nationwide Mutual Insurance Company
Address: One Nationwide Plaza
NetRange: 184.108.40.206 - 220.127.116.11
NetType: Direct Assignment
OrgTechName: West, Cher L.
------- ASN Deligation ------
OrgName: Nationwide Services, Inc
Address: ONE NATIONWIDE PLAZA
Address: M.S. 1-05-31
RTechName: West, Cher L.