IP Reputation and the Nationwide Bomb Threat Hoax
The nationwide bomb threat hoax of Thursday, December 13, 2018 was easily detectable as fraudulent.
There were several smoking guns that could have quickly identified the bomb threats as bogus. The leading indicator was the IP block from which the emails were sent. Emails associated with this hoax came from the 194.58.x.x address range, a range well known in Internet security circles as malicious. IP reputation databases had flagged it as fraudulent as early as March 2015. Traffic from this range was commonly seen placing fraudulent orders on e-commerce sites, and the range also showed up repeatedly in fake reviews, click fraud, and hacking attempts.
Further investigation of the 194.58.x.x block shows with near-perfect certainty that the range was a well-known public proxy that reputation providers had already banned by hand. Said another way, this IP range was known to be among the worst of the worst, and mail originating from it should never have reached an inbox without being rejected or at least quarantined.
Internet security professionals need to use IP reputation services to determine whether an IP address is a proxy or VPN. Lookup tables with this information have existed for years. IP reputation services use machine learning and probability theory to infer a trust score for each IP address; a poor trust score means the address has a history of automated abuse. Two practical points apply: the score has to be checked against the IP that actually connected to the receiving mail server (the edge hop, not the sender-supplied headers, which are trivially forged), and because proxies and VPNs also carry legitimate users, the score is best used as a strong signal that drives rejection or quarantine rather than as the sole verdict. Online merchants and video streaming services already use advanced mathematics and modern data science to identify malicious Internet addresses, and e-mail providers should too.
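The check described above, as an added example that is not code from the original post: take the IP that handed the message to the receiving relay, match it against a CIDR reputation table by longest prefix, and turn the score and tags into a mail-flow decision. The reputation table, the relay hostnames (mx1.example.org, mx2.example.org) and the sample message are all constructed; the 194.58.0.0/16 entry mirrors the post's description of that range, and the thresholds are assumptions a real deployment would tune against its own feed.

```python
"""Score an inbound e-mail's connecting IP against a CIDR reputation table.

Added example, not code from the original post. The reputation table,
relay names and sample message are constructed; a real deployment would
pull scores from a commercial IP reputation or proxy/VPN feed.
"""
import ipaddress
import re
from email import message_from_string
from email.policy import default
from typing import Optional

# Constructed reputation table. Score runs 0 (worst) to 100 (clean).
# The 194.58.0.0/16 entry mirrors the post's description of that range;
# the 198.51.100.0/24 entry is hypothetical (RFC 5737 documentation space).
REPUTATION = {
    ipaddress.ip_network("194.58.0.0/16"): {
        "score": 3, "tags": {"public-proxy", "fraud", "click-fraud"}, "first_seen": "2015-03"},
    ipaddress.ip_network("198.51.100.0/24"): {
        "score": 35, "tags": {"vpn"}, "first_seen": "2018-06"},
}
# Addresses the feed has never seen get a neutral default rather than a pass.
UNKNOWN = {"score": 70, "tags": set(), "first_seen": None}

# Our own relays (hypothetical names). Only Received lines stamped "by" one of
# these hosts are trusted; everything below them is attacker-controllable.
OUR_MX = {"mx1.example.org", "mx2.example.org"}

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def connecting_ip(raw_message: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IP that handed the message to our relay, or None.

    Received headers are prepended, so walking them top-down the first one
    written by our own relay is the edge hop. Lines above it are internal,
    lines below it were supplied by the sender and may be forged.
    """
    msg = message_from_string(raw_message, policy=default)
    for received in msg.get_all("Received", []):
        text = str(received)
        by = _BY_HOST.search(text)
        if by and by.group(1) in OUR_MX:
            found = _BRACKET_IP.search(text)
            if found:
                try:
                    return ipaddress.ip_address(found.group(1))
                except ValueError:
                    return None
    return None


def lookup(ip) -> dict:
    """Longest-prefix match of ip (address object or string) against the table."""
    addr = ipaddress.ip_address(str(ip))
    best = None
    for net, info in REPUTATION.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else UNKNOWN


def verdict(info: dict) -> str:
    """Map a score/tags record to a mail-flow decision (thresholds assumed)."""
    if info["score"] < 10 or "public-proxy" in info["tags"]:
        return "reject"
    if info["score"] < 50 or "vpn" in info["tags"]:
        return "quarantine"
    return "deliver"


def triage(raw_message: str) -> dict:
    """Full pipeline: find the edge hop, score it, decide. Fail closed."""
    ip = connecting_ip(raw_message)
    if ip is None:
        return {"ip": None, "verdict": "quarantine", "reason": "no trusted Received hop"}
    info = lookup(ip)
    return {"ip": str(ip), "verdict": verdict(info),
            "score": info["score"], "tags": sorted(info["tags"])}


# Constructed message: an internal hop on top, the real edge hop from the
# flagged range in the middle, and a sender-forged "localhost" hop at the bottom.
SAMPLE = (
    "Received: from mx1.example.org ([10.0.0.5]) by store.example.org with ESMTP; Thu, 13 Dec 2018 18:02:11 +0000\n"
    "Received: from trusted-bank.example.com (unknown [194.58.0.25]) by mx1.example.org with ESMTP; Thu, 13 Dec 2018 18:02:10 +0000\n"
    "Received: from localhost (localhost [127.0.0.1]) by trusted-bank.example.com; Thu, 13 Dec 2018 18:01:59 +0000\n"
    "From: sender@trusted-bank.example.com\n"
    "Subject: urgent\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The forged bottom hop claims 127.0.0.1, which would look clean in any table; the code never reaches it because it stops at the first line stamped by one of our own relays. A message with no trusted hop at all is quarantined rather than delivered, so a misconfigured relay fails closed.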
In the Internet of Things (IoT), with 11 billion smart devices connected, we can’t allow hospitals, schools, and emergency services to be distracted by a dozen rogue devices like these. In life, reputation matters, but on that Thursday we let a few well-known bogus devices in Russia cause panic and fear.
We can do better — the data already exists.