How Internet addresses are stolen in new scam

Inquiry. A computer user in Uganda. A recent investigation showed theft and unscrupulous leasing of African IP addresses to computer users. Photo by Alex Esagala

The African Network Information Centre (AFRINIC), the continent’s Internet address registry, is investigating theft and leasing of large swathes of Internet Protocol (IP) addresses from its system, including through companies registered in Uganda.

IP addresses are used throughout the world by all Internet users. Five non-profit bodies are charged with managing the allocation of blocks of IP addresses to commercial companies, governments, academic institutions, Internet Service Providers (ISPs) and other end users, one body for each of five regions of the world.

Each of these five bodies, AFRINIC (Africa), whose headquarters are in the island nation of Mauritius off the East African coast, LACNIC (Latin and South America), ARIN (North America), RIPE (Europe) and APNIC (Asia/Pacific), manages IP address allocations only for its specific assigned geographic region.

An Internet Protocol (IP) address is a unique identifying number assigned to each device that connects to the Internet; it is the number other devices use to communicate with it.

For example, when you try to visit “www.monitor.co.ug,” your browser first has to translate that symbolic domain name into an IP address.

To access any website from your device (computer, tablet or phone), you need an IP address from your Internet service provider (ISP).

ISPs, in turn, obtain their stocks of IP addresses from one of the five regional Internet registries mentioned above.

The world’s five Internet registries have run out of the valuable Internet Protocol version 4 (IPv4) address blocks to give to organisations. As a result, blocks of consecutive IPv4 addresses have become exceptionally valuable in recent years, with even modest-sized blocks fetching as much as $1m (Shs3.6b) in what is now a regular trade.

At these prices, IP address blocks have in recent years also caught the attention of black marketeers.

The theft and unscrupulous leasing of African IP addresses was first laid bare by a California-based Internet investigator, Ron Guilmette, after five months of systematically digging through various records.

Armed with evidence, he presented the findings to AFRINIC but was first ignored until an internal forensic investigation was launched a few months ago. Daily Monitor collaborated with Mr Guilmette and South African technology website, My Broadband, on this story.

In an email response to our inquiries, the AFRINIC chief executive officer, Mr Eddy Kayihura, confirmed that the registry initiated an independent investigation once the allegations came to light.

“The investigation is still ongoing and owing to the complexity of the issue, it would not be proper for us to either directly or indirectly comment on the said allegations.”

Mr Guilmette stumbled upon the scam, which he said the available evidence “strongly suggests was an inside job” at AFRINIC, while investigating the misappropriation of African IP address blocks.

Beginning in 2016, Mr Guilmette said, he began to notice that a substantial number of AFRINIC-managed IP address blocks appeared to be in use by parties to which they were not actually or formally registered.

He mentioned this on some email mailing lists that are frequented by high-level Internet network administrators from around the world, but at the time, no one thought much about it.

Mr Guilmette noticed the same unexplained peculiarities in 2017 in relation to AFRINIC-managed IP address blocks. He again reported his early findings and suspicions on the same mailing lists frequented by Internet network administrators. Again, nothing came of it at the time.

In mid-2019, however, Mr Guilmette said he once again could tell that something was going wrong with quite a lot of AFRINIC-managed IP address blocks, but this time he decided to launch an investigation.

Several months into the investigation, Mr Guilmette said, his findings began to point to, among other individuals, Mr Ernest Byaruhanga, a Ugandan-born employee of AFRINIC who had served as its policy coordinator since 2004, when the body was established.

Mr Byaruhanga resigned his position on October 24, a day after Mr Guilmette had confronted him via email with records linking him to the dodgy creaming off of the lucrative IPv4 addresses.

Mr Kayihura confirmed Mr Byaruhanga’s exit but was non-committal on discussing more details.

Daily Monitor has, however, seen a limited distribution email message which was sent only to the dues-paying member ISPs of AFRINIC indicating that Mr Byaruhanga was “suspended.”

The complex scheme
On September 9, 2013, at 10:35:32am, a domain name, ipv4leasing.org, was registered by one Ernest Byaruhanga.

The term ‘domain name’ is used to denote any one of the billions of symbolic names that are used to access all manner of features and functions on the Internet.

For example, “www.monitor.co.ug” is the domain name used to access the Daily Monitor’s website. When you are sending an email to anyone say via Gmail, you send using the “gmail.com” domain name.

A few seconds after ipv4leasing.org was registered in September 2013, at 10:35:46am, another domain, ipv4leasing.net, was registered, but with its registration details concealed.

However, going by its web content, it deals in the sale and leasing of valuable IPv4 addresses.

Historical registration records show that the ipv4leasing.org domain name was registered on September 13, 2013 by and to Mr Byaruhanga.

Because the domain name ipv4leasing.net was registered in exactly the same minute on the same day in 2013, “it seems to be a dead certainty that the Ipv4leasing.net domain also was registered by and to Mr Byaruhanga,” Mr Guilmette stated.

“This is important because the web site of Ipv4leasing.net is clearly attempting to sell and/or lease valuable IP address blocks, and it is not immediately clear what the source of those blocks might be.”

Daily Monitor has seen documents linking Mr Byaruhanga to companies, registered in his name, operating IP brokerage while he was still an employee of AFRINIC.

Mr Kayihura said neither AFRINIC staff members nor its directors are allowed to operate IP brokerages.

“This is against our policies, principles of ethics and standards. Hence, AFRINIC will not hesitate to take such action(s) as it may deem fit against any of its staff or director who are found to have breached those standards,” he said.

Attempts over several weeks to talk to Mr Byaruhanga were futile. The telephone numbers listed on the registration documents for companies in his name were answered by people who said they had never heard of him, and our emails went unanswered.

We eventually attempted to contact him through the Uganda Chapter of the Internet Society, part of the global body of individual and organisational members committed to maintaining the viability of the Internet, where Mr Byaruhanga is a board member, but we were told that he had said he “was unavailable.”

“This side business of his is unambiguously a direct conflict of interest with his official duties there, and it raises the obvious question of how he came to have IPv4 addresses to sell and/or lease via this side business of his,” Mr Guilmette said.

Besides the domain ipv4leasing.org, Uganda Registration Services Bureau (URSB) records show that a company, IPV4 Leasing, was registered later, in April 2015, under Ernest Byaruhanga’s name.

According to Mr Guilmette, the ownership of the Ugandan company named ‘IPv4 Leasing’ provides additional evidence connecting several blocks of IP addresses to a company under Mr Byaruhanga’s control.

Mr Guilmette also said the domain ipv4leasing.net is mentioned several times in the official AFRINIC registration records associated with the IP address blocks that appear to have been stolen.

One of the IP blocks was 213.247.0.0/24, which belonged to a company called “Finance Trust Bank”.
It was a sub-allocation of a larger block (213.247.0.0/19) that belonged to an entity called Link Data Group.

“Link Data Group” is also connected to CGHB in the form of an e-mail address, [email protected]. This is the same CGHB entity in the official AFRINIC registration records that had Mr Byaruhanga’s name attached to it as an administrative contact person at various times during 2012 and 2013.

The AFRINIC registration information for the 213.247.0.0/24 block contained the following line: “changed: [email protected].”

The “ipv4leasing.net” domain also came up in the AFRINIC registrations of IP address blocks held by several other companies: Dishnet Africa Ltd (South Sudan), AFRIKANET ONLINE SARL, and TruIT Internet Services (Kampala, Uganda).

In addition to Link Data Group, there is another company in the official AFRINIC registration records where the “ipv4leasing.net” domain appears: ITC Digital.
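The registration details described above (a /24 sub-allocated from a /19, with a `changed:` line pointing at a brokerage domain) are the kind of thing a registry auditor would check mechanically. The following Python sketch is an added illustration, not code from the article or from AFRINIC: it parses constructed RPSL-style inetnum objects, derives each block’s parent allocation from address containment, and flags `changed:` contacts whose e-mail domain is on an assumed list of brokerage domains. Only the two prefixes and the domain ipv4leasing.net come from the article; every other value is invented.

```python
import ipaddress
import re

# Constructed sample of AFRINIC-style (RPSL) inetnum objects. Only the two
# prefixes and the domain ipv4leasing.net come from the article; the rest is invented.
SAMPLE_WHOIS = """\
inetnum:   213.247.0.0 - 213.247.31.255
netname:   LINKDATA-NET
status:    ALLOCATED PA
changed:   hostmaster@example.net 20120101

inetnum:   213.247.0.0 - 213.247.0.255
netname:   FINANCE-TRUST-BANK
status:    SUB-ALLOCATED PA
changed:   admin@ipv4leasing.net 20130915
"""

# Assumed watch-list of domains that should not be maintaining other parties' blocks.
BROKER_DOMAINS = {"ipv4leasing.net", "ipv4leasing.org"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def parse_rpsl(text):
    """Split an RPSL dump into objects, each a dict of attribute -> list of values."""
    objs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            obj.setdefault(key.strip(), []).append(val.strip())
        objs.append(obj)
    return objs


def to_network(inetnum):
    """'start - end' -> CIDR network, or None if the range is not one CIDR block."""
    start, end = (ipaddress.ip_address(s.strip()) for s in inetnum.split("-"))
    nets = list(ipaddress.summarize_address_range(start, end))
    return nets[0] if len(nets) == 1 else None


def audit(text):
    """Return (cidr, parent_cidr, flagged_broker_domains) for each object in the dump."""
    objs = parse_rpsl(text)
    nets = [to_network(o["inetnum"][0]) for o in objs]
    findings = []
    for obj, net in zip(objs, nets):
        # The most specific other object containing this one is its parent allocation.
        parents = [n for n in nets if n is not None and net is not None and n != net and net.subnet_of(n)]
        parent = max(parents, key=lambda n: n.prefixlen) if parents else None
        domains = {m.group(1).lower() for v in obj.get("changed", []) for m in EMAIL_RE.finditer(v)}
        findings.append((str(net), str(parent) if parent else None, sorted(domains & BROKER_DOMAINS)))
    return findings
```

Run against a real registry dump, the same check would surface every block whose maintenance history is tied to a domain unrelated to the registered holder, which is exactly the pattern the investigator describes.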

A portion of one of ITC’s several assigned IP address blocks was later sold to another company, the Mauritian/South African TotalSend, with the deal brokered through a company called SMSPLUS registered in Kampala.

Historical AFRINIC registration records show that the company that is currently calling itself ‘ITC’ in the official records, was originally an entirely different and unrelated (and nowadays long-defunct) African ISP company named AfriQ*Access, Inc.

This company was briefly based in Cameroon in 2009. (According to Mr Guilmette’s research, this Cameroonian ISP apparently failed and went out of business at least 10 years ago.)

The relevant AFRINIC records appear to indicate that after AfriQ*Access, Inc. ceased to be a going concern, its very corporate identity was stolen, and whoever took it then changed the AFRINIC registration records to make it appear that the company had been named ‘ITC’ all along.

“In effect, this looks like a case of corporate identity theft,” Mr Guilmette observed.

More evidence from the historical AFRINIC records supports this view. Just as the name of AfriQ*Access, Inc. was being fraudulently mutated into ‘ITC’, the company’s mailing address was also fraudulently changed from its initial (and valid) address in Conakry, Guinea, first to an address in the Lynnwood Ridge section of Pretoria, South Africa, and then later on to a particular office number in Amber House building in Kampala.

Daily Monitor tried to follow up on this latter lead, but was unable to establish any absolute or clear connection to the overall IP address scam by press time.

Records from September 2012, seen by this newspaper, show that a person using the name “Inno” wrote via [email protected] to an executive of TotalSend, a South African online marketing company, about the possibility of supplying IP addresses.

“We can sell or lease to you a block of public IP addresses for use immediately. Please let us know how much you need and your budget and we shall proceed,” Inno wrote.

After back-and-forth exchanges, Inno changed the sending address from [email protected] to [email protected] and also indicated that he was now based in Kampala. In subsequent correspondence, Inno quoted $2,500 (Shs9.1m) as the one-off price for the IP addresses sought.

When asked for his surname, “Inno” replied that he was “Inno Byaruhanga.” “Inno Byaruhanga” provided his bank details to TotalSend to complete the sale: an account in the name of Amiek Holdings Ltd at Stanbic Bank. TotalSend made the payment and the deal closed, but not without glitches. For example, in early October 2012 it emerged that the first IP address block Inno had attempted to sell was already assigned to a customer in the US, whereupon he proposed a swap deal.

The URSB records in Kampala show that Amiek Holdings Ltd was registered in December 2009 to two shareholders; Ernest Byaruhanga and Annette Nankanja Byaruhanga, presumably a couple. Other listed directors were minors, all with the surname “Byaruhanga.”

Also listed on the records as the company secretary is one Mr Andrew Kabombo, a lawyer and managing partner at one of the top law firms in Kampala. Mr Kabombo declined to comment on the matter.

TotalSend’s executives acknowledged acquiring IP addresses from a trader identifying themselves as “Inno” but added that they did not suspect false identities.

TotalSend, which is incorporated in Mauritius and has offices in South Africa, explained that in 2012 it wanted to expand its business and inquired about getting its own block of IP addresses from AFRINIC, but at that time its infrastructure was hosted in the UK.

“The problem the business faced at that point was that it was registered in Mauritius which falls under AFRINIC, but it had no real presence or servers based in Africa,” TotalSend general manager Duncan Land told MyBroadband.

“The business at the time was only a couple of people (based in South Africa), and needed IPs urgently to meet expansion,” he said.

“Getting these [IP addresses] from ISPs was not scalable,” said Land. “They hate hosting e-mail providers as abuse complaints come with the territory.”

“That’s when Inno popped on to the scene and offered to sell us a range, and his approach and ownership of the IPs checked out at face value. We proceeded and everything went smoothly, so we had no reason to doubt any legitimacy,” said Land.

Involvements
Historical registration records for the smsplus.ug domain, archived by DomainTools.com, a provider of WHOIS and domain profile data for threat intelligence, show that on November 10, 2012 the smsplus.ug domain name was registered to a corporate entity, Mobile Ideas Ltd, with Mr Kabombo as the contact person.

According to the official URSB company registration for SMSPlus, one Albert Byaruhanga is listed as the managing director.

Mr [Ernest] Byaruhanga is also linked to another block of IP addresses that changed identity in mysterious ways.

He was the designated administrative contact for the Cape of Good Hope Bank (CGHB) IP address block in the official AFRINIC registration database at various times during 2012 and 2013.

According to MyBroadband, even more curious is the fact that Nedbank acquired Cape of Good Hope Bank in 2003, which raises the question of why a long-defunct company, CGHB, was awarded new IP address space on 18 July 2014, more than ten years after it had been acquired by another bank.

“This seems to be yet another case of corporate identity theft,” Mr Guilmette cautions.