
Posting another comment here too for visibility, but this _just_ happened to me as well...

Time Monday, December 27, 2021 at 1:41 PM EST Location São Paulo, SP 01323, BRAZIL IP address 160.116.88.235



Not sure it's really in Brazil.

LACNIC says the IP range was transferred to AFRINIC. They then say that it is owned by:

Affiliated Computing Services (Pty) Ltd descr: P. O. Box 261333 descr: Excom 2023 country: ZA

But then further note that ownership is in dispute! We need someone to look it up in the current routing tables to see where it's presently being routed to.


I also saw that very weird thing -- Brazil vs AFRINIC.

Help/insight from ASN? BGP? networking experts would be appreciated..! Thanks a lot


Far from an expert, but https://www.dan.me.uk/bgplookup lists it as owned by AS202769, which is apparently "Cooperative Investments LLC". Scamalytics[1] states that much of their address space is VPNs, so the trail may go cold here.

[1] https://scamalytics.com/ip/isp/cooperative-investments-llc


That IP is present in a cn record for visit[.]keznews[.]com, whose whois record lists an admin contact in CZ.

Be very wary of geo-ip results, on the modern internet they are effectively useless.


Ignoring VPNs, why are they useless?


I wouldn't go so far as useless, but they frequently exhibit significant inaccuracy, no matter which vendor/service you use. It's not unusual for me to query 7 APIs and be told the user is in 7 different cities spanning 5 states. At least there's usually a quorum at the country level. Given the market ($$$) for IPv4, this feels like it's only getting worse as more blocks of IPs are being sold, leased, transferred, even between continents/RIRs and the geo providers are always a few steps behind.

For the IP posted above, I have 3 providers claiming it's in Sao Paulo, 3 who say it's in Joburg (this is as accurate as anyone's going to get right now) and one says it's in Chicago! If I'm trying to do something with these results programmatically, I don't have a majority or a plurality to pick as a "winner" and I have to try weighting specific providers, which is a whole new mess.

Anyway, there's a good idea brewing in RFC8805 but it'd require pretty much every AS to play along.
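To make the "no majority, no plurality" problem above concrete, here is an added example (mine, not code from anyone in this thread): a vote across several geo-IP answers that refuses to pick a winner without a strict majority, the per-provider weighting workaround beside it, and a small RFC 8805 geofeed parser with longest-prefix lookup. The provider names and answers, and the geofeed lines (documentation prefixes only), are constructed sample data, not real lookups.

```python
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class GeoAnswer:
    provider: str
    country: str  # ISO 3166-1 alpha-2
    city: str


# Constructed sample: seven providers split 3 / 3 / 1, as described in the comment.
SAMPLE_ANSWERS = [
    GeoAnswer("prov_a", "BR", "Sao Paulo"),
    GeoAnswer("prov_b", "BR", "Sao Paulo"),
    GeoAnswer("prov_c", "BR", "Sao Paulo"),
    GeoAnswer("prov_d", "ZA", "Johannesburg"),
    GeoAnswer("prov_e", "ZA", "Johannesburg"),
    GeoAnswer("prov_f", "ZA", "Johannesburg"),
    GeoAnswer("prov_g", "US", "Chicago"),
]


def consensus(answers, level):
    """Unweighted vote at `level` ('country' or 'city'). Returns the value only
    when it holds a strict majority; None means 'no winner, do not act on it'."""
    tally = Counter(getattr(a, level) for a in answers)
    value, count = tally.most_common(1)[0]
    return value if count * 2 > len(answers) else None


def weighted_consensus(answers, weights, level):
    """Same vote with per-provider weights (default 1.0). This is the 'weighting
    specific providers' workaround; it only moves the tie, it does not make the
    underlying data any more accurate."""
    tally = Counter()
    total = 0.0
    for a in answers:
        w = weights.get(a.provider, 1.0)
        tally[getattr(a, level)] += w
        total += w
    value, score = tally.most_common(1)[0]
    return value if score * 2 > total else None


# Constructed RFC 8805 geofeed in the format the RFC specifies:
# ip_prefix,alpha2code,region,city,postal_code (postal_code usually left empty).
SAMPLE_GEOFEED = """\
# geofeed published by the address holder (constructed sample, documentation prefixes)
192.0.2.0/24,ZA,ZA-GP,Johannesburg,
192.0.2.128/25,ZA,ZA-WC,Cape Town,
2001:db8::/32,BR,BR-SP,Sao Paulo,
"""


def parse_geofeed(text):
    """Parse RFC 8805 geofeed CSV into (network, country, region, city) tuples,
    skipping comment and blank lines."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        prefix, country, region, city = [f.strip() for f in (row + [""] * 4)[:4]]
        entries.append((ipaddress.ip_network(prefix, strict=False), country, region, city))
    return entries


def geofeed_lookup(entries, ip):
    """Longest-prefix match. None means the holder published nothing for this
    address, which is the common case since few operators publish feeds."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country, region, city in entries:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country, region, city)
    return None if best is None else {"country": best[1], "region": best[2], "city": best[3]}


if __name__ == "__main__":
    print("country vote:", consensus(SAMPLE_ANSWERS, "country"))
    print("city vote:", consensus(SAMPLE_ANSWERS, "city"))
    print("weighted country vote:", weighted_consensus(SAMPLE_ANSWERS, {"prov_f": 3.0}, "country"))
    feed = parse_geofeed(SAMPLE_GEOFEED)
    for ip in ("192.0.2.10", "192.0.2.200", "198.51.100.5"):
        print(ip, "->", geofeed_lookup(feed, ip))
```

With the 3/3/1 split both votes come back None, and only putting a thumb on the scale for one provider produces a "winner", which is exactly why treating that winner as fact is risky. The geofeed path is the opposite situation: an answer straight from the address holder, but only where one has been published.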


I've routinely seen edge cases where geo IP databases are just wrong, even from providers like Google and others.

My home would routinely show up as from a country a thousand miles away. Friends down the street would show up several states over. Customers I know which were a state over would appear from a different country. The databases are usually right, but they're still often wrong. Often enough to cause frustrations.


Why ignore VPNs? I'm sure someone else can chime in but to my knowledge that's what makes them useless. You can't be sure someone isn't running VPN, then you can never be certain GeoIP is correct, thus it's useless.


Because everyone knows that VPN IPs’ geoloc is useless, so I assumed that those were being ignored. Also because it’s possible to see if an IP is (possibly) a VPN one by looking up the owner.


As with most things IP-related, this is only somewhat true. There are a lot of VPN providers that specialize in not getting their exit IPs marked as VPNs, so just because an IP isn't listed as a VPN by your intel provider of choice doesn't mean it's not a VPN. GDPR also means finding netblocks with super generic IP-whois is really easy.

Geo-ip is a perfect analysis trap, because it seems like it's probably a good idea so people put it into the roadmap. Then they spend forever tracking down all the ways it doesn't work (I bet you have customers in whatever geo you're thinking of blocking, there's a surprising amount of netblocks that are attributed incorrectly, etc), and then the sunk cost fallacy leads them to maintaining their creaky system. Imagine what you could have done with that effort in the meantime.

Now, let's put our badguy hat on. It takes effectively zero time to tell if your target is geo-blocking (compare your port results between several geos, or cheat with censys and shodan). Being blocked? Launch your attack from IP space in another geo. Pro-tip on that: nobody blacklists cloud provider IP space because of VDI solutions. You can migrate between stolen cloud accounts faster than the provider can suspend them, especially for reconnaissance and initial payload delivery.

Edit: see also, renting time on botnets, renting physical colo, compromising residential ISP equipment, and friends.


Perhaps this will help? https://bgpview.io/ip/160.116.88.235


Hmm. So I don't know if this means anything, but I was googling for the IP address and wound up at https://ipinfo.io/160.116.88.235 which says hostname: visit.keznews.com. When you go to that hostname, it's one of the best phishing sites I've ever seen. They dynamically inserted my ISP's logo (Spectrum) and tried to do a phishing attempt:

https://i.imgur.com/C9HQw1c.png

The full non-clickable URL:

  https://us.poonstate.click/us/i/spectrum/?track=u.pslnk.link&key=eyJ0aW1lc3RhbXAiOiIxNjQwNjM4NTIyIiwiaGFzaCI6IjNiZjRkYTg5MTA5MzMzNmU5NjRmMjZiNDY1NWUyN2UwMjk3NzI0OTYifQ%3D%3D&tsid=7ae4766b-0de5-4865-9f1b-025a45c71c3f&bemobdata=c%3D314f53db-f844-46ea-99f8-f277456639d3..l%3Df57d9a37-1c67-4958-ac52-6f4854ce6840..a%3D2..b%3D1..z%3D0.0016..e%3Dzr4b7f4393675711ecb78f122b3efc6f65f31163358f914cea90c49d2c8cc35b7b0612682b8c773fbcf1..c1%3Dwhiskey-oar-eAcMKVvZ..c2%3Dgriseous-trout..c4%3DDOMAIN..c6%3DNON-ADULT..c8%3D1655308..c9%3Dfbb8c5b0-5140-11ec-a217-0aea8b85a94f..c10%3D0#

I went through and answered the "questions", and it tried to take me to the actual phishing site:

https://i.imgur.com/wYt5WB3.png

https://i.imgur.com/Picaw4a.png

Screenshots of the actual phishing site

https://i.imgur.com/Bh5c2lZ.png

https://i.imgur.com/q7xnSki.png

https://i.imgur.com/GX4hWnQ.png

And its url (non-clickable):

  https://welcome.myonlineeconomy.com/us/238700/25/?pubid=aff-us&pob=3&click_id=61ca28bcf92ca000011aa4c0&subid=RT-60338e1b79fcbe00012195a3-168&utm_medium=mail&utm_term=ipadpro&terms=y&email=&fname=&lname=&fp=&address=&city=&zip=&state=&lpkeyua=a17666fa4eadface9331c0311b1e8875.1640638952

Now, the interesting part is that this phishing attempt only happened once. When I tried to visit again just now, it just says "something went wrong" (on the first site) and "Access denied" (on the second site).

I saved the sites to disk as I went, but I doubt these dumps will tell you much. Just in case though:

1. https://gist.github.com/shawwn/4deace812e7c752949a0df096ef66...

2. https://gist.github.com/shawwn/721f235e760dd2257cd760edb1188...

Long story short: It sounds like all of you got phished. I suspect you installed a malicious app that somehow targeted your web browser's LastPass extension, modifying it to send your master password to these fine people. ¯\_(ツ)_/¯


Hey,

That's quite possible, for sure. I am not beyond/above/below being phished like anyone else, ha!

The issue -- what makes it perplexing -- is that I haven't used this LastPass password since 2017. I know because this LastPass account was only used to share passwords within an org that I left back then.

Is it possible that I was phished 4 years ago, and they sat on the password? Sure.

But 2 other people in this thread being phished from the same exact same phishing server/group?

Or we were separately phished using different techniques, and now one Brazil server attempted to use all of our logins?

That's what's rather strange.


Hey guys I think that maybe this has to do with an exploit in the web browser LastPass extension about 5 years ago: HN POST: [0].

[0] https://news.ycombinator.com/item?id=12171547


Yeah, that's not impossible. Surprising that they sat on the passwords for so long, but this is quite possible. Thanks for the reference/link!


You don't necessarily know they sat on it. You only just got a notification of the failed login now.

That doesn't mean they didn't try stuffing it elsewhere previously, or have login attempts you weren't notified of.

Nor do you know if the entity responsible for the failed login is the one who originally captured the credentials.

If you'll forgive the wild speculation, your credentials could have been sold recently and the new owners are less picky about alerting victims to the breach.

It could be that a bunch of credentials were captured for a specific purpose. Perhaps it was a targeted attack aiming for a specific victim, you and others here were collateral damage, and now the attacker is selling the assets.


Yeah, totally agreed and all great points.

I also generally am more suspicious of the idea that they sat on the credentials for years. Although that is not impossible.

One disproving fact (of sitting on the password for years) is that a few people here in this thread confirm having a login attempt from the exact same ip range, but with an account that was created this year -- in one case, in November 2021:

https://news.ycombinator.com/item?id=29710262

So... it might turn out to be a much more recent vulnerability after all.


Couldn't it just be that someone got a copy of the password some years ago and now sold the list of credentials to someone else, who then tried to use it? Maybe the original owner of the list didn't realize some of the credentials were for LastPass, for example.

I'm still seeing hackers trying to log on using passwords I haven't used in ~10 years, because it's on a list somewhere.


I agree, that could make sense.

So LastPass (their extension) may have been hacked ~5 years ago ish, a few people here on the thread were all hacked in the same way, our passwords were sold off, and now the same Brazil IP range just tried all of those passwords.


Perhaps you can ask the other victims when they registered their accounts to see if that's true?


I've been trying to ask this to people posting reports, and although there are many "older" accounts (like mine, circa 2017 or older), at least 2 reports are from accounts created this year:

https://news.ycombinator.com/item?id=29710262

https://news.ycombinator.com/item?id=29711950

That would make "more sense" that our credentials weren't stored and unused for years, i.e. that this is possibly a new, recent breach.


This seems likely.


I feel like this sounds more like a zero-day exploit being used to target the LastPass login servers.


Great post, seriously.

How many extensions are you using again? :-)


Hmm. Tabist, Twitch Now, EditThisCookie, TooManyTabs, ublock, adblock, tampermonkey, disable Reddit CSS, FreshStart, Notion, Netflix auto-skip, gist from website, Auto Kill Sticky... and a couple I don’t recognize. I’ll post a full list when I’m back at a laptop.

“Too many” :)


The only ones I have that match up there are EditThisCookie and ublock (origin)

EditThisCookie was last updated November 22, 2020, so it doesn't seem likely from that.

ublock origin was updated December 2, 2021, but they haven't changed devs or anything that would make me suspicious.


That’s not a phishing site. That’s standard zero-click /smartlink monetization. It’s a lot to explain and I’m on mobile but it isn’t anything to do with phishing.


But, it certainly wasn't from Spectrum (my ISP), but they designed the page to make it look like it was.

I agree that it could be totally unrelated to the root mystery though. But "everyone here fell for malware or got phished" seems like the most likely explanation, even if my answer happens to be otherwise incorrect.


The site is an advertising redirect and these same attackers (or at least users of the same IP ranges) use leaked credentials to log in to Microsoft/Outlook accounts using SMTP
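The comment above describes leaked credentials being replayed over SMTP from the same IP ranges. As an added example from my side (not code from anyone in this thread), here is the mail-server-side detection that pattern invites: group failed SASL AUTH attempts by source /24 and flag ranges that cycled through several distinct usernames, which separates credential stuffing from one user fumbling their own password. The log lines are constructed samples in a Postfix-like shape; the `sasl_username=` field on the failure line is an assumption for the example, not a claim about what any particular mail server logs by default.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (documentation address ranges, example.com users).
# 198.51.100.0/24 tries four different accounts; 203.0.113.5 retries one account.
SAMPLE_LOG = """\
Dec 27 13:41:02 mx postfix/smtpd[1234]: warning: unknown[198.51.100.17]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice@example.com
Dec 27 13:41:05 mx postfix/smtpd[1234]: warning: unknown[198.51.100.17]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob@example.com
Dec 27 13:41:09 mx postfix/smtpd[1235]: warning: unknown[198.51.100.42]: SASL LOGIN authentication failed: authentication failure, sasl_username=carol@example.com
Dec 27 13:41:12 mx postfix/smtpd[1235]: warning: unknown[198.51.100.42]: SASL LOGIN authentication failed: authentication failure, sasl_username=dave@example.com
Dec 27 13:50:00 mx postfix/smtpd[1240]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=erin@example.com
Dec 27 13:50:30 mx postfix/smtpd[1240]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=erin@example.com
Dec 27 13:51:00 mx postfix/smtpd[1241]: connect from unknown[203.0.113.5]
"""

# Matches only SASL authentication failures that carry a username (assumed field).
LINE_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed"
    r".*?sasl_username=(?P<user>\S+)"
)


def parse_failures(text):
    """Yield (source_ip, username) for every failed AUTH line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def stuffing_ranges(text, min_users=3):
    """Group failed AUTH attempts by source /24 and return the ranges that tried
    at least `min_users` distinct usernames, mapped to the sorted username list.
    Grouping by range rather than single IP catches actors that rotate within a
    block, which is the behaviour the thread reports."""
    users_by_net = defaultdict(set)
    for ip, user in parse_failures(text):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        users_by_net[str(net)].add(user)
    return {net: sorted(users) for net, users in users_by_net.items() if len(users) >= min_users}


if __name__ == "__main__":
    for net, users in stuffing_ranges(SAMPLE_LOG).items():
        print(f"{net}: {len(users)} distinct usernames -> {', '.join(users)}")
```

On the sample, only 198.51.100.0/24 is flagged; 203.0.113.5 failed twice but always for the same account, which a blocklist keyed on failure count alone would have treated identically.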

