Trying to understand IP addresses and a hacker

Started by jessjot, November 26, 2020, 01:37:30 AM


jessjot

I met someone on Facebook who was a computer nerd, very secretive and paranoid. They hid their friend list, work occupation, everything.
We talked awhile and later that night, I noticed an active session showing someone had hacked into my Facebook account from out of town.
It matched generally the area they said they were from.

Some time later, a friend of mine talked to this same person, and they, too, were hacked by someone with the same IP address. The location was the same: Bolingbrook, Illinois.
Some time after that another person I know also was hacked by a very similar IP: the first 3 octets the same, but a different 4th octet.
Finally.... some weeks later my AOL mail was hacked. A remote login session, from a similar IP address. Again, the first 3 numbers the same, 4th different, but all showing from Bolingbrook, Illinois.
In all these instances they stayed connected: an active, open session. They didn't just hack in and leave.

Now, due to circumstances I won't get into...... I know for an absolute fact that this person actually hacked the 3 Facebook accounts. I strongly suspect they also hacked the AOL account.
My thinking was the hacker has a dynamic IP address, so this would explain why the first 3 numbers are always identical and the 4th varies.
But here's where my confusion comes in.

When I go to AbuseIPDB.com and look up the addresses the hacking is coming from, I see 8 or 9 other people who have reported the same IPs.
Okay, so this person is doing a lot of hacking.

But then I thought I'd check something.
I started going down the list changing the 4th octet, and looking up the same "network" (keeping the first 3 numbers the same).
It's getting kind of unreal, considering the 4th octet goes up to 254 (I don't have all night, but I get the picture of what I'm going to see).
Could this all be one person, doing all this hacking?
Even if there's say 5 hacking instances per dynamic IP, then this person would have hacked over 1200 sites.
And that would be only the hacks that were caught, AND reported to this website!
Is this '107.77.173.x' a legitimate network/location, like a single person's computer, is it a network of hackers...... or what exactly is this?


107.77.173.1    (3 people reported being hacked)
107.77.173.2    (10 reports....)
107.77.173.3    (5)
107.77.173.4    (12)
107.77.173.5    (6)
107.77.173.6    (4)
107.77.173.7    (5)
107.77.173.8    (2)
107.77.173.9    (9)
107.77.173.10   (14)
107.77.173.11   (8)
107.77.173.12   (10)
107.77.173.13   (2)
107.77.173.14   (3)
107.77.173.15   (1)
107.77.173.16   (2)
107.77.173.17   (1)
107.77.173.18   (2)
107.77.173.19   (0)
107.77.173.20   (6)
107.77.173.21   (3)
107.77.173.22   (2)
107.77.173.23   (5)
107.77.173.24   (4)
107.77.173.25   (3)

...... and on.... and on......

https://www.abuseipdb.com/check/107.77.173.27
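The "first 3 octets the same" reasoning in the post is a /24 network, and the "5 per IP times 254" extrapolation can be checked mechanically. This is an added example, not code from any poster: it parses the report counts transcribed above (only a constructed subset is embedded), confirms every address sits in one /24, and projects the totals the way the post does. The count across a block of shared or dynamic addresses measures how busy the block is, not how many attacks one person made, which is the point the replies make about re-used IPs.

```python
import ipaddress
import re

# Constructed subset of the "IP (report count)" lines transcribed in the post.
REPORTED = """\
107.77.173.1    (3 people reported being hacked)
107.77.173.2    (10 reports....)
107.77.173.3    (5)
107.77.173.4    (12)
107.77.173.11   ( 8 )
107.77.173.19   (0)
"""

# Address, then the first integer inside the parentheses (tolerates "( 8 )").
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\(\s*(\d+)")


def parse_reports(text):
    """Return {ip_address: report_count} from 'a.b.c.d (N ...)' lines."""
    counts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[ipaddress.ip_address(m.group(1))] = int(m.group(2))
    return counts


def same_slash24(counts):
    """'First three octets identical' is exactly a /24; check all addresses are in it."""
    first = next(iter(counts))
    net = ipaddress.ip_network(f"{first}/24", strict=False)
    return net, all(ip in net for ip in counts)


def summarize(counts):
    """Totals for the addresses seen, plus the post's whole-block projection."""
    net, ok = same_slash24(counts)
    total, seen = sum(counts.values()), len(counts)
    usable = net.num_addresses - 2          # 254 host addresses in a /24
    return {
        "network": str(net),
        "all_in_network": ok,
        "usable_hosts": usable,
        "addresses_seen": seen,
        "reports_seen": total,
        # Same arithmetic as "5 per IP -> over 1200", using the observed mean instead of 5.
        "projected_if_whole_block": round(total / seen * usable),
    }
```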

deanwebb

Not the first time those three octets have been mentioned in a post discussing getting hacked after a FB convo with someone from the Greater Chicago area.

https://forums.tomshardware.com/threads/unnerved-about-being-hacked.3628605/

Facebook hacking comes from installing apps that want to use your FB profile for stuff and then turn around and open the door for someone else. Also from giving out personal details. Also also from clicking on links that you shouldn't have clicked on.

Contact ATT abuse with the time and date of the attacks and they'll be able to find out exactly which customer had issues with you at that time - and keep in mind that it could very well have been someone proxying through that other party's PC from another source location.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

jessjot

This is kinda chilling, looking up the IP that was hacked in my email.
BTW I'm absolutely NOBODY. I don't work in politics, in fact I'm laid off, lol..... I have no idea why someone would want to sit and monitor me. They were in there for over a week before I noticed.

https://whois.arin.net/rest/net/NET-107-64-0-0-1/pft?s=107.77.173.4

>>>
Point of Contact
Note: ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2019-12-05
>>>

This subnet, if you forgive my bad terminology (107.77.173), is hacking a LOT of people. I can only guesstimate by the numbers I'm seeing on abuseipdb.com, maybe 10% of the attempts were actually noticed and reported on the website (1200). That could easily work out to 12,000 hacking attempts over several years.
But what are those first three numbers, a network? A server? Or is it the designation of an IP provider?
All of the hacks I've seen have always had the first 3, and always show that location.

I called AT&T and was transferred around about 18 times, and was told absolutely nothing. They don't even have a place to report a bad IP.
They basically tried to sell me stuff, then thank you buh-bye.
Strangely, no matter where I get transferred at AT&T the same Malaysian woman seems to answer. And it's been that way for years lol.


deanwebb

If you think that one is bad, take a look at the subnet in Shanghai that the Chinese military uses for cyberattacks. :smug:

Also, have you changed your passwords, made sure your email is the email of record for your accounts, and gotten your Windows Defender up-to-date?

jessjot

I've got hopes he'll get bored with me and/or can't crack 2 factor authentication lol.
Anyway I talked to this person.  Or at least texted with them.
They claimed to be in school getting an AI degree, and he bragged about speaking Russian.  I saw him texting with someone on FB in that, too.  FB auto-translated it all.
It might have been his native language, I'm not sure.
Not to sound like a cliché (Russian hacker) but in this case it seemed true.
What if they're using AI somehow, to hack sites? You know.. run thousands of automated attacks....test their vulnerabilities, and the computer learns to crack in?
Government espionage?   LOL
I dunno. I can go all day with ideas.

I guess I'm not going to find anything out about this network. So they get to snuff around and open my email at their leisure, hiding in their peachy anonymity, nice.
I'm tired of only the hackers being in the know :|

Anyway if anybody has the skills as a white hat and is curious, msg me and I'll give you what I've got. Could earn you a Gryffindor badge.....

deanwebb

AI has been hacking away for some time, in terms of running brute force and dictionary attacks on unprotected sites about 25 years ago, give or take. Since then, the tools have developed to be able to detect and then exploit shortcuts in passwords. For vulnerabilities, those are very very easy to find. All one needs is a port scanner and the knowledge about what to do with open ports. The tools are widely available and are either cheap or free.

The simplest block (shame on me for not thinking this earlier) is to go to your ISP router firewall configuration and just block all traffic from that subnet. If the attacks pivot and use a different subnet of origin after that, block that one as well. Once it's where the attacks are not worth the effort, they stop and move to the next target. Remember that attackers also have budgets and financial goals to meet. Enough obstruction and delay will steer them away.

If you are being personally targeted, that's a matter for law enforcement, as the lack of financial reward means the attacker is getting his return on investment in the form of knowingly causing you grief.

icecream-guy

just change all your passwords, have no further interaction with this person, dump all the social accounts, if you cannot, call the company, tell them you are being harassed and to delete your account. you are better off without all those online social accounts anyway.
:professorcat:

My Moral Fibers have been cut.

Dieselboy

You've got to use a 2nd factor everywhere. It's the ONLY way to have some security these days. Even then, apparently the most common hacking is still social engineering.

IPs get re-used, as well as individuals getting hacked themselves and then being used as a place for hackers to start other attacks from.

Don't give out your info. Don't talk to people you don't know. Always use 2FA everywhere. Always do your updates. Don't use the same password everywhere.

Quote from: deanwebb on November 28, 2020, 08:55:59 AM
The simplest block (shame on me for not thinking this earlier) is to go to your ISP router firewall configuration and just block all traffic from that subnet. If the attacks pivot and use a different subnet of origin after that, block that one as well. Once it's where the attacks are not worth the effort, they stop and move to the next target.

Traffic from the internet will hit the "deny any" rule on the last line of the rule list anyway.

Quote from: deanwebb on November 28, 2020, 08:55:59 AM
If you are being personally targeted, that's a matter for law enforcement, as the lack of financial reward means the attacker is getting his return on investment in the form of knowingly causing you grief.

Yep, also it's harassment.

Similarly, if you go into a public place like a public park and use a video camera to make a recording, then it's completely fine. But if you go into the same place and follow one person while recording them, then it's harassment.
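To put deanwebb's per-subnet block and Dieselboy's "deny any on the last line" remark side by side, here is an added example (not from any poster) that evaluates a constructed, first-match inbound rule list; the stateful "established" rule and the example addresses are assumptions. It shows that unsolicited inbound traffic is denied with or without the subnet rule, and that what the subnet rule actually changes is return traffic for sessions the user opened toward that block.

```python
import ipaddress

# Constructed, first-match rule list in the style of a home router's inbound ACL.
# Each rule: (action, source network, established_only).
# Assumption: the router is stateful, so replies to connections the user opened
# match an "established" rule; unsolicited inbound falls through to the last line.
RULES = [
    ("deny",   "107.77.173.0/24", False),  # the per-subnet block suggested in the thread
    ("permit", "0.0.0.0/0",       True),   # return traffic for sessions we started
    ("deny",   "0.0.0.0/0",       False),  # the "deny any" on the last line
]


def evaluate(rules, src_ip, established=False):
    """Return (action, matched_network) for the first rule this inbound packet hits."""
    src = ipaddress.ip_address(src_ip)
    for action, net, est_only in rules:
        if est_only and not established:
            continue
        if src in ipaddress.ip_network(net):
            return action, net
    return "deny", None  # nothing matched: implicit default deny


def without_subnet_block(rules):
    """The same rule list with the per-subnet deny removed."""
    return [r for r in rules if r[1] != "107.77.173.0/24"]


def compare(src_ip, established=False):
    """Which line stops (or passes) a packet, with and without the subnet block."""
    return (evaluate(RULES, src_ip, established),
            evaluate(without_subnet_block(RULES), src_ip, established))
```

Unsolicited inbound from 107.77.173.4 is denied either way; only an established session toward that block behaves differently, which is why the deny-any already covers the "someone connecting in" case.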

jessjot

I really don't have anything but the IP addresses which were already reported online. And what was weird is looking at those, in many instances they claimed to know who was hacking them, and they were different people they knew personally (and not this guy at all, who I don't even know).
Anyway, I'm just an old ex-IT guy, and I never knew networking that well. This is not my battle, so nix that contacting me thing. I'm out of it.


deanwebb

No worries. Password changes and keeping your AV solution up to date will be good enough countermeasures.

config t

Quote from: ristau5741 on November 28, 2020, 07:14:17 PM
just change all your passwords, have no further interaction with this person, dump all the social accounts, if you cannot,  call the company, tell them you are being harassed and to delete your account.  you are better off without all those online social accounts anyway.

This.
:matrix:

Please don't mistake my experience for intelligence.