I was looking at the server logs when I detected multiple visitors coming from the HM Customs And Excise HQ Network, the UK government agency in charge of collecting customs duties at the border. I became mistrustful of so many visits from the same government department, using IPs 163.172.209.46, 163.172.145.100, 163.175.5.218 and others in the same range.
The first thing I did was a traceroute, and I found out that 163.172.209.46 was in fact not located in the UK but in France. I then looked at the host name; as you can see in the picture, it reads watchme.tor-exit.network, and at that URL there is a message displayed saying that they are a Tor Exit Router.
Additionally, I researched open data with DuckDuckGo and I uncovered a customer of a VPN company complaining in a blog that his OpenVPN French node was being identified on the Internet as belonging to UK Customs and Excise. Furthermore, I have discovered numerous warez and porn websites like Yellowasians identifying themselves as being hosted by Her Majesty Customs and Excise HQ.
What happened here? I suspect the network administrator entered HM Customs and Excise HQ as the IP owner when in reality their hosting company is Online.net, a subsidiary of the Iliad Group, a French company renting dedicated servers in France, also being marketed as Dedibox.
Likely they are doing this to avoid being blocked. Many data centers out there block Tor exit nodes, and this way it makes them harder to spot: the hostname is not always labelled, and you would need a traceroute to know this is not a UK IP. Another benefit is that with this French IP you should be able to watch online TV restricted to UK viewers, like the BBC iPlayer, but malicious bots can also use the craft to gather information before a hacking attack or spam.
I don’t know if it is legal to impersonate a government agency in the IP; that is for lawyers to say, and it will likely differ from country to country. I am only posting the information to help out other webmasters seeing multiple visits from the UK government to their site. No, they are not monitoring you; it is a fake ID.
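The hostname check described in the post, as an added example that is not the author's code: it counts requests per IP in an access log and classifies each address by its reverse-DNS name rather than by the registry owner label. The log lines and the PTR table are constructed so it runs offline; the `resolve` parameter is a hypothetical hook where a wrapper around a live lookup such as `socket.gethostbyaddr` could be passed for real logs.

```python
import re
from collections import Counter

# Constructed access-log lines; the 163.172.x.x addresses are the ones named on this page.
SAMPLE_LOG = """\
163.172.209.46 - - [01/Jan/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
163.172.209.46 - - [01/Jan/2017:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048
163.172.33.86 - - [01/Jan/2017:10:00:04 +0000] "GET /contact HTTP/1.1" 404 310
163.172.145.100 - - [01/Jan/2017:10:00:09 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2017:10:00:12 +0000] "GET / HTTP/1.1" 200 5120
"""

# Stand-in for reverse-DNS answers. The first two hostnames are quoted on this
# page; the last two entries are constructed for the example.
SAMPLE_PTR = {
    "163.172.209.46": "watchme.tor-exit.network",
    "163.172.33.86": "163-172-33-86.rev.poneytelecom.eu",
    "163.172.145.100": None,             # constructed: no PTR record
    "203.0.113.7": "host7.isp.example",  # constructed: documentation range
}

# Hostname patterns built from the names seen on this page.
PATTERNS = [
    (re.compile(r"(^|[.-])tor-exit([.-]|$)"), "tor-exit"),
    (re.compile(r"\.poneytelecom\.eu$"), "non-residential"),
]

def classify(hostname):
    """Label a PTR hostname; the registry owner text plays no part."""
    if not hostname:
        return "no-ptr"
    name = hostname.lower().rstrip(".")
    for pattern, label in PATTERNS:
        if pattern.search(name):
            return label
    return "unclassified"

def summarize(log_text, resolve=SAMPLE_PTR.get):
    """Return {ip: (request_count, label)} for every client IP in the log."""
    hits = Counter(line.split()[0] for line in log_text.splitlines() if line.strip())
    return {ip: (count, classify(resolve(ip))) for ip, count in hits.items()}

if __name__ == "__main__":
    for ip, (count, label) in summarize(SAMPLE_LOG).items():
        print(f"{ip:<16} {count:>3} requests  {label}")
```

An address that comes back as `no-ptr` is the case the post mentions where the hostname is not labelled, so it needs the traceroute or another check before any conclusion is drawn.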
Similar situation
163-172-33-86.rev.poneytelecom.eu also encountered and appears to be a full scan bot.
hacker10
Hello,
I have seen the IP poneytelecom.eu at some VPN servers; this is definitely not a residential home.