Tag Archive for: Proxy

No SOCKS, No Shoes, No Malware Proxy Services! – Krebs on Security


With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.

The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.

“Everybody is looking for an alternative, bro,” wrote a BlackHatForums user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911[.]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911[.]re.”

NEW SOCKS, SAME OLD SHOES

Among the more frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been in existence since at least 2010. Here’s what part of their current homepage looks like:

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the…


International Law Enforcement Partnership Takes Down Russian Botnet; Illicit Proxy Service Had Been Selling Hacked IP Addresses


The US Department of Justice (DOJ), in partnership with law enforcement agencies from several European countries, has taken down a major Russian botnet that had compromised millions of devices worldwide. The botnet was essentially functioning as an underground proxy service provider for criminals, allowing for rental of the IP addresses attached to its collection of hacked IoT devices, Android phones and computers.

Russian botnet rented access to thousands of proxies for as little as $30 per day

RSOCKS is a Russian botnet that has been active since at least 2014, the first point at which its handlers began to advertise it openly on underground forums in the country. Over the years the botnet has amassed millions of devices in its collection, first focusing on compromising poorly secured Internet of Things (IoT) devices but soon moving on to include Android phones/tablets and even computers.

Illicit actors rented access to RSOCKS as a proxy service, primarily for the purpose of brute force / password guessing login campaigns, disguising the sources of traffic for phishing campaigns, and distributed denial of service (DDoS) attacks. This was as simple as accessing a dark web storefront that allowed rental of varying amounts of proxies by the day, ranging in price from $30 for 2,000 to $200 for 90,000.

Tom Garrubba (Risk, Cyber, and Privacy Executive, Shared Assessments) expands on the risk that these bogus proxy services present, and why takedowns of botnets on the scale of RSOCKS are a major cybersecurity win: “It is great to see that law enforcement is making progress towards taking down these large botnets as of late. Botnets are so dangerous because they control large swaths of vulnerable computer systems at a scale unlike any other attack. Those infected computer pools can then be pointed at legitimate resources and cause havoc. Botnets can perform very disruptive attacks like Distributed Denial of Service or large-scale vulnerability exploitation to sell to initial access brokers who will later lend that access to ransomware gangs.”

There are legitimate proxy services in the world, but they cut off customers for engaging in the sort of cyber criminal…


Meet the Administrators of the RSOCKS Proxy Botnet – Krebs on Security


Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “RSOCKS” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top spam forum.

The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.

According to a statement by the U.S. Department of Justice, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:

“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”

The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.

The user “RSOCKS” on the Russian crime forum Verified changed his name to RSOCKS from a previous handle: “Stanx,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.

Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.

“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”

A Google-translated version of the Rusdot spam…


Hacking groups launching ‘cyber proxy war’ over Ukraine attacks by Russia

Russia’s unprovoked invasion of Ukraine is leading hacking groups worldwide to increase their activities — in some cases to support a side, or possibly just to capitalize on the chaos.

Since the invasion of Ukraine earlier this week, the Anonymous hacker collective, the Conti ransomware gang and a threat actor in Belarus are among those that appear to have gotten more active — or at least expressed intentions to be. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning Thursday about a growing threat from an Iranian advanced persistent threat (APT) actor.

During the Cold War, “the superpowers fought many small wars by proxy,” said Sam Curry, CSO at Cybereason. “Today, we can expect a cyber proxy war to emerge.”

Anonymous

Anonymous has declared itself aligned with “Western allies” and said it would only target operations in Russia. The group has posted a number of claims on Twitter.

“The Anonymous collective is officially in cyber war against the Russian government,” the group tweeted.

On Thursday, Anonymous claimed on Twitter that it brought down numerous websites associated with the Russian government. Those included a state news site, RT News, which reportedly confirmed that it had experienced a distributed denial-of-service (DDoS) attack.

Calling the news site “propaganda,” Anonymous said the DDoS attack was carried out “in response to Kremlin’s brutal invasion of #Ukraine.”

Then on Friday, Anonymous tweeted that it has “successfully breached and leaked the database of the Russian Ministry of Defence website,” and claimed to have posted “all private data of the Russian MOD.” (The tweet was subsequently taken down because it “violated the Twitter Rules,” the site says.)

The group had earlier tweeted a video, featuring its signature Guy Fawkes-masked figure, saying that “if tensions continue to worsen in Ukraine, then we can take hostage industrial control systems.”

The involvement of Anonymous is not a surprise, since the group is “well-known for having a…
