No SOCKS, No Shoes, No Malware Proxy Services! – Krebs on Security

2022-08-08 08:49:06 By : Ms. Tina STW

With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.

The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.

“Everybody is looking for an alternative, bro,” wrote a BlackHatForums user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911[.]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911[.]re.”

Among the more frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been in existence since at least 2010.

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:

“Due to unusual high demand, and heavy load on our servers, we had to block all new registrations. We won’t be able to support our proxies otherwise, and close SocksEscort as a result. We will resume registrations right after demand drops. Thank you for understanding, and sorry for the inconvenience.”

According to Spur.us, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay.

Spur says SocksEscort’s proxy service relies on software designed to run on Windows computers, and is currently leasing access to more than 14,000 hacked computers worldwide. That is a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.

SocksEscort is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.
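For defenders who want to recognize this protocol in a packet capture, the following added example (not part of the original article) parses the client side of a SOCKS5 session and extracts the destination the client asked the proxy to reach. It goes beyond the article's high-level description by using the message layout from RFC 1928; the sample bytes are constructed, and the function names are illustrative.

```python
import ipaddress
import struct

# Field values from RFC 1928 (SOCKS5).
METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "user/pass"}
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP-ASSOCIATE"}

def parse_greeting(buf: bytes):
    """Parse VER | NMETHODS | METHODS. Returns (methods, bytes_used) or None."""
    if len(buf) < 2 or buf[0] != 0x05:
        return None
    n = buf[1]
    if n == 0 or len(buf) < 2 + n:
        return None
    return [METHODS.get(m, hex(m)) for m in buf[2:2 + n]], 2 + n

def parse_request(buf: bytes):
    """Parse VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. Returns dict or None."""
    if len(buf) < 4 or buf[0] != 0x05 or buf[2] != 0x00 or buf[1] not in COMMANDS:
        return None
    atyp, pos = buf[3], 4
    if atyp == 0x01:                      # IPv4 address, 4 bytes
        alen = 4
    elif atyp == 0x04:                    # IPv6 address, 16 bytes
        alen = 16
    elif atyp == 0x03 and len(buf) > 4:   # domain name, length-prefixed
        alen, pos = buf[4], 5
    else:
        return None
    if len(buf) < pos + alen + 2:         # truncated capture
        return None
    raw = buf[pos:pos + alen]
    host = raw.decode("ascii", "replace") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", buf[pos + alen:pos + alen + 2])
    return {"cmd": COMMANDS[buf[1]], "host": host, "port": port}

def inspect_client_stream(buf: bytes):
    """Client-to-proxy bytes of a no-auth session: greeting, then request."""
    greeting = parse_greeting(buf)
    if greeting is None:
        return None                       # does not start like SOCKS5
    methods, used = greeting
    return {"methods": methods, "request": parse_request(buf[used:])}

# Constructed sample: greeting offering no-auth, then CONNECT example.com:443.
SAMPLE_STREAM = b"\x05\x01\x00" + b"\x05\x01\x00\x03\x0bexample.com" + struct.pack("!H", 443)

if __name__ == "__main__":
    print(inspect_client_stream(SAMPLE_STREAM))
```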

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source.

The disruption at 911[.]re came days after KrebsOnSecurity published an in-depth look at the long-running proxy service, which showed that 911 had a history of incentivizing the installation of its proxy software without user notice or consent, and that it actually ran some of these “pay-per-install” schemes on its own to guarantee a steady supply of freshly-hacked PCs.

More on SocksEscort in an upcoming story.

July 29, 2022: 911 Proxy Service Implodes After Disclosing Breach

July 28, 2022: Breach Exposes Users of Microleaves Proxy Service

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’

June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet

June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet

Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark

This entry was posted on Tuesday 2nd of August 2022 03:31 PM

Oh the puns. Keep them coming, they’re great.

Honestly… giving it away in the open.

Honestly… giving it away in the open. Brian just gives away free puns. The more the merrier.

Celebrating a super minor nothing pun in a headline and playing imposter again? It’s no wonder you want to be other people JJ. If this is your best life I feel for you.

Not just the headline, those puns are everywhere in the article. Did you even read?

People who fawn over minor puns need to get out more. Yes it’s a witty writing style, no it’s not worth orgasm.

I don’t get what you’re talking about. Is this code for something?

So these miscreants will have a hard time proxies to hide their malware. Damn shame that.

Brian, I seriously hope you have some kind of personal security – an agency, whatever – for yourself and your family. The scum of the planet, as you well know, do not play nice.

Meanwhile, the rest of us deeply appreciate your work.

He’ll just kill ’em with kindness one by one as per usual. If that fails ninja training kicks in. People think all those gnomes in the yard are decorative. If only they knew. He never sleeps.

Celebrating a super minor nothing in a headline and playing imposter again? It’s no wonder you want to be other people. If this is your best life I feel for you.

Brian, I sincerely hope you have some kind of serious security for yourself and your family – the folks behind this do not play nice.

Meanwhile, the rest of us deeply appreciate your work.

Does this *really* only apply to malware proxies?

What are all the AdTech fraudsters to do now?
