911 proxy service implodes after breach is disclosed – Krebs on Security

The 911 service was in existence until July 28, 2022.

911[.]re, a proxy service that has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it was shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt shutdown comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.

911[.]re was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for their Internet communications, providing anonymity and the advantage of being treated as a residential user on the Web.

Residential proxy services are often marketed to people wanting the ability to avoid country-specific blocking by major movie and media streaming providers. But some of them – like 911 – build their networks by offering “free VPN” or “free proxy” services that are powered by software that turns a user’s PC into a traffic relay for other users. In this scenario, users do get access to a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to conduct online transactions.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service subscriber. These services can be used legitimately for many business purposes – such as price comparison or sales intelligence – but they are extensively misused to hide cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

As mentioned in KrebsOnSecurity’s July 19 story on 911, the proxy service operated a number of pay-per-install schemes that paid affiliates to covertly bundle proxy software with other software, generating a steady stream of new proxies for the service.

Cached copy of flashupdate[.]net circa 2016, indicating that it was the homepage of a pay-per-install affiliate program that encouraged silent installation of 911’s proxy software.

Within hours of that story, 911 posted a notice at the top of its site, saying, “We are reviewing our network and adding a series of security measures to prevent abuse of our services. Proxy balance top-up and new user registration are closed. We are reviewing each existing user to ensure their use is legitimate and [in] compliance with our Terms of Service.”

After this announcement, all hell broke loose on various cybercrime forums, where many longtime 911 customers reported that they were unable to access the service. Others affected by the outage said it appeared that 911 was trying to enforce some sort of “know your customer” rules – perhaps in an attempt to weed out those customers using the service for high amounts of cybercriminal activity.

Then on July 28, the 911 website began redirecting to a notice saying, “We regret to inform you that we permanently closed 911 and all of its services on July 28.”

According to 911, the service was hacked in early July, and it was discovered that someone had manipulated the balances of a large number of user accounts. 911 said the intruders misused an application programming interface (API) that handles the topping up of accounts when users make financial deposits with the service.

“Not sure how hacker got in,” the 911 message reads. “Therefore, we closed the instant recharge system, new user registration and started an investigation.”

911’s farewell message to its users, posted on the homepage on July 28, 2022.

However the intruders got in, 911 said, they also managed to overwrite critical 911[.]re servers, data and backups of that data.

“On July 28, a large number of users reported that they could not log into the system,” the statement continues. “We found that the data on the server was maliciously damaged by the hacker, resulting in the loss of data and backups. Its [sic] confirmed that the recharge system was also hacked in the same way. We were forced to make this difficult decision due to the loss of critical data that made the service inaccessible.”

Largely operating out of China, 911 was a hugely popular service in many cybercrime forums, and it became something of a critical infrastructure for this community after 911’s two longtime competitors – the malware-based proxy services VIP72 and LuxSocks – closed their doors in the past year.

Now, many people on crime forums who relied on 911 for their operations are wondering aloud whether there is an alternative that matches the scale and usefulness of what 911 offered. The consensus seems to be a resounding “no.”

I think we may soon learn more about the security incidents that led to 911’s implosion. And perhaps other proxy services will emerge to meet the growing demand for such services at a time of relatively short supply.

Meanwhile, the absence of 911 may coincide with a measurable (if only short-term) increase in unwanted traffic to top Internet destinations, including banks, retailers and cryptocurrency platforms, as many former customers of the proxy service scramble to make alternative arrangements.

Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said that 911’s network would be difficult to replicate in the short term.

“I speculate [911’s remaining competitors] are going to get a big boost in the short term, but a new player will eventually come along,” Kilmer said. “None of them are a good replacement for LuxSocks or 911. However, they will all allow anyone to use them. For fraud rates, efforts will continue but through these replacement services, which should be easier to monitor and prevent. 911 had some very neat IP addresses.”

911 wasn’t the only major proxy provider to uncover a breach involving unauthorized APIs this week: on July 28, KrebsOnSecurity reported that an internal API exposed to the web had leaked the customer database for Microleaves, a proxy service that rotates the IP addresses of its customers every five to ten minutes. That investigation showed that Microleaves – like 911 – had a long history of using pay-per-install schemes to spread its proxy software.
