911 Proxy Service Implodes After Disclosing Breach – Krebs on Security

The 911 service as it existed until July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it would be shutting down following a data breach that destroyed key components of its business operations. The sudden shutdown comes ten days after KrebsOnSecurity posted an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911 proxy software with other titles, including “free” utilities and pirated software.

911[.]re was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for their Internet communications, providing anonymity and the advantage of being perceived as a residential user browsing the web.

Residential proxy services are often marketed to people looking to circumvent country-specific blocking by major movie and media streaming providers. But some of them, like 911, build their networks in part by offering “free VPN” or “free proxy” services powered by software that turns the user’s PC into a traffic relay for other users. In this scenario, users do get a working free VPN service, but are often unaware that it also turns their computer into a proxy that lets others use their Internet address to transact online.

From a website’s perspective, the traffic of a user on a residential proxy network appears to be coming from the rented residential IP address, not from the proxy service customer. These services can be used legitimately for a variety of business purposes, such as price comparison or sales intelligence, but they are heavily abused to hide cybercrime activity because they make it difficult to trace malicious traffic back to its original source.

As noted in KrebsOnSecurity’s July 19 story about 911, the proxy service ran multiple pay-per-install schemes that paid affiliates to covertly bundle the proxy software with other software, continually generating a steady stream of new proxies for the service.

A cached copy of flashupdate[.]net around 2016, showing that it was the homepage of a pay-per-install affiliate program that incentivized the silent installation of 911 proxy software.

Within hours of that story, 911 posted a notice at the top of its site, saying, “We are reviewing our network and adding a number of security measures to prevent misuse of our services. Proxy balance top-up and new user registration are closed. We are reviewing every existing user to ensure that their use is legitimate and [in] compliance with our Terms of Service.”

With this announcement, all hell broke loose on various cybercrime forums, where many long-time 911 customers reported that they were unable to use the service. Others affected by the outage said it appeared that 911 was trying to implement some sort of “know your customer” rules, and that perhaps 911 was just trying to weed out those customers who used the service for high volumes of cybercriminal activity.

Then, on July 28, the 911 website began redirecting to an alert that said, “We are sorry to inform you that we permanently closed 911 and all its services on July 28.”

According to 911, the service was hacked in early July and someone was found to have manipulated the balances of a large number of user accounts. 911 claimed that the intruders abused an application programming interface (API) that manages the top-up of accounts when users make financial deposits with the service.

“I’m not sure how the hacker got in,” reads the 911 message. “Therefore, we urgently shut down the charging system, new user registration, and started an investigation.”
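To make this failure mode concrete, here is an added illustration (not 911’s code; every name and value is constructed) of a deposit top-up handler that trusts client input, beside a hardened version that authenticates the caller, takes the amount from the payment processor’s own record rather than the request, and credits each deposit only once:

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a payment-processor ledger and a session store.
PAYMENTS = {"dep-001": {"user": "alice", "amount": 50.0}}  # deposits the processor confirmed
SESSIONS = {"tok-alice": "alice"}                           # valid session tokens -> user


@dataclass
class Accounts:
    balances: dict = field(default_factory=lambda: {"alice": 0.0, "bob": 0.0})
    applied: set = field(default_factory=set)  # deposit ids already credited

    def topup_vulnerable(self, user: str, amount: float) -> float:
        # Weak pattern: no authentication, and the credited amount comes straight
        # from the request body, so any caller can inflate any account's balance.
        self.balances[user] += amount
        return self.balances[user]

    def topup_hardened(self, token: str, deposit_id: str) -> float:
        # 1. The caller must present a valid session; the user is derived from it,
        #    never supplied by the client.
        user = SESSIONS.get(token)
        if user is None:
            raise PermissionError("unauthenticated")
        # 2. The amount is read from the processor's record of the deposit, and the
        #    deposit must belong to the authenticated user.
        rec = PAYMENTS.get(deposit_id)
        if rec is None or rec["user"] != user:
            raise ValueError("unknown or foreign deposit")
        # 3. Idempotency: replaying the same deposit id cannot credit it twice.
        if deposit_id in self.applied:
            raise ValueError("deposit already credited")
        self.applied.add(deposit_id)
        self.balances[user] += rec["amount"]
        return self.balances[user]
```

Auditing the `applied` set (or its equivalent in a real ledger) against the processor’s records is also the quickest way to spot balances that were credited without a matching deposit.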

The 911 farewell message to its users, posted on the home page on July 28, 2022.

However the intruders got in, 911 said, they also managed to overwrite critical 911[.]re server data and the backups of that data.

“On July 28, a large number of users reported that they could not access the system,” the statement continues. “We found that the data on the server was maliciously damaged by the hacker, resulting in loss of data and backups. His [sic] confirmed that the charging system was also hacked in the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable.”

Operated largely out of China, 911 was a hugely popular service on many cybercrime forums, and it became something of a critical infrastructure for this community after two of 911’s longtime competitors, the malware-based proxy services VIP72 and LuxSocks, closed their doors last year.

Now, many on crime forums who relied on 911 for their operations are wondering aloud whether there are alternatives that match the scale and usefulness 911 offered. The consensus seems to be a resounding “no.”

I imagine we may soon learn more about the security incidents that caused 911 to implode. And perhaps other proxy services will arise to meet what currently appears to be a burgeoning demand for such services, with relatively little supply.

Meanwhile, the absence of 911 could coincide with a measurable (albeit short-lived) lull in unwanted traffic to major Internet destinations, including banks, retailers, and cryptocurrency platforms, as many former customers of the proxy service rush to make alternative arrangements.

Riley Kilmer, co-founder of the Spur.us proxy tracking service, said the 911 network will be difficult to replicate in the short term.

“My speculation is [911’s remaining competitors] will get a major boost in the short term, but eventually a new player will arrive,” said Kilmer. “None of these are a good replacement for LuxSocks or 911. However, they will all allow anyone to use them. For the fraud rates, the attempts will continue but through these replacement services they should be easier to monitor and stop. 911 had very clean IP addresses.”

911 wasn’t the only major proxy provider to reveal a breach this week related to unauthenticated APIs: On July 28, KrebsOnSecurity reported that internal web-exposed APIs had leaked the customer database of Microleaves, a proxy service that rotates its customers’ IP addresses every five to ten minutes. That investigation showed that Microleaves, like 911, had a long history of using pay-per-install schemes to spread its proxy software.
