911 Proxy Service Implodes After Disclosing Breach – Krebs on Security

The 911 service as it existed until July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it will be shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt shutdown comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911 proxy software with other titles, including “free” utilities and pirated software.

911[.]re was one of the original “residential proxy” networks, allowing someone to rent a residential IP address to use as a relay for their Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

Residential proxy services are often marketed to people looking for the ability to bypass country-specific blocking by major movie and media streaming providers. But some of them, like 911, build their networks in part by offering “free VPN” or “free proxy” services that run software that turns a user’s PC into a traffic relay for other users. In this scenario, users can actually use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that allows others to use their Internet address for online transactions.

From a website’s perspective, a residential proxy network user’s IP traffic appears to originate from the leased residential IP address, not from the proxy service customer. These services can be used legitimately for various business purposes, such as price comparisons or sales intelligence, but are widely abused to hide cybercrime activity because they can make it difficult to trace malicious traffic back to its original source.

As noted in KrebsOnSecurity’s July 19 story on 911, the proxy service operated multiple pay-per-install schemes that paid affiliates to surreptitiously bundle proxy software with other software, continually generating a steady stream of new proxies for the service.

A cached copy of flashupdate[.]net around 2016, showing that it was the homepage of a pay-per-install affiliate program that incentivized silent installation of 911 proxy software.

Within hours of that story, 911 posted a notice at the top of its site that read, “We are reviewing our network and adding a number of security measures to prevent misuse of our services. Proxy balance top-up and new user registration are closed. We are reviewing all existing users to ensure their use is legitimate and [in] compliance with our Terms of Service.”

At this announcement, all hell broke loose on various cybercrime forums, with many former 911 customers reporting that they were unable to use the service. Others affected by the outage said it appeared that 911 was trying to implement some sort of “know your customer” rules, and that perhaps 911 was just trying to weed out customers who use the service for high volumes of cybercriminal activity.

Then, on July 28, the 911 website began redirecting to a notice that read, “We regret to inform you that we are permanently closing 911 and all of its services on July 28.”

According to 911, the service was hacked in early July and someone was found to have tampered with the balances of a large number of user accounts. 911 said the intruders abused an application programming interface (API) that handles account top-up when users make financial deposits with the service.

“I’m not sure how the hacker got in,” the 911 message says. “Therefore, we urgently shut down the top-up system, new user registration, and an investigation has been launched.”

911’s farewell message to its users, posted on the home page on July 28, 2022.

However the intruders broke in, 911 said, they also managed to overwrite critical 911[.]re servers, data, and backups of that data.

“On July 28, a large number of users reported that they were unable to log into the system,” the statement continues. “We discovered that the hacker maliciously damaged the data on the server, resulting in loss of data and backups. Their [sic] confirmed that the reloading system was also hacked in the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable.”

Operated largely out of China, 911 was a hugely popular service in many cybercrime forums, becoming something of a critical infrastructure for this community after two of 911’s long-standing competitors, the malware-based proxy services VIP72 and LuxSocks, closed their doors last year.

Now, many on crime forums who have relied on 911 for their operations are wondering aloud if there is an alternative that matches the scale and utility that 911 offers. The consensus seems to be a resounding “no.”

I guess we’ll soon learn more about the security incidents that caused 911 to implode. And perhaps other proxy services will emerge to meet what seems to be a growing demand for such services right now, with comparatively little supply.

Meanwhile, the absence of 911 may coincide with a measurable (albeit short-lived) relief in unwanted traffic to major Internet destinations, including banks, retailers, and cryptocurrency platforms, as many former customers of the proxy service rush to make alternative arrangements.

Riley Kilmer, co-founder of the proxy tracking service Spur.us, said the 911 network will be difficult to replicate in the short term.

“My speculation is [911’s remaining competitors] are going to get a big boost in the short term, but eventually a new player will come along,” Kilmer said. “None of those are good replacements for LuxSocks or 911. All of them will allow anyone to use them though. For fraud rates, the attempts will continue but through these replacement services which should be easier to monitor and stop. 911 had some very clean IP addresses.”
