Proxy 911 service implodes after breach disclosure – Krebs on Security


The 911 service as it existed until July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of MicrosoftWindows computers daily, announced this week that it was closing its doors following a data breach that destroyed key components of its business operations. The abrupt shutdown comes ten days after KrebsOnSecurity published an in-depth review of 911 and its links to shady pay-per-install affiliate programs that secretly bundled 911 proxy software with other titles, including utilities.” free” and pirated software.

911[.]re is was one of the first “home proxy” networks, which allows someone to rent a residential IP address to use as a relay for their Internet communications, offering anonymity and the benefit of being seen as a residential user surfing the web.

Residential proxy services are often marketed to people looking to evade country-specific blocking by major movie and streaming media providers. But some of them, like 911, build their networks in part by offering “free VPN” or “free proxy” services powered by software that turns the user’s PC into a traffic relay for others. users. In this scenario, users can indeed use a free VPN service, but they are often unaware that this will turn their computer into a proxy allowing others to use their Internet address to conduct online transactions.

From a website’s perspective, a residential proxy network user’s IP traffic appears to originate from the leased residential IP address, not from the proxy service customer. These services can be used legitimately for several commercial purposes – such as price comparisons or market intelligence – but they are heavily used to conceal cybercrime activities, as they can make it difficult to trace malicious traffic back to its end. original source.

As noted in KrebsOnSecurity’s July 19 article on 911, the proxy service operated several pay-per-install programs that paid affiliates to surreptitiously bundle proxy software with other software, constantly generating a steady stream of new proxies. for the service.

A cached copy of flashupdate[.]net around 2016, which shows that it was the homepage of a pay-per-install affiliate program that incentivized the silent installation of 911 proxy software.

Hours after this story, 911 posted a notice at the top of its site, saying, “We are reviewing our network and adding a series of security measures to prevent misuse of our services. Refilling proxy balance and registering new users are closed. We review every existing user, to make sure their use is legitimate and [in] compliance with our terms of use. »

During this announcement, all hell broke loose on various cybercrime forums, where many long-time 911 customers reported that they were unable to use the service. Others affected by the outage said it appeared 911 was trying to implement some sort of “know your customer” rules – that perhaps 911 was simply trying to weed out customers using the service to high volumes of cybercriminal activity.

Then, on July 28, the 911 website began redirecting to a notice saying, “We regret to inform you that we have permanently closed 911 and all of its services on July 28.

According to 911, the service was hacked in early July and it was discovered that someone had manipulated the balances of a large number of user accounts. 911 said the intruders abused an application programming interface (API) that handles recharging accounts when users make financial deposits with the service.

“I don’t know how the hacker got in,” the 911 message reads. “Therefore, we have urgently shut down the charging system, registration of new users and an investigation has begun.”

911’s farewell message to its users, posted on the homepage on July 28, 2022.

However, the intruders entered, said 911, they also managed to crush the critical 911[.]servers, data and backups of such data.

“On July 28, a large number of users reported that they could not log into the system,” the statement continued. “We found that the data on the server had been maliciously damaged by the hacker, resulting in the loss of data and backups. His [sic] confirmed that the charging system was also hacked in the same way. We were forced to make this difficult decision due to the loss of important data that rendered the service unrecoverable.

Operated largely from China, 911 was an extremely popular service on many cybercrime forums, and it became something akin to critical infrastructure for that community after two of 911’s longtime competitors – malware-based proxy services VIP72 and LuxSocks – have closed in the past year.

Now, many crime forums that have relied on 911 for their operations are wondering aloud if there are alternatives that match the scale and usefulness offered by 911. The consensus seems to be a resounding “no”.

I suppose we may soon learn more about the security incidents that caused 911 to implode. And perhaps other proxy services will emerge to meet what seems to be a growing demand for such services in time, with relatively low supply.

In the meantime, the absence of 911 may coincide with a measurable (if only short-lived) reprieve of unwanted traffic to major Internet destinations, including banks, retailers, and cryptocurrency platforms, as many former proxy service customers are scrambling to make other arrangements.

Riley Kilmerco-founder of the proxy-tracking service Spur.ussaid the 911 network will be difficult to replicate in the short term.

“My speculation is [911’s remaining competitors] are going to get a major short-term boost, but eventually a new player will come,” Kilmer said. “None of these are good replacements for LuxSocks or 911. However, they will all allow anyone to use them. For fraud rates, attempts will continue but through these replacement services which should be easier to monitor and stop 911 had very clean IP addresses.

911 wasn’t the only major proxy provider to disclose an unauthenticated API breach this week: On July 28, KrebsOnSecurity reported that internal APIs exposed on the web leaked Microleaves’ customer database. , a proxy service that rotates the IP addresses of its clients. every five to ten minutes. This investigation showed that Microleaves – like 911 – had a long history of using pay-per-install systems to distribute its proxy software.


Comments are closed.