911 Proxy Service Implodes After Disclosure of Breach – Krebs on Security

911 service as it existed until July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is closing in the wake of a data breach that destroyed key components of its business operations. The abrupt shutdown comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” tools and pirated software.

911[.]re was one of the original “residential proxy” networks, which let a customer rent a residential IP address as a relay for their internet traffic, providing anonymity and the benefit of appearing to be an ordinary home user browsing the web.

Residential proxy services are often marketed to people seeking the ability to avoid country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services powered by software that turns the user’s PC into a traffic relay for other users. In this scenario, users actually get to use a free VPN service, but they are often unaware that it will turn their computer into a proxy that allows others to use their Internet address to shop online.

From a website’s perspective, the IP traffic of a home proxy network user appears to originate from the leased IP address, not from the proxy service customer. These services can be used legitimately for several business purposes – such as price comparisons or sales information – but they are massively misused to hide cybercrime because they can make it difficult to trace malicious traffic to its original source.
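Because the traffic really does arrive from a leased home address, a single blocklist match is a weak signal on its own; what distinguishes proxy-network abuse is one account or session moving across many unrelated residential addresses in a short window. The following is an added example, not code from the article or from any proxy-tracking vendor, showing that check over a constructed login log. The “proxy ranges” are RFC 5737 / RFC 3849 documentation ranges standing in for a real residential-proxy feed (Spur.us, mentioned later in the article, publishes such data); the log lines, accounts and thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical residential-proxy ranges: documentation prefixes standing in
# for what a threat-intel feed would supply. Not real proxy-network ranges.
PROXY_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",
    "198.51.100.0/25",
    "2001:db8:1::/48",
)]

# Constructed sample login log: timestamp, account, client IP, outcome.
SAMPLE_LOG = """\
2022-07-27T10:00:01Z alice 203.0.113.10 login_ok
2022-07-27T10:00:09Z alice 203.0.113.77 login_ok
2022-07-27T10:00:15Z alice 198.51.100.5 login_ok
2022-07-27T10:00:40Z alice 2001:db8:1::9 login_ok
2022-07-27T10:05:00Z bob 192.0.2.44 login_ok
2022-07-27T10:06:00Z bob 192.0.2.44 login_ok
2022-07-27T11:30:00Z carol 203.0.113.200 login_ok
"""


def is_proxy_ip(ip_str):
    """True if the address falls inside any known residential-proxy range.
    ipaddress never matches a v4 address against a v6 network or vice versa."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in PROXY_RANGES)


def parse_log(text):
    """Parse the whitespace-separated constructed log into tuples."""
    events = []
    for line in text.splitlines():
        ts, account, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       account, ip, outcome))
    return events


def flag_proxy_hopping(events, window=timedelta(minutes=10), min_distinct=3):
    """Return {account: set_of_proxy_ips} for every account that logged in
    successfully from at least `min_distinct` different proxy-network IPs
    inside any sliding `window`. A single proxy hit is not enough to flag;
    the signal is the hopping between unrelated residential addresses."""
    by_account = defaultdict(list)
    for ts, account, ip, outcome in sorted(events):
        if outcome == "login_ok" and is_proxy_ip(ip):
            by_account[account].append((ts, ip))

    flagged = {}
    for account, hits in by_account.items():
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= min_distinct:
                flagged[account] = ips
                break
    return flagged


if __name__ == "__main__":
    for account, ips in flag_proxy_hopping(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {len(ips)} distinct proxy IPs in window: {sorted(ips)}")
```

In the constructed log, `alice` hops across four proxy-range addresses within a minute and is flagged; `bob` comes from a non-proxy address and `carol` touches only one proxy address, so neither is. In production the range list would come from a feed, and the threshold would be tuned against the site’s own baseline of legitimate users behind carrier-grade NAT, who also change addresses but not across unrelated networks this quickly.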

As noted in KrebsOnSecurity’s July 19 story on 911, the proxy service operated several pay-per-install schemes that paid affiliates to covertly bundle the proxy software with other software, continuously generating a steady stream of new proxies for the service.

A cached copy of flashupdate[.]net circa 2016, showing it was the home page of a pay-per-install affiliate program that encouraged the silent installation of 911’s proxy software.

Within hours of that story, 911 posted a message at the top of its page, saying, “We are reviewing our network and adding a number of security measures to prevent abuse of our services. Topping up authorization balances and new user registration are closed. We are considering all existing users to ensure that their use is legitimate and [in] compliance with our terms of use.”

Upon this announcement, all hell broke loose on various cybercrime forums, with many longtime 911 customers reporting that they were unable to use the service. Others affected by the outage said it seemed like 911 was trying to implement some kind of “know your customer” rules — that maybe 911 was just trying to weed out those customers who were using the service for large amounts of cybercriminal activity.

On July 28, the 911 website began redirecting to a message that said, “We regret to inform you that we permanently shut down 911 and all of its services on July 28.”

According to 911, the service was hacked in early July and it was discovered that someone was manipulating the balances of a large number of user accounts. 911 said the intruders abused an application programming interface (API) that handles topping up accounts when users make financial deposits with the service.

“Not sure how the hacker got in,” the 911 message said. “Therefore, we quickly closed the charging system, new user registration and an investigation started.”

The farewell message from 911 to users, posted on the website on 28 July 2022.

Regardless of how the intruders got in, 911 said, they also managed to overwrite critical 911[.]re servers, data and backup copies of this data.

“On July 28, a large number of users reported that they were unable to log into the system,” the statement continues. “We found that the data on the server was damaged by the hacker, resulting in the loss of data and backups. It is [sic] confirmed that the charging system was also hacked in the same way. We were forced to make this difficult decision due to the loss of important data which meant that service could not be restored.”
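911 never said how its charging API was abused, so nothing here describes its actual flaw. What the statement does establish is the failure class: an endpoint that adjusts account balances was reachable and trusted by attackers. The following added example (not 911’s code, and not a reconstruction of it) shows the general pattern such an endpoint must follow: the insecure handler credits whatever the caller claims, while the hardened handler authenticates the caller with an HMAC over the request body, credits only an amount the payment processor has actually settled, and refuses to apply the same transaction twice. The processor records, the shared secret and the user names are all constructed stand-ins.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the payment processor's record of settled deposits,
# keyed by the processor's own transaction ID. In a real system this is a
# lookup against the processor's API, not a dict.
PROCESSOR_SETTLED = {
    "txn_001": {"user": "alice", "amount_cents": 5000},
    "txn_002": {"user": "bob", "amount_cents": 2000},
}

# Hypothetical secret shared with the processor for signing callbacks.
WEBHOOK_SECRET = b"hypothetical-shared-secret"


def sign(body):
    """HMAC-SHA256 over the raw body, as a processor callback would carry."""
    return hmac.new(WEBHOOK_SECRET, body.encode(), hashlib.sha256).hexdigest()


def make_unsigned_request(body_dict):
    return {"body": json.dumps(body_dict)}


def make_signed_request(body_dict):
    body = json.dumps(body_dict)
    return {"body": body, "signature": sign(body)}


class Ledger:
    def __init__(self):
        self.balances = {}
        self.applied = set()  # transaction IDs already credited

    def _credit(self, user, amount_cents):
        self.balances[user] = self.balances.get(user, 0) + amount_cents

    def topup_insecure(self, request):
        """Weak pattern: no caller authentication, and the user and amount
        come from the request body, so anyone who can reach the endpoint can
        set any balance they like."""
        body = json.loads(request["body"])
        self._credit(body["user"], body["amount_cents"])
        return True

    def topup_secure(self, request):
        """Hardened pattern. Returns True only when a balance was changed."""
        # 1. Authenticate the caller: constant-time check of the body HMAC.
        expected = sign(request["body"])
        if not hmac.compare_digest(expected, request.get("signature", "")):
            return False
        # 2. Credit only what the processor says settled, never the caller's
        #    claimed user or amount.
        body = json.loads(request["body"])
        settled = PROCESSOR_SETTLED.get(body.get("txn_id"))
        if settled is None:
            return False
        # 3. Idempotency: a replayed callback must not credit twice.
        if body["txn_id"] in self.applied:
            return False
        self.applied.add(body["txn_id"])
        self._credit(settled["user"], settled["amount_cents"])
        return True


if __name__ == "__main__":
    weak, hard = Ledger(), Ledger()
    forged = make_unsigned_request({"user": "mallory", "amount_cents": 10**9})
    weak.topup_insecure(forged)
    print("insecure ledger:", weak.balances)
    hard.topup_secure(forged)
    hard.topup_secure(make_signed_request({"txn_id": "txn_001", "amount_cents": 999999}))
    hard.topup_secure(make_signed_request({"txn_id": "txn_001"}))  # replay
    print("hardened ledger:", hard.balances)
```

The point of the hardened version is that the request body carries nothing the ledger trusts except a reference to a settled transaction; the amount, the beneficiary and the right to credit at all are decided by the processor record and the signature, and the `applied` set makes the callback safe to retry. Whichever of these three controls was missing in a given system, the observed effect is the same one 911 described: balances that no longer correspond to deposits.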

Operating primarily from China, 911 was a hugely popular service across many cybercrime forums, and it became something like critical infrastructure for that community after two of 911’s longtime competitors – the malware-based proxy services VIP72 and LuxSocks – closed their doors in the past year.

Now, many in the crime forums that relied on 911 for their operations are wondering aloud if there are any alternatives that match the scope and utility that 911 offered. The consensus seems to be a resounding “no”.

I guess we may soon learn more about the security incidents that caused 911 to implode. And perhaps other proxy services will emerge to meet what appears to be a growing demand for such services at the moment, with relatively little supply.

Meanwhile, 911’s absence may coincide with a measurable (albeit short-lived) reprieve in unwanted traffic to top Internet destinations, including banks, retailers and cryptocurrency platforms, as many former customers of the proxy service try to find alternative arrangements.

Riley Kilmer, co-founder of the proxy tracking service Spur.us, said 911’s network will be difficult to replicate in the short term.

“My speculation is [911’s remaining competitors] are going to get a big boost in the short term, but a new player will eventually come,” said Kilmer. “None of these are good replacements for LuxSocks or 911. However, they will all allow anyone to use them. For fraud rates, attempts will continue, but through these replacement services that should be easier to monitor and stop. 911 had some very clean IP addresses.”

911 wasn’t the only major proxy provider to disclose a breach this week related to unauthenticated APIs: On July 28, KrebsOnSecurity reported that internal APIs exposed to the web had leaked the customer database of Microleaves, a proxy service that rotates customers’ IP addresses every five to ten minutes. That investigation revealed that Microleaves – like 911 – had a long history of using pay-per-install schemes to spread its proxy software.
