A Deep Dive Into the Residential Proxy Service ‘911’ – Krebs on Security


The 911 service as it exists today.

For the past seven years, an online service known as 911 has sold access to hundreds of thousands of Microsoft Windows computers daily, allowing customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. 911 says its network is made up entirely of users who voluntarily install its “free VPN” software. But new research shows the proxy service has a long history of purchasing installations via shady “pay-per-install” affiliate marketing schemes, some of which 911 operated on its own.

911[.]re is one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.
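The two paragraphs above describe how a residential proxy makes a customer’s traffic look like it comes from an ordinary home connection, and why that makes tracing hard. As an added example (not code from the article, the Sherbrooke researchers, or any proxy service), here is a small Python script showing the two signals a site defender can apply to web server logs against this: a threat feed of known proxy-exit address blocks, and a single account that shows up from several unrelated networks within minutes, which is what a proxy customer rotating exits looks like. The feed ranges, account names and log lines are all constructed, and the /16 grouping, the 10-minute window and the threshold of two networks are assumed tuning values.

```python
"""Flag web requests that may be arriving through a residential proxy network.

Added example (not from the article). Two defender-side signals:
  1. the client IP falls in a block listed in a threat feed of known
     residential-proxy exit nodes (the feed below is CONSTRUCTED);
  2. one account is seen from many unrelated networks in a short window,
     the pattern a proxy-service customer produces when rotating exits.
Sample log lines are CONSTRUCTED, in Apache combined format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder feed using documentation ranges; a real deployment
# would load vendor-supplied ranges here instead.
KNOWN_PROXY_BLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, placeholder
    ipaddress.ip_network("198.51.100.0/25"),  # TEST-NET-2, placeholder
]

# Apache combined log format: ip ident user [ts] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: "alice" checks out four times from four unrelated
# networks in seven minutes; "bob" browses from one address.
SAMPLE_LOG = """\
203.0.113.45 - alice [10/Jul/2022:10:01:02 +0000] "POST /checkout HTTP/1.1" 200 512
192.0.2.10 - bob [10/Jul/2022:10:02:15 +0000] "GET /account HTTP/1.1" 200 1024
198.51.100.7 - alice [10/Jul/2022:10:03:40 +0000] "POST /checkout HTTP/1.1" 200 512
192.0.2.10 - bob [10/Jul/2022:10:05:00 +0000] "GET /orders HTTP/1.1" 200 2048
100.64.3.9 - alice [10/Jul/2022:10:06:11 +0000] "POST /checkout HTTP/1.1" 200 512
172.16.8.22 - alice [10/Jul/2022:10:07:59 +0000] "POST /checkout HTTP/1.1" 200 512
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ip"] = ipaddress.ip_address(ev["ip"])
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        events.append(ev)
    return events


def in_proxy_feed(ip):
    """True if the address lies in any listed proxy-exit block."""
    return any(ip in net for net in KNOWN_PROXY_BLOCKS)


def flag_feed_hits(events):
    """Signal 1: requests whose source address is a listed proxy exit."""
    return [ev for ev in events if in_proxy_feed(ev["ip"])]


def flag_network_hopping(events, window=timedelta(minutes=10), max_prefixes=2):
    """Signal 2: accounts seen from more than `max_prefixes` distinct /16 (IPv4)
    or /32 (IPv6) prefixes inside any sliding window of length `window`.
    Returns {user: number_of_distinct_prefixes} for flagged accounts."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["user"] != "-":          # skip unauthenticated requests
            by_user[ev["user"]].append(ev)
    hopping = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            prefixes = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                bits = 16 if ev["ip"].version == 4 else 32
                prefixes.add(ipaddress.ip_network(f"{ev['ip']}/{bits}", strict=False))
            if len(prefixes) > max_prefixes:
                hopping[user] = len(prefixes)
                break
    return hopping


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in flag_feed_hits(evs):
        print(f"feed hit: {ev['ip']} user={ev['user']} {ev['req']}")
    for user, n in flag_network_hopping(evs).items():
        print(f"network hopping: {user} seen from {n} distinct /16s within 10 min")
```

Neither signal is proof on its own: a feed is only as current as its vendor, and a legitimate user on a mobile carrier can change networks too. Together with the request type (here, repeated checkouts) they give a fraud or abuse team a reason to step up verification rather than block outright.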

The current prices for 911’s proxies.

Researchers at the University of Sherbrooke in Canada recently published an analysis of 911, and found there were roughly 120,000 PCs for rent via the service, with the largest number of them located in the United States.

“The 911[.]re network uses at least two free VPN services to lure its users to install a malware-like software that achieves persistence on the user’s computer,” the researchers wrote. “During the research we identified two free VPN services that [use] a subterfuge to lure users to install software that looks legitimate but makes them part of the network. These two software are currently unknown to most if not all antivirus companies.”

A depiction of the Proxygate service. Image: University of Sherbrooke.

The researchers concluded that 911 is supported by a “mid scale botnet-like infrastructure that operates in several networks, such as corporate, government and critical infrastructure.” The Canadian team said they found many of the 911 nodes available for rent were situated within several major US-based universities and colleges, critical infrastructures such as clean water, defense contractors, law enforcement and government networks.

Highlighting the risk that 911 nodes could pose to internal corporate networks, they observed that “the infection of a node enables the 911.re user to access shared resources on the network such as local intranet portals or other services.”

“It also enables the end user to probe the LAN network of the infected node,” the paper continues. “Using the internal router, it would be possible to poison the DNS cache of the LAN router of the infected node, enabling further attacks.”

The 911 user interface, as it existed when the service first launched in 2016.

THE INTERNET NEVER FORGETS

A review of the clues left behind by 911’s early days on the Internet paints a more complete picture of this long-running proxy network. The domain names used by 911 over the years have a few common elements in their original WHOIS registration records, including the address ustraffic@qq.com and a Yunhe Wang from Beijing.

That ustraffic email is tied to a small number of interesting domains, including browsingguard[.]com, cleantraffic[.]net, execlean[.]net, proxygate[.]net, and flashupdate[.]net.

A cached copy of flashupdate[.]net available at the Wayback Machine shows that in 2016 this domain was used for the “ExE Bucks” affiliate program, a pay-per-install business which catered to people already running large collections of hacked computers or compromised websites. Affiliates were paid a set amount for each installation of the software, with higher commissions for installs in more desirable nations, particularly Europe, Canada and the United States.

“We load only one software — it’s a Socks5 proxy program,” read the message to ExE Bucks affiliates. The website said affiliates were free to spread the proxy software by any means available (i.e. “all promotion methods allowed”). The website’s copyright suggests the ExE Bucks affiliate program dates back to 2012.

A cached copy of flashupdate[.]net circa 2016, which shows it was the home of a pay-per-install affiliate program that incentivized the silent installation of its software. “FUD” in the ad above refers to software and download links that are “Fully UnDetectable” as suspicious or malicious by all antivirus software.

Another domain tied to the ustraffic@qq.com email in 2016 was ExeClean[.]net, a service that advertised to cybercriminals seeking to obfuscate their malicious software so that it goes undetected by all or at least most of the major antivirus products on the market.

“Our technology ensures the maximum security from reverse engineering and antivirus detections,” ExEClean promised.

The Exe Clean service made malware look like goodware to antivirus products.

Yet another domain connected to the ustraffic email is p2pshare[.]net, which advertised a “free unlimited internet file-sharing platform” for those who agreed to install their software.

p2pshare.net, which bundled the 911 proxy with an application that promised access to free unlimited internet file-sharing.

Still more domains associated with ustraffic@qq.com suggest 911’s proxy has been disguised as security updates for video player plugins, including flashplayerupdate[.]xyz, mediaplayerupdate[.]xyz, and videoplayerupdate[.]xyz.

The earliest version of the 911 website available from the Wayback Machine is from 2016. A sister service called proxygate[.]net launched roughly a year prior to 911 as a “free” public test of the budding new residential proxy service. “Basically using clients to route for everyone,” was how Proxygate described itself in 2016.

For more than a year after its founding, the 911 website was written entirely in Simplified Chinese. The service has only ever accepted payment via virtual currencies such as Bitcoin and Monero, as well as Alipay and China UnionPay, both payment platforms based in China.

Initially, the terms and conditions of 911’s End User License Agreement (EULA) named a company called Wugaa Enterprises LLC, which was registered in California in 2016. Records from the California Secretary of State office show that in November 2016, Wugaa Enterprises said it was in the Internet advertising business, and had named as its CEO one Nicolae Aurelian Mazgarean of Brasov, Romania.

A search of European VAT numbers shows the same Brasov, RO address tied to an enterprise called PPC Leads SRL (in the context of affiliate-based marketing, “PPC” generally refers to the term “pay-per-click”).

911’s EULA would later change its company name and address in 2017, to International Media Ltd. in the British Virgin Islands. That is the same information currently displayed on the 911 website.

The EULA attached to 911 software downloaded from browsingguard[.]com (tied to the same ustraffic@qq email that registered 911) references a company called Gold Click Limited. According to the UK Companies House, Gold Click Limited was registered in 2016 to a 34-year-old Yunhe Wang from Beijing City. Many of the WHOIS records for the above mentioned domains also include the name Yunhe Wang, or some variation thereof.

In a response to questions from KrebsOnSecurity, 911 said the researchers were wrong, and that 911 has nothing to do with any of the other domains mentioned above.

“We have 911 SDK link and how it works described clearly in the ‘Terms of use’ of affiliated partners products, and we have details of how the community powered network works on our webpages,” read an email response.

“Besides that, for protecting the end users, we banned many domains’ access and blocked the vulnerable ports, e.g. spamming emails, and torrent is not possible from the 911 network,” the reply continued. “Same as scanning and many others…Accessing to the Lan network and router is also blocked. We are monitoring 911 user’s account closely, once any abnormal behavior detected, we suspend the user’s account right away.”

FORUM ACTIVITY?

911 has remained one of the most popular services among denizens of the cybercrime underground for years, becoming almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose credit card they’re about to charge at some website, or whose bank account they’re about to empty.

Given the frequency with which 911 has been praised by cybercrooks on the top forums, it was odd to find the proprietors of 911 do not appear to have created any official support account for the service on any of several dozen forums reviewed by this author going back a decade. However, there are two cybercriminal identities on the forums that have responded to individual 911 help requests, and who promoted the sale of 911 accounts via their handles.

Both of these identities were active on the crime forum fl.l33t[.]su between 2016 and 2019. The user “Transfer” advertised and sold access to 911 from 2016 to 2018, amid many sales threads where they advertised expensive electronics and other consumer goods that were bought online with stolen credit cards.

In a 2017 discussion on fl.l33t[.]su, the user who picked the handle “527865713” could be seen answering private messages in response to help inquiries seeking someone at 911. That identity is tied to an individual who for years advertised the ability to receive and relay large wire transfers from China.

One ad from this user in 2016 offered a “China wire service” focusing on Western Union payments, where “all transfers are accepted in China.” The service charged 20 percent of all “scam wires,” unauthorized wire transfers resulting from bank account takeovers or scams like CEO impersonation schemes.

911 TODAY

In August 2021, 911’s biggest competitor — a 15-year-old proxy network built on malware-compromised PCs called VIP72 — abruptly closed up shop. Almost overnight, an overwhelming number of former VIP72 customers began shifting their proxy activities to 911.

The login page for VIP72, until recently 911’s largest competitor.

That’s according to Riley Kilmer, co-founder of Spur.us — a security company that monitors anonymity services. Kilmer said 911 also gained an influx of new customers after the Jan. 2022 closure of LuxSocks, another malware-based proxy network.

“911’s user base skyrocketed after VIP72 and then LuxSocks went away,” Kilmer said. “And it’s not hard to see why. 911 and VIP72 are both Windows-based apps that operate in a similar way, where you buy private access to IPs.”

Kilmer said 911 is interesting because it appears to be based in China, while nearly all of the other major proxy networks are Russian-backed or Russian-based.

“They have two basic methods to get new IPs,” Kilmer said. “The free VPN apps, and the other is trojanized torrents. They’ll re-upload Photoshop and stuff like that so that it’s backdoored with the 911 proxy. They claim the proxy is bundled with legitimate software and that users all agree to their Terms of Service, meanwhile they can hide behind the claim that it was some affiliate who installed the software, not them.”

Kilmer said at last count, 911 had nearly 200,000 proxy nodes for sale, spanning more than 200 countries. The largest geographic concentration is the United States, where more than 42,000 proxies are currently for rent by the service.

PARTING THOUGHTS

Beware of “free” or super low-cost VPN services. Proper VPN services are not cheap to operate, so the revenue for the service has to come from somewhere. And there are countless “free” VPN services that are anything but, as we’ve seen with 911.

In general, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others. Many free VPN services will enlist users as VPN nodes for others to use, and some even offset costs by collecting and reselling data from their users.

All VPN providers claim to prioritize the privacy of their users, but many then go on to collect and store all manner of personal and financial data from those customers. Others are fairly opaque about their data collection and retention policies.

I’ve largely avoided wading into the fray about which VPN services are best, but there are so many shady and just plain bad ones out there that I’d be remiss if I didn’t mention one VPN provider whose business practices and transparency of operation consistently distinguish them from the rest. If maintaining your privacy and anonymity are primary concerns for you as a VPN user, check out Mullvad.net.

Let me make clear that KrebsOnSecurity does not have any financial or business ties to this company (for the avoidance of doubt, this post doesn’t even link to them). I mention it only because I’ve long been impressed with their candor and openness, and because Mullvad goes out of its way to discourage customers from sharing personal or financial data.

To that end, Mullvad will even accept mailed payments of cash to fund accounts, quite a rarity these days. More importantly, the service doesn’t ask users to share phone numbers, email addresses or any other personal information. Nor does it require customers to create passwords: Each subscription can be activated just by entering a Mullvad account number (woe to those who lose their account number).

I wish more companies would observe this remarkably economical security practice, which boils down to the mantra, “You don’t have to protect what you don’t collect.”
