911 proxy service implodes after breach disclosure – Krebs on Security

The 911 service as it existed through July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down after a data breach that destroyed vital components of its business operations. The abrupt shutdown comes ten days after KrebsOnSecurity released an in-depth look at 911 and its ties to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.

911[.]re was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, offering anonymity and the benefit of being perceived as a residential user surfing the internet.

Residential proxy services are often marketed to people who want a way to bypass country-specific blocking imposed by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services powered by software that turns the user’s PC into a traffic relay for other users. In this scenario, users can indeed use a free VPN service, but they are often unaware that this turns their computer into a proxy, allowing others to use their Internet address to transact online.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used legitimately for various business purposes – like price comparison or sales information – but they are widely misused to conceal cybercrime activity because they can make it difficult to trace malicious traffic back to its original source.

As mentioned in the July 19th KrebsOnSecurity story on 911, the proxy service operated multiple pay-per-install schemes that paid affiliates to covertly bundle the proxy software with other software, thereby continually generating a steady stream of new proxies for the service.

A cached copy of flashupdate[.]net circa 2016, showing that it was the homepage of a pay-per-install affiliate program that incentivized unattended installation of 911’s proxy software.

Within hours of this news, 911 posted a notice at the top of its website that read: “We are reviewing our network and adding a number of security measures to prevent abuse of our services. Proxy balance top-up and new user registration is closed. We screen each existing user to ensure their use is legitimate and [in] compliance with our Terms of Use.”

With that announcement, all hell broke loose on various cybercrime forums, where many longtime 911 customers reported being unable to use the service. Others affected by the outage said that 911 appeared to be trying to implement some kind of “know your customer” rule — that perhaps 911 was just trying to weed out those customers who use the service for high volume cybercriminal activity.

Then, on July 28, the 911 website began redirecting to a notice that read, “We regret to inform you that we permanently shut down 911 and all of its services on July 28.”

According to 911, the service was hacked in early July and it was discovered that someone had tampered with the balances of a large number of user accounts. 911 said the intruders hijacked an application programming interface (API) that handles account top-ups when users make financial deposits using the service.

“I’m not sure how the hacker got in,” the 911 message said. “Therefore, we urgently shut down the charging system, registered new users and launched an investigation.”

911’s farewell message to its users, published on the homepage on July 28, 2022.

However the intruders got in, 911 said they also managed to overwrite critical 911[.]re servers, data and backups of that data.

“On July 28, a large number of users reported that they could not log into the system,” the statement continued. “We discovered that the data on the server was maliciously corrupted by the hacker, resulting in loss of data and backups. It is [sic] confirmed that the charging system was also hacked in the same way. We were forced to make this difficult decision as important data was lost, which made it impossible to restore service.”

911, largely operated out of China, has been an enormously popular service on many cybercrime forums and has become a sort of critical infrastructure for this community after 911’s two long-time competitors – malware-based proxy services VIP72 and LuxSocks – closed their doors last year.

Now, many on the crime forums who have relied on 911 for their operations are wondering aloud if there are alternatives that match the scope and utility that 911 offered. The consensus seems to be a resounding “no”.

I suspect we’ll soon learn more about the security incidents that led to the implosion of 911. And perhaps other proxy services will emerge to meet the seemingly growing demand for such services with comparatively little supply.

Meanwhile, the absence of 911 could coincide with a measurable (if short-lived) respite in unwanted traffic to top Internet destinations, including banks, retailers, and cryptocurrency platforms, as many former customers of the proxy service scramble to take alternative precautions.

Riley Kilmer, co-founder of proxy tracking service Spur.us, said 911’s network will be difficult to replicate in the short term.

“My speculation is [911’s remaining competitors] will get a big boost in the short term, but eventually a new player will come along,” Kilmer said. “None of these are good replacements for LuxSocks or 911. However, they will all allow anyone to use them. Fraud rates will continue, but through these backup services, which should be easier to monitor and stop. 911 had some very clean IP addresses.”

911 wasn’t the only major proxy provider to disclose a breach related to unauthenticated APIs this week: On July 28, KrebsOnSecurity reported that internal APIs exposed to the Internet had leaked the customer database of Microleaves, a proxy service that rotates its customers’ IP addresses every five to ten minutes. This investigation revealed that Microleaves – like 911 – had a long history of using pay-per-install schemes to distribute its proxy software.
