No SOCKS, no shoes, no malicious proxy services! – Krebs on Security
With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the internet. To compound the problem, several of the remaining malware-based proxy services opted to block new registrations to avoid overwhelming their networks with a sudden influx of customers.
Last week, a seven-year-old proxy service called 911[.]re abruptly announced that it was shutting down for good after a cybersecurity breach allowed unknown intruders to destroy its servers and delete customer data and backups. 911 already looked like critical infrastructure to many in the cybercriminal community after its two main competitors, VIP72 and LuxSocks, closed or were closed by the authorities in the last 10 months.
Underground cybercrime forums are now inundated with calls from people desperate for a new provider of plentiful, cheap and reliable proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are still plenty of smaller proxy services left, few are capable on their own of absorbing today’s demand.
“Everyone is looking for an alternative bro,” wrote one BlackHatForums user on August 1 in response to one of the many “alternative 911” threads. “No one knows of an equivalent alternative to 911[.]re. Their service in terms of value and affordability compared to other proxy providers was unmatched. Hope someone comes up with a great alternative to 911[.]re.”
NEW SOCKS, EVEN OLD SHOES
Among the most frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been around since at least 2010. Here’s what part of their current homepage looks like:
But faced with a deluge of new registrations following the 911 implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:
“Due to unusually high demand and heavy load on our servers, we have had to block all new registrations. We will not be able to support our proxies otherwise and will therefore be closing SocksEscort. We will resume registrations right after the decline in demand. Thank you for your understanding and sorry for the inconvenience.”
According to Spur.us, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines proxying traffic for SocksEscort customers have been infected with malware that turns them into traffic relays.
Spur claims that SocksEscort’s proxy service relies on software designed to run on Windows computers and currently leases access to more than 14,000 hacked computers worldwide. That’s a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.
SocksEscort is what is called a “SOCKS proxy” service. The SOCKS (or SOCKS5) protocol allows internet users to funnel their web traffic through a proxy server, which then forwards the information to the intended destination. From a website’s perspective, the traffic from the proxy network client appears to be coming from a rented, malware-infected PC on a residential ISP connection, not from the proxy service’s customer.
These services can be used legitimately for several commercial purposes, such as price comparisons or sales intelligence, but they are heavily used to conceal cybercrime activity, because they make it difficult to trace malicious traffic back to its original source.
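The SOCKS5 handshake described above is small enough to parse by hand, and doing so is useful on the defensive side: a home or office PC that answers inbound SOCKS5 greetings and then opens whatever connection the remote party requests is behaving exactly like the relay that a malware-based proxy turns it into. The following is an added example written for this article, not code from KrebsOnSecurity, Spur.us, SocksEscort or any proxy service; it implements the three RFC 1928 handshake messages (client greeting, server method selection, client request) and walks a captured conversation to decide whether the machine under review acted as a relay. The byte strings, the `("peer", payload)` / `("host", payload)` message shape and the function names are all constructed for the example.

```python
"""SOCKS5 (RFC 1928) handshake parser and relay detector.

Added example accompanying the SOCKS explanation above. It is not code from
KrebsOnSecurity, SocksEscort or any proxy service; the byte strings below are
constructed to look like a SOCKS5 exchange, not captured traffic.

Defensive use: a workstation that *answers* inbound SOCKS5 greetings and then
connects outbound to wherever the peer asks is acting as a traffic relay,
which is what the malware on a rented "residential proxy" PC does.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
METHOD_NAMES = {0: "NO_AUTH", 1: "GSSAPI", 2: "USERNAME_PASSWORD", 0xFF: "NO_ACCEPTABLE"}


def parse_greeting(data: bytes):
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]. Exact length required."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    methods = [METHOD_NAMES.get(m, "0x%02x" % m) for m in data[2:]]
    return {"type": "greeting", "methods": methods}


def parse_method_selection(data: bytes):
    """Server answer to the greeting: VER | METHOD."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        return None
    return {"type": "method_selection", "method": METHOD_NAMES.get(data[1], "0x%02x" % data[1])}


def parse_request(data: bytes):
    """Client request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT (big-endian)."""
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[2] != 0 or data[1] not in CMD_NAMES:
        return None
    atyp = data[3]
    if atyp == 1:                  # IPv4: 4 address bytes
        addr_len = 4
    elif atyp == 4:                # IPv6: 16 address bytes
        addr_len = 16
    elif atyp == 3:                # domain name: 1 length byte + name
        addr_len = 1 + data[4]
    else:
        return None
    if len(data) != 4 + addr_len + 2:   # truncated or trailing garbage -> not a request
        return None
    raw = data[4:4 + addr_len]
    if atyp == 1:
        host = str(ipaddress.IPv4Address(raw))
    elif atyp == 4:
        host = str(ipaddress.IPv6Address(raw))
    else:
        host = raw[1:].decode("ascii", "replace")
    (port,) = struct.unpack("!H", data[-2:])
    return {"type": "request", "cmd": CMD_NAMES[data[1]], "host": host, "port": port}


def classify(data: bytes):
    """Return the parsed SOCKS5 message, or None if the bytes are not one."""
    for parser in (parse_request, parse_greeting, parse_method_selection):
        msg = parser(data)
        if msg is not None:
            return msg
    return None


def walk_handshake(messages):
    """Walk a captured conversation and decide whether HOST acted as a SOCKS5 relay.

    messages: list of (sender, payload) with sender "peer" (remote side) or
    "host" (the machine under review), in capture order.
    """
    state = "greeting"
    summary = {"relay": False, "destination": None, "auth": None}
    for sender, payload in messages:
        msg = classify(payload)
        if msg is None:
            continue
        if state == "greeting" and sender == "peer" and msg["type"] == "greeting":
            state = "select"
        elif state == "select" and sender == "host" and msg["type"] == "method_selection":
            summary["auth"] = msg["method"]
            if msg["method"] == "NO_ACCEPTABLE":
                break                      # host refused: not relaying for this peer
            state = "request"
        elif state == "request" and sender == "peer" and msg["type"] == "request":
            summary["relay"] = True        # host accepted a peer-steered connection
            summary["destination"] = (msg["cmd"], msg["host"], msg["port"])
            break
    return summary


# Constructed exchange: a remote "customer" steers the host to example.com:443.
SAMPLE_EXCHANGE = [
    ("peer", bytes([5, 1, 0])),                                        # greeting, offers NO_AUTH
    ("host", bytes([5, 0])),                                           # host accepts NO_AUTH
    ("peer", bytes([5, 1, 0, 3, 11]) + b"example.com" + b"\x01\xbb"),  # CONNECT example.com:443
]

if __name__ == "__main__":
    print(walk_handshake(SAMPLE_EXCHANGE))
```

The parsers demand exact message lengths, so a CONNECT request is never mistaken for a greeting with the same leading bytes, and a truncated request is rejected rather than partially decoded. Feeding `walk_handshake` the per-flow payloads from a packet capture of inbound connections to a host gives a quick answer to "is this machine relaying for strangers?" without needing the proxy software itself.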
The disruption at 911[.]re came days after KrebsOnSecurity published an in-depth review of the long-running proxy service, which showed that 911 had a habit of getting its proxy software installed without user notice or consent, and that it was actually running some of these “pay-per-install” operations itself to ensure a steady supply of freshly hacked PCs.
This story also showed once again that the people who build and rent these botnets are surprisingly easy to identify in real life, especially considering that they operate malware-based anonymity services that enable a great deal of cybercrime activity.
This was again the case with SocksEscort. Hilariously, the common thread that revealed the real identities of people running this SOCKS service was that they all worked for the same online shoe store.
SocksEscort[.]com was originally registered with the email address “[email protected]”, which according to DomainTools.com was used to register a handful of related domains, including its previous incarnation, super-socks[.]biz. Cached versions of the site show that in 2010 the software that powers the network carried a copyright of “escort software.”
Super-socks[.]biz went live around the same time as another domain registered to this “michdomain” email: IP-score[.]com, which quickly became shorthand on several cybercrime forums for a service that could tell visitors whether their Internet address, or more specifically the proxy they were using, was flagged by security software or services as compromised or malicious.
IP-score offered a revenue-sharing program for websites that chose to embed its IP-score code, and the copyright on that user-bar program was “angry coders.”
A roundup of Internet addresses historically used by super-socks[.]biz and SocksEscort[.]com reveals that these domains have at various times over the years shared an Internet address with a small number of other domains, including angrycoders[.]net, iskusnyh[.]pro, and kc-shoes[.]ru.
Cached copies of angrycoders[.]net from the Wayback Machine don’t reveal much about this particular group of Angry Coders, but a search on the domain brings up several now-inactive listings for Angry Coders based in Omsk, a major city in the Siberian region of Russia. The domain was registered in 2010 to an Oleg Iskusnyh from Omsk, who used the e-mail address [email protected].
According to Constella Intelligence [currently an advertiser on KrebsOnSecurity], Oleg used the same password from his [email protected] account for a multitude of other “iboss”-themed email addresses, one of which is linked to a LinkedIn profile for one Oleg Iskusnyh, who is described as a senior web developer living in Nursultan, Kazakhstan.
Iskusnyh’s GitHub profile shows that he has contributed code to a number of online payment-related technologies and services, including Ingenico ePayments, Swedbank WooCommerce, Mondido Payments and Reepay.
DON’T JUDGE A MAN UNTIL YOU HAVE WALKED A MILE IN HIS SOCKS
The various “iboss” email accounts appear to have been shared by multiple parties. A search of Constella’s Breached Entities Database on “[email protected]” reveals that a person using the name Oleg Iskusnyh registered an online profile using a phone number in the Bronx, New York. Pivoting on that phone number, 17187154415, reveals a profile exposed in the breach of the commercial intelligence company Apollo with the first name “Dmitry” who used the e-mail address [email protected].
This email is connected to a LinkedIn profile for a Dmitry Chepurko in Pavlodar, Kazakhstan. Chepurko’s CV states that he is a full stack developer, having recently worked in the Omsk offices of a German footwear company called K.C. Shoes (the aforementioned kc-shoes.ru). Chepurko’s CV indicates that he worked on his own for a decade using the freelance platform Upwork.
The Upwork profile listed on Chepurko’s LinkedIn resume is no longer active. But that same now-defunct Upwork account link is still listed as the profile of a “Dmitry C.” on an Upwork profile page for the Angry Coders team in Omsk, Russia.
Who is the “Alexander S.” listed above under “Agency Members” in the Upwork profile for Angry Coders? Historical DNS records from Farsight Security show that angrycoders[.]net previously included the subdomain “smollalex.angrycoders[.]net”.
A simple Internet search on “kc-shoes” reveals a GitHub account for a user from Omsk with the first name Alexander and the account name “Smollalex”. Alexander’s GitHub account indicates that he also contributed code to the kc-shoes website.
Constella’s service shows that “Smollalex” was a favorite handle of an Alexander Smolyaninov from Omsk. The Smollalex GitHub account links this individual to a company in Omsk that sells parts for oil and gas pipelines.
That shoes are apparently the common link between the Angry Coders responsible for SocksEscort is doubly amusing because, at least according to posts on some cybercrime forums, one of the main reasons people turn to these proxy services is “shoe botting” or “sneaker bots,” which refers to the use of automated bot programs and services that assist in the rapid acquisition of limited-release, highly sought-after designer sneakers that can then be resold at huge margins in the secondary markets.
It is unclear if members of the Angry Coders team remain affiliated with SocksEscort; none of them responded to requests for comment. But there were certain clues made clear in the research above that the Angry Coders have outsourced much of the promotion and support of their proxy service to programmers based in India and Indonesia, where a large share of the service’s customers apparently now reside.
July 29, 2022: 911 Proxy Service implodes after revealing breach
July 28, 2022: Breach exposes users of Microleaves proxy service
July 18, 2022: A deep dive into the “911” residential proxy service
June 28, 2022: The link between the AWM proxy and the Glupteba botnet
June 22, 2022: Meet the RSOCKS Proxy Botnet Administrators
September 1, 2021: VIP72, a 15-year-old malware proxy network, goes down