August 2, 2022

With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.

The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.

“Everybody is looking for an alternative, bro,” wrote a BlackHatForums user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911[.]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911[.]re.”

Among the more frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been in existence since at least 2010. Here’s what part of their current homepage looks like:

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:

“Due to unusual high demand, and heavy load on our servers, we had to block all new registrations. We won’t be able to support our proxies otherwise, and close SocksEscort as a result. We will resume registrations right after demand drops. Thank you for understanding, and sorry for the inconvenience.”

According to Spur.us, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay.

Spur says SocksEscort’s proxy service relies on software designed to run on Windows computers, and is currently leasing access to more than 14,000 hacked computers worldwide. That is a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.

Image: Spur.us

SocksEscort is what’s known as a “SOCKS proxy” service. SOCKS (the current version is SOCKS5, RFC 1928) is a generic relay protocol: the client hands the proxy server the address of the destination it wants to reach, and the proxy opens that connection itself and shuttles the bytes in both directions, so it works for Web traffic and for any other TCP connection alike. From a website’s perspective, the traffic of the proxy network customer appears to originate from the rented, malware-infected PC tied to a residential ISP customer, not from the proxy service customer.
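As an added illustration of the handshake described above (example code written for this page, not SocksEscort’s software or anything from the original article), the following Python builds and parses the four SOCKS5 (RFC 1928) handshake messages and plays both sides of the exchange in-process. The exit address 203.0.113.7 and the bound port 51000 are constructed placeholders standing in for an infected PC; no network connection is made.

```python
"""Byte-level SOCKS5 (RFC 1928) handshake, both sides, as used by
residential/malware proxy services: the client sends a greeting, the
proxy picks an auth method, the client names the destination, the proxy
connects on its behalf and reports the address it bound.  The destination
only ever sees the proxy's (here: the infected PC's) address.
Added example for this page; constants and layout follow RFC 1928."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def build_greeting(methods=(METHOD_NO_AUTH,)):
    # VER | NMETHODS | METHODS...
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_greeting(data):
    ver, n = data[0], data[1]
    if ver != SOCKS_VERSION or len(data) != 2 + n:
        raise ValueError("malformed greeting")
    return list(data[2:2 + n])


def build_method_selection(offered, supported=(METHOD_NO_AUTH,)):
    # VER | METHOD  (0xFF means "no acceptable method", client must close)
    chosen = next((m for m in offered if m in supported), METHOD_NO_ACCEPTABLE)
    return bytes([SOCKS_VERSION, chosen])


def _encode_addr(host, port):
    # ATYP | ADDR | PORT.  Hostnames go over the wire as-is (ATYP 3), so DNS
    # resolution happens at the exit node, not on the customer's machine.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw + struct.pack("!H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + struct.pack("!H", port)


def _decode_addr(data, offset):
    atyp = data[offset]
    offset += 1
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(data[offset:offset + 4]))
        offset += 4
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(data[offset:offset + 16]))
        offset += 16
    elif atyp == ATYP_DOMAIN:
        n = data[offset]
        offset += 1
        host = data[offset:offset + n].decode("idna")
        offset += n
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    port = struct.unpack("!H", data[offset:offset + 2])[0]
    return host, port, offset + 2


def build_connect_request(host, port):
    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + _encode_addr(host, port)


def parse_connect_request(data):
    ver, cmd, rsv = data[0], data[1], data[2]
    if ver != SOCKS_VERSION or rsv != 0x00:
        raise ValueError("malformed request")
    host, port, end = _decode_addr(data, 3)
    if end != len(data):
        raise ValueError("trailing bytes in request")
    return cmd, host, port


def build_reply(rep, bind_host, bind_port):
    # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT
    return bytes([SOCKS_VERSION, rep, 0x00]) + _encode_addr(bind_host, bind_port)


def parse_reply(data):
    rep = data[1]
    host, port, _ = _decode_addr(data, 3)
    return rep, host, port


def simulate_exchange(dst_host, dst_port, exit_ip="203.0.113.7"):
    """Run the four handshake messages in-process and return the transcript.
    exit_ip (TEST-NET-3, constructed) stands for the infected PC's public
    address, which is all the destination server will see in its logs."""
    transcript = []
    greeting = build_greeting()                                    # client -> proxy
    transcript.append(("client", greeting))
    selection = build_method_selection(parse_greeting(greeting))   # proxy -> client
    transcript.append(("proxy", selection))
    request = build_connect_request(dst_host, dst_port)            # client -> proxy
    transcript.append(("client", request))
    cmd, host, port = parse_connect_request(request)
    if cmd != CMD_CONNECT:
        raise ValueError("only CONNECT is modelled here")
    # A real proxy would now connect((host, port)) from exit_ip and relay
    # bytes; here we only emit the reply it would send (bound port constructed).
    reply = build_reply(REP_SUCCEEDED, exit_ip, 51000)             # proxy -> client
    transcript.append(("proxy", reply))
    return transcript


if __name__ == "__main__":
    for side, msg in simulate_exchange("example.com", 443):
        print(f"{side:>6}: {msg.hex(' ')}")
```

Two things worth noticing in the transcript: the destination hostname rides inside the CONNECT request, so name resolution and the outbound TCP connection both happen on the exit node, and the only address the destination server can log is the exit node’s. That is exactly why a residential exit is valuable to an abuser, and why blocking by source IP alone does poorly against networks of 14,000 or 200,000 rotating infected hosts.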

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source.

The disruption at 911[.]re came days after KrebsOnSecurity published an in-depth look at the long-running proxy service, which showed that 911 had a history of incentivizing the installation of its proxy software without user notice or consent, and that it actually ran some of these “pay-per-install” schemes on its own to guarantee a steady supply of freshly-hacked PCs.

More on SocksEscort in an upcoming story.

Further reading:

July 29, 2022: 911 Proxy Service Implodes After Disclosing Breach

July 28, 2022: Breach Exposes Users of Microleaves Proxy Service

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’

June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet

June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet

Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark


20 thoughts on “No SOCKS, No Shoes, No Malware Proxy Services!”

    1. JimpersonatingJ

      Honestly… giving it away in the open.
      Brian just gives away free puns. The more the merrier.

      Reply
      1. Honestly

        Celebrating a super minor nothing pun in a headline and playing imposter again?
        It’s no wonder you want to be other people JJ. If this is your best life I feel for you.

        Reply
        1. Douglas

          Not just the headline, those puns are everywhere in the article. Did you even read?

          Reply
          1. Did you even comprehend?

            People who fawn over minor puns need to get out more.
            Yes it’s a witty writing style, no it’s not worth orgasm.

            Reply
            1. Douglas

              Who is fawning? All I see is a compliment to Brian Krebs. Are you someone who gets offended by someone else’s compliment? That’s petty nonsense. Why are you so easily offended?

              Reply
      2. Douglas

        I don’t get what you’re talking about. Is this code for something?

        Reply
  1. Jon Marcus

    So these miscreants will have a hard time finding proxies to hide their malware. Damn shame that.

    Good work!

    Reply
  2. mark

    Brian, I seriously hope you have some kind of personal security – an agency, whatever – for yourself and your family. The scum of the planet, as you well know, do not play nice.

    Meanwhile, the rest of us deeply appreciate your work.

    Reply
    1. mealy

      He’ll just kill ’em with kindness one by one as per usual. If that fails ninja training kicks in.
      People think all those gnomes in the yard are decorative. If only they knew. He never sleeps.

      Reply
      1. Honestly

        Celebrating a super minor nothing in a headline and playing imposter again?
        It’s no wonder you want to be other people. If this is your best life I feel for you.

        Reply
    2. The other Brian

      And think he was fired from WaPo because “fAr RiGHttttt”

      Keep the good job Brian

      Reply
  3. mark

    Brian, I sincerely hope you have some kind of serious security for yourself and your family – the folks behind this do not play nice.

    Meanwhile, the rest of us deeply appreciate your work.

    Reply
  4. 4Bosd5Security

    criminals right now use xded rdp shop :/ Making your own proxy is easy but criminals are dummy af.. shodan is free and rce exploits for iot are free too.

    Reply
