Class Action Targets Experian Over Account Security

August 5, 2022

A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.

The lawsuit, filed July 28, 2022 in California Central District Court, argues that Experian’s documented practice of allowing the re-registration of accounts without first verifying that the existing account authorized the changes is a violation of the Fair Credit Reporting Act.

In July’s Experian, You Have Some Explaining to Do, we heard from two different readers who had security freezes on their credit files with Experian and who also recently received notifications from Experian that the email address on their account had been changed. So had their passwords and account PIN and secret questions. Both had used password managers to pick and store complex, unique passwords for their accounts.

Both were able to recover access to their Experian account simply by recreating it — sharing their name, address, phone number, social security number, date of birth, and successfully gleaning or guessing the answers to four multiple choice questions that are almost entirely based on public records (or else information that is not terribly difficult to find).

Here’s the bit from that story that got excerpted in the class action lawsuit:

KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.

After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.

Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”

After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?

To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.

In response to my story, Experian suggested the reports from readers were isolated incidents, and that the company does all kinds of things it can’t talk about publicly to prevent bad people from abusing its systems.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

That sounds great, but since that story ran I’ve heard from several more readers who were doing everything right and still had their Experian accounts hijacked, with little left to show for it except an email alert from Experian saying they had changed the address on file for the account. Continue reading

Scammers Sent Uber to Take Elderly Lady to the Bank

August 4, 2022

Email scammers sent an Uber to the home of an 80-year-old woman who responded to a well-timed email scam, in a bid to make sure she went to the bank and wired money to the fraudsters.  In this case, the woman figured out she was being scammed before embarking for the bank, but her story is a chilling reminder of how far crooks will go these days to rip people off.

Travis Hardaway is a former music teacher turned app developer from Towson, Md. Hardaway said his mother last month replied to an email she received regarding an appliance installation from BestBuy/GeekSquad. Hardaway said the timing of the scam email couldn’t have been worse: His mom’s dishwasher had just died, and she’d paid to have a new one delivered and installed.

“I think that’s where she got confused, because she thought the email was about her dishwasher installation,” Hardaway told KrebsOnSecurity.

Hardaway said his mom initiated a call to the phone number listed in the phony BestBuy email, and that the scammers told her she owed $160 for the installation, which seemed right at the time. Then the scammers asked her to install remote administration software on her computer so that they could control the machine from afar and assist her in making the payment.

After she logged into her bank and savings accounts with scammers watching her screen, the fraudster on the phone claimed that instead of pulling $160 out of her account, they accidentally transferred $160,000 to her account. They said they they needed her help to make sure the money was “returned.”

“They took control of her screen and said they had accidentally transferred $160,000 into her account,” Hardaway said. “The person on the phone told her he was going to lose his job over this transfer error, that he didn’t know what to do. So they sent her some information about where to wire the money, and asked her to go to the bank. But she told them, ‘I don’t drive,’ and they told her, “No problem, we’re sending an Uber to come help you to the bank.'” Continue reading

Advertisement

No SOCKS, No Shoes, No Malware Proxy Services!

August 2, 2022

With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.

The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.

“Everybody is looking for an alternative, bro,” wrote a BlackHatForums user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911[.]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911[.]re.”

Among the more frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been in existence since at least 2010. Here’s what part of their current homepage looks like:

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:

“Due to unusual high demand, and heavy load on our servers, we had to block all new registrations. We won’t be able to support our proxies otherwise, and close SocksEscort as a result. We will resume registrations right after demand drops. Thank you for understanding, and sorry for the inconvenience.”

According to Spur.us, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay.

Spur says SocksEscort’s proxy service relies on software designed to run on Windows computers, and is currently leasing access to more than 14,000 hacked computers worldwide. That is a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.

Image: Spur.us

Continue reading

911 Proxy Service Implodes After Disclosing Breach

July 29, 2022

The 911 service as it existed until July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.

911[.]re is was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

As noted in KrebsOnSecurity’s July 19 story on 911, the proxy service operated multiple pay-per-install schemes that paid affiliates to surreptitiously bundle the proxy software with other software, continuously generating a steady stream of new proxies for the service.

A cached copy of flashupdate[.]net circa 2016, which shows it was the homepage of a pay-per-install affiliate program that incentivized the silent installation of 911’s proxy software.

Within hours of that story, 911 posted a notice at the top of its site, saying, “We are reviewing our network and adding a series of security measures to prevent misuse of our services. Proxy balance top-up and new user registration are closed. We are reviewing every existing user, to ensure their usage is legit and [in] compliance with our Terms of Service.”

At this announcement, all hell broke loose on various cybercrime forums, where many longtime 911 customers reported they were unable to use the service. Others affected by the outage said it seemed 911 was trying to implement some sort of “know your customer” rules — that maybe 911 was just trying to weed out those customers using the service for high volumes of cybercriminal activity.

Then on July 28, the 911 website began redirecting to a notice saying, “We regret to inform you that we permanently shut down 911 and all its services on July 28th.”

According to 911, the service was hacked in early July, and it was discovered that someone manipulated the balances of a large number of user accounts. 911 said the intruders abused an application programming interface (API) that handles the topping up of accounts when users make financial deposits with the service.

“Not sure how did the hacker get in,” the 911 message reads. “Therefore, we urgently shut down the recharge system, new user registration, and an investigation started.”

The parting message from 911 to its users, posted to the homepage July 28, 2022.

However the intruders got in, 911 said, they managed to also overwrite critical 911[.]re servers, data and backups of that data. Continue reading

Breach Exposes Users of Microleaves Proxy Service

July 28, 2022

Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any which way they can — such as by secretly bundling it with other titles.

The Microleaves proxy service, which is in the process of being rebranded to Shifter[.[io.

Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customer’s Internet Protocol (IP) address every five to ten minutes.

The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked — such as data scraping, or mass-creating new accounts at some service online.

In response to a report about the data exposure from KrebsOnSecurity, Microleaves said it was grateful for being notified about a “very serious issue regarding our customer information.”

Abhishek Gupta is the PR and marketing manager for Microleaves, which he said in the process of being rebranded to “Shifter.io.” Gupta said the report qualified as a “medium” severity security issue in Shifter’s brand new bug bounty program (the site makes no mention of a bug bounty), which he said offers up to $2,000 for reporting data exposure issues like the one they just fixed. KrebsOnSecurity declined the offer and requested that Shifter donate the amount to the Electronic Frontier Foundation (EFF), a digital rights group.

From its inception nearly a decade ago, Microleaves has claimed to lease between 20-30 million IPs via its service at any time. Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said that 20-30 million number might be accurate for Shifter if measured across a six-month time frame. Currently, Spur is tracking roughly a quarter-million proxies associated with Microleaves/Shifter each day, with a high rate of churn in IPs.

Early on, this rather large volume of IP addresses led many to speculate that Microleaves was just a botnet which was being resold as a commercial proxy service.

Proxy traffic related to top Microleaves users, as exposed by the website’s API.

The very first discussion thread started by the new user Microleaves on the forum BlackHatWorld in 2013 sought forum members who could help test and grow the proxy network. At the time, the Microleaves user said their proxy network had 150,000 IPs globally, and was growing quickly.

One of BlackHatWorld’s moderators asked the administrator of the forum to review the Microleaves post.

“User states has 150k proxies,” the forum skeptic wrote. “No seller on BHW has 150k working daily proxies none of us do. Which hints at a possible BOTNET. That’s the only way you will get 150k.”

Microleaves has long been classified by antivirus companies as adware or as a “potentially unwanted program” (PUP), the euphemism that antivirus companies use to describe executable files that get installed with ambiguous consent at best, and are often part of a bundle of software tied to some “free” download. Security vendor Kaspersky flags the Microleaves family of software as a trojan horse program that commandeers the user’s Internet connection as a proxy without notifying the user.

“While working, these Trojans pose as Microsoft Windows Update,” Kaspersky wrote.

In a February 2014 post to BlackHatWorld, Microleaves announced that its sister service — reverseproxies[.]com — was now offering an “Auto CAPTCHA Solving Service,” which automates the solving of those squiggly and sometimes frustrating puzzles that many websites use to distinguish bots from real visitors. The CAPTCHA service was offered as an add-on to the Microleaves proxy service, and ranged in price from $20 for a 2-day trial to $320 for solving up to 80 captchas simultaneously.

“We break normal Recaptcha with 60-90% success rate, recaptcha with blobs 30% success, and 500+ other captcha,” Microleaves wrote. “As you know all success rate on recaptcha depends very much on good proxies that are fresh and not spammed!” Continue reading

A Retrospective on the 2015 Ashley Madison Breach

July 26, 2022

It’s been seven years since the online cheating site AshleyMadison.com was hacked and highly sensitive data about its users posted online. The leak led to the public shaming and extortion of many Ashley Madison users, and to at least two suicides. To date, little is publicly known about the perpetrators or the true motivation for the attack. But a recent review of Ashley Madison mentions across Russian cybercrime forums and far-right websites in the months leading up to the hack revealed some previously unreported details that may deserve further scrutiny.

As first reported by KrebsOnSecurity on July 19, 2015, a group calling itself the “Impact Team” released data sampled from millions of users, as well as maps of internal company servers, employee network account information, company bank details and salary information.

The Impact Team said it decided to publish the information because ALM “profits on the pain of others,” and in response to a paid “full delete” service Ashley Madison parent firm Avid Life Media offered that allowed members to completely erase their profile information for a $19 fee.

According to the hackers, although the delete feature promised “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — weren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

A snippet of the message left behind by the Impact Team.

The Impact Team said ALM had one month to take Ashley Madison offline, along with a sister property called Established Men. The hackers promised that if a month passed and the company did not capitulate, it would release “all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”

Exactly 30 days later, on Aug. 18, 2015, the Impact Team posted a “Time’s up!” message online, along with links to 60 gigabytes of Ashley Madison user data.

AN URGE TO DESTROY ALM

One aspect of the Ashley Madison breach that’s always bothered me is how the perpetrators largely cast themselves as fighting a crooked company that broke their privacy promises, and how this narrative was sustained at least until the Impact Team decided to leak all of the stolen user account data in August 2015.

Granted, ALM had a lot to answer for. For starters, after the breach it became clear that a great many of the female Ashley Madison profiles were either bots or created once and never used again. Experts combing through the leaked user data determined that fewer than one percent of the female profiles on Ashley Madison had been used on a regular basis, and the rest were used just once — on the day they were created. On top of that, researchers found 84 percent of the profiles were male.

But the Impact Team had to know that ALM would never comply with their demands to dismantle Ashley Madison and Established Men. In 2014, ALM reported revenues of $115 million. There was little chance the company was going to shut down some of its biggest money machines.

Hence, it appears the Impact Team’s goal all along was to create prodigious amounts of drama and tension by announcing the hack of a major cheating website, and then letting that drama play out over the next few months as millions of exposed Ashley Madison users freaked out and became the targets of extortion attacks and public shaming.

Robert Graham, CEO of Errata Security, penned a blog post in 2015 concluding that the moral outrage professed by the Impact Team was pure posturing.

“They appear to be motivated by the immorality of adultery, but in all probability, their motivation is that #1 it’s fun and #2 because they can,” Graham wrote.

Per Thorsheim, a security researcher in Norway, told Wired at the time that he believed the Impact Team was motivated by an urge to destroy ALM with as much aggression as they could muster.

“It’s not just for the fun and ‘because we can,’ nor is it just what I would call ‘moralistic fundamentalism,'” Thorsheim told Wired. “Given that the company had been moving toward an IPO right before the hack went public, the timing of the data leaks was likely no coincidence.”

NEO-NAZIS TARGET ASHLEY MADISON CEO

As the seventh anniversary of the Ashley Madison hack rolled around, KrebsOnSecurity went back and looked for any mentions of Ashley Madison or ALM on cybercrime forums in the months leading up to the Impact Team’s initial announcement of the breach on July 19, 2015. There wasn’t much, except a Russian guy offering to sell payment and contact information on 32 million AshleyMadison users, and a bunch of Nazis upset about a successful Jewish CEO promoting adultery. Continue reading

Massive Losses Define Epidemic of ‘Pig Butchering’

July 21, 2022

U.S. state and federal investigators are being inundated with reports from people who’ve lost hundreds of thousands or millions of dollars in connection with a complex investment scam known as “pig butchering,” wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

The term “pig butchering” refers to a time-tested, heavily scripted, and human-intensive process of using fake profiles on dating apps and social media to lure people into investing in elaborate scams. In a more visceral sense, pig butchering means fattening up a prey before the slaughter.

“The fraud is named for the way scammers feed their victims with promises of romance and riches before cutting them off and taking all their money,” the Federal Bureau of Investigation (FBI) warned in April 2022. “It’s run by a fraud ring of cryptocurrency scammers who mine dating apps and other social media for victims and the scam is becoming alarmingly popular.”

As documented in a series of investigative reports published over the past year across Asia, the people creating these phony profiles are largely men and women from China and neighboring countries who have been kidnapped and trafficked to places like Cambodia, where they are forced to scam complete strangers over the Internet — day after day.

The most prevalent pig butchering scam today involves sophisticated cryptocurrency investment platforms, where investors invariably see fantastic returns on their deposits — until they try to withdraw the funds. At that point, investors are told they owe huge tax bills. But even those who pay the phony levies never see their money again.

The come-ons for these scams are prevalent on dating sites and apps, but they also frequently start with what appears to be a wayward SMS — such as an instant message about an Uber ride that never showed. Or a reminder from a complete stranger about a planned meetup for coffee. In many ways, the content of the message is irrelevant; the initial goal to simply to get the recipient curious enough to respond in some way.

Those who respond are asked to continue the conversation via WhatsApp, where an attractive, friendly profile of the opposite gender will work through a pre-set script that is tailored to their prey’s apparent socioeconomic situation. For example, a divorced, professional female who responds to these scams will be handled with one profile type and script, while other scripts are available to groom a widower, a young professional, or a single mom.

‘LIKE NOTHING I’VE SEEN BEFORE’

That’s according to Erin West, deputy district attorney for Santa Clara County in Northern California. West said her office has been fielding a large number of pig butchering inquiries from her state, but also from law enforcement entities around the country that are ill-equipped to investigate such fraud.

“The people forced to perpetrate these scams have a guide and a script, where if your victim is divorced say this, or a single mom say this,” West said. “The scale of this is so massive. It’s a major problem with no easy answers, but also with victim volumes I’ve never seen before. With victims who are really losing their minds and in some cases are suicidal.”

West is a key member of REACT, a task force set up to tackle especially complex forms of cyber theft involving virtual currencies. West said the initial complaints from pig butchering victims came early this year.

“I first thought they were one-off cases, and then I realized we were getting these daily,” West said. “A lot of them are being reported to local agencies that don’t know what to do with them, so the cases languish.”

West said pig butchering victims are often quite sophisticated and educated people.

“One woman was a university professor who lost her husband to COVID, got lonely and was chatting online, and eventually ended up giving away her retirement,” West recalled of a recent case. “There are just horrifying stories that run the gamut in terms of victims, from young women early in their careers, to senior citizens and even to people working in the financial services industry.”

In some cases reported to REACT, the victims said they spent days or weeks corresponding with the phony WhatsApp persona before the conversation shifted to investing.

“They’ll say ‘Hey, this is the food I’m eating tonight’ and the picture they share will show a pretty setting with a glass of wine, where they’re showcasing an enviable lifestyle but not really mentioning anything about how they achieved that,” West said. “And then later, maybe a few hours or days into the conversation, they’ll say, ‘You know I made some money recently investing in crypto,’ kind of sliding into the topic as if this wasn’t what they were doing the whole time.”

Curious investors are directed toward elaborate and official-looking online crypto platforms that appear to have thousands of active investors. Many of these platforms include extensive study materials and tutorials on cryptocurrency investing. New users are strongly encouraged to team up with more seasoned investors on the platform, and to make only small investments that they can afford to lose.

The now-defunct homepage of xtb-market[.]com, a scam cryptocurrency platform tied to a pig butchering scheme.

“They’re able to see some value increase, and maybe even be allowed to take out that value increase so that they feel comfortable about the situation,” West said. Some investors then need little encouragement to deposit additional funds, which usually generate increasingly higher “returns.”

West said many crypto trading platforms associated with pig butchering scams appear to have been designed much like a video game, where investor hype is built around upcoming “trading opportunities” that hint at even more fantastic earnings.

“There are bonus levels and VIP levels, and they’ll build hype and a sense of frenzy into the trading,” West said. “There are definitely some psychological mechanisms at work to encourage people to invest more.”

“What’s so devastating about many of the victims is they lose that sense of who they are,” she continued. “They thought they were a savvy, sophisticated person, someone who’s sort of immune to scams. I think the large scale of the trickery and psychological manipulation being used here can’t be understated. It’s like nothing I’ve seen before.”

A $5,000,000 LOSS

Courtney Nolan, a divorced mother of three daughters, says she lost more than $5 million to a pig butchering scam. Nolan lives in St. Louis and has a background in investment finance, but only started investing in cryptocurrencies in the past year.

Nolan’s case may be especially bad because she was already interested in crypto investing when the scammer reached out. At the time, Bitcoin was trading at or near all-time highs of nearly $68,000 per coin.

Nolan said her nightmare began in late 2021 with a Twitter direct message from someone who was following many of the same cryptocurrency influencers she followed. Her fellow crypto enthusiast then suggested they continue their discussion on WhatsApp. After much back and forth about his trading strategies, her new friend agreed to mentor her on how to make reliable profits using the crypto trading platform xtb.com.

“I had dabbled in leveraged trading before, but his mentor program gave me over 100 pages of study materials and agreed to walk me through their investment strategies over the course of a year,” Nolan told KrebsOnSecurity.

Nolan’s mentor had her create an account website xtb-market[.]com, which was made to be confusingly similar to XTB’s official platform. The site promoted several different investment packages, including a “starter plan” that involves a $5,250 up-front investment and promises more than 15 percent return across four separate trading bursts.

Platinum plans on xtb-market promised a whopping 45 percent ROI, with a minimum investment of $265,000. The site also offered a generous seven percent commission for referrals, which encouraged new investors to recruit others.

The now-defunct xtb-market[.]com.

While chatting via WhatsApp, Nolan and her mentor would trade side by side in xtb-market, initially with small investments ranging from $500 to $5,000. When those generated hefty returns, Nolan made bigger deposits. On several occasions she was able to withdraw amounts ranging from $10,000 to $30,000.

But after investing more than $4.5 million of her own money over nearly four months, Nolan found her account was suddenly frozen. She was then issued a tax statement saying she owed nearly $500,000 in taxes before she could reactivate her account or access her funds.

Nolan said it seems obvious in hindsight that she should never have paid the tax bill. Because xtb-market and her mentor cut all communications with her after that, and the entire website disappeared just a few weeks later. Continue reading

A Deep Dive Into the Residential Proxy Service ‘911’

July 18, 2022

The 911 service as it exists today.

For the past seven years, an online service known as 911 has sold access to hundreds of thousands of Microsoft Windows computers daily, allowing customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. 911 says its network is made up entirely of users who voluntarily install its “free VPN” software. But new research shows the proxy service has a long history of purchasing installations via shady “pay-per-install” affiliate marketing schemes, some of which 911 operated on its own.

911[.]re is one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.

The current prices for 911’s proxies.

Researchers at the University of Sherbrooke in Canada recently published an analysis of 911, and found there were roughly 120,000 PCs for rent via the service, with the largest number of them located in the United States.

“The 911[.]re network uses at least two free VPN services to lure its users to install a malware-like software that achieves persistence on the user’s computer,” the researchers wrote. “During the research we identified two free VPN services that [use] a subterfuge to lure users to install software that looks legitimate but makes them part of the network. These two software are currently unknown to most if not all antivirus companies.”

A depiction of the Proxygate service. Image: University of Sherbrooke.

The researchers concluded that 911 is supported by a “mid scale botnet-like infrastructure that operates in several networks, such as corporate, government and critical infrastructure.” The Canadian team said they found many of the 911 nodes available for rent were situated within several major US-based universities and colleges, critical infrastructures such as clean water, defense contractors, law enforcement and government networks.

Highlighting the risk that 911 nodes could pose to internal corporate networks, they observed that “the infection of a node enables the 911.re user to access shared resources on the network such as local intranet portals or other services.”

“It also enables the end user to probe the LAN network of the infected node,” the paper continues. “Using the internal router, it would be possible to poison the DNS cache of the LAN router of the infected node, enabling further attacks.”

The 911 user interface, as it existed when the service first launched in 2016.

Continue reading

Why 8kun Went Offline During the January 6 Hearings

July 15, 2022

The latest Jan. 6 committee hearing on Tuesday examined the role of conspiracy theory communities like 8kun[.]top and TheDonald[.]win in helping to organize and galvanize supporters who responded to former President Trump’s invitation to “be wild” in Washington, D.C. on that chaotic day. At the same time the committee was hearing video testimony from 8kun founder Jim Watkins, 8kun and a slew of similar websites were suddenly yanked offline. Watkins suggested the outage was somehow related to the work of the committee, but the truth is KrebsOnSecurity was responsible and the timing was pure coincidence.

In a follow-up video address to his followers, Watkins said the outage happened shortly after the Jan. 6 committee aired his brief video testimony.

“Then everything that I have anything to do with seemed to crash, so that there was no way for me to go out and talk to anybody,” Watkins said. “The whole network seemed to go offline at the same time, and that affected a lot of people.”

8kun and many other sites that continue to push the false narrative that the 2020 election was stolen from the 45th president have long been connected to the Internet via VanwaTech, a hosting firm based in Vancouver, Wash. In late October 2020, a phone call to VanwaTech’s sole provider of connectivity to the Internet resulted in a similar outage for 8kun.

Jim Waktins (top right), in a video address to his followers on Tuesday after 8kun was taken offline.

Following that 2020 outage, 8kun and a large number of QAnon conspiracy sites found refuge in a Russian hosting provider. But when the anonymous “Q” leader of QAnon suddenly began posting on 8kun again earlier this month, KrebsOnSecurity received a tip that 8kun was once again connected to the larger Internet via a single upstream provider based in the United States.

On Sunday, July 10, KrebsOnSecurity contacted Psychz Networks, a hosting provider in Los Angeles, to see if they were aware that they were the sole Internet lifeline for 8kun et. al.  Psychz confirmed that in response to a report from KrebsOnSecurity, VanwaTech was removed from its network around the time of the Jan. 6 hearing on Tuesday.

8kun and its archipelago of conspiracy theory communities have once again drifted back into the arms of a Russian hosting provider (AS207651), which is connected to the larger Internet via two providers. Those include AS31500 — which appears to be owned by Russians but is making a fair pretense at being located in the Caribbean; and AS28917, in Vilnius, Lithuania.

8kun’s newfound Russian connections will likely hold, but Lithuania may be a different story. Late last month, pro-Russian hackers claimed responsibility for an extensive distributed denial-of-service (DDoS) attack against Lithuanian state and private websites, which reportedly was in response to Vilnius’s decision to cease the transit of some goods under European Union sanctions to Russia’s Kaliningrad exclave.

Many have speculated that Jim Watkins and/or his son Ron are in fact “Q,” the anonymous persona behind the QAnon conspiracy theory, which held that Former President Trump was secretly working to save the world from a satanic cult of pedophiles and cannibals.

8chan/8kun has been linked to white supremacism, neo-Nazism, antisemitism, multiple mass shootings, and is known for hosting child pornography. After three mass shootings in 2019 revealed the perpetrators had spread their manifestos on 8chan and even streamed their killings live there, 8chan was ostracized by one Internet provider after another.

In 2019, the FBI identified QAnon as a potential domestic terror threat, noting that some of its followers have been linked to violent incidents motivated by fringe beliefs.

The Jan. 6 hearing referenced in this story is available via CSPAN.

Microsoft Patch Tuesday, July 2022 Edition

July 12, 2022

Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.

In February, security experts hailed Microsoft’s decision to block VBA macros in all documents downloaded from the Internet. The company said it would roll out the changes in stages between April and June 2022.

Macros have long been a trusted way for cybercrooks to trick people into running malicious code. Microsoft Office by default warns users that enabling macros in untrusted documents is a security risk, but those warnings can be easily disabled with the click of button. Under Microsoft’s plan, the new warnings provided no such way to enable the macros.

As Ars Technica veteran reporter Dan Goodin put it, “security professionals—some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity—cheered the change.”

But last week, Microsoft abruptly changed course. As first reported by BleepingComputer, Redmond said it would roll back the changes based on feedback from users.

“While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros,” Bleeping’s Sergiu Gatlan wrote.

Microsoft later said the decision to roll back turning off macros by default was temporary, although it has not indicated when this important change might be made for good.

The zero-day Windows vulnerability already seeing active attacks is CVE-2022-22047, which is an elevation of privilege vulnerability in all supported versions of Windows. Trend Micro’s Zero Day Initiative notes that while this bug is listed as being under active attack, there’s no information from Microsoft on where or how widely it is being exploited.

“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” ZDI’s Dustin Childs wrote. “Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default.” Continue reading