The Internet underground is in the middle of something of a supply chain crisis, following the recent loss of several well-known "proxy" services that let cybercriminals route their malicious traffic through compromised PCs. Compounding the problem, a few of the malware-based proxy services still in operation have stopped accepting new registrations to avoid overwhelming their networks with an unexpected flood of users.
A seven-year-old proxy business called 911[.]re abruptly announced last week that it was permanently closing after an unidentified hacker managed to destroy its servers, delete user data and wipe its backups. 911 was already regarded by many in the cybercriminal ecosystem as critical infrastructure, since its two main rivals, VIP72 and LuxSocks, had closed or been shut down by authorities during the previous 10 months.
Underground cybercrime forums are suddenly flooded with people frantically looking for a new supplier of plentiful, affordable and reliably clean proxies so they can get their operations running again. Plenty of smaller proxy services remain, but the general perception seems to be that those days are past and that few of them can meet the present demand on their own.
One of the many "911 alternative" discussion threads received a reply from a BlackHatForums user on August 1 that said, "Everybody is looking for an alternative, bro. No one is aware of a comparable substitute for 911.re. Their service was superior to other proxy providers in terms of value and accessibility. I hope someone comes up with a fantastic 911 alternative."
NEW SOCKS, SAME OLD SHOES
SocksEscort[.]com, a malware-based proxy network that has existed since at least 2010, is one of the more frequently suggested alternatives to 911. Here is a screenshot of part of their current homepage:
But in the wake of 911's collapse, SocksEscort became one of the latest veteran proxy services to close its doors to new registrants, replacing its registration page with this notice:
"We have to block all new registrations due to unusually strong demand and significant load on our servers. Otherwise, we won't be able to support our proxies, and we'll have to shut down SocksEscort. Once demand decreases, we will start accepting registrations again. I apologize for the inconvenience and appreciate your understanding."
SocksEscort is a malware-based proxy service, meaning the machines that relay traffic for SocksEscort customers have been infected with malicious software that turns them into proxy zombies, according to Spur.us, a company that tracks proxy services.
According to Spur, SocksEscort's proxy software targets Windows computers, and the service currently rents out access to more than 14,000 compromised systems around the world. That is a far smaller inventory than 911's, which just a few days ago offered more than 200,000 IP addresses for rent.
SocksEscort is a SOCKS proxy service. SOCKS (or its current version, SOCKS5) is a protocol that lets a client route its Internet traffic through a proxy server, which opens the connection to the destination on the client's behalf and forwards data in both directions. From a website's point of view, the traffic does not appear to come from the proxy service customer at all, but from a rented, malware-infected PC sitting on a residential ISP connection.
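To make the exchange above concrete, here is a minimal SOCKS5 (RFC 1928) CONNECT handshake worked in memory, with both the client's and the proxy's messages encoded and decoded. This is an added example written for this page; it is not code from SocksEscort, Spur or the original article. The bind address the "proxy" answers with (192.0.2.10:40000, from the TEST-NET-1 documentation range) and the `allow` ruleset hook are constructed for illustration. The point worth noticing is the domain-name address type (0x03): when the client sends a hostname rather than an IP, the proxy (here, the infected PC) performs the DNS lookup, so the destination sees neither the customer's IP nor the customer's resolver.

```python
"""Minimal SOCKS5 CONNECT handshake (RFC 1928), both sides simulated in memory.

Added example for illustration; not the proxy service's own software.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00            # "no authentication required" method
NO_ACCEPTABLE = 0xFF      # server found none of the offered methods acceptable
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07
REPLY_NAMES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def _encode_addr(host: str) -> bytes:
    """ATYP + address. Literal IPs are packed; anything else is sent as a name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5 domain field")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw   # proxy will resolve this name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def _decode_addr(buf: bytes, off: int):
    """Parse ATYP + address + port starting at buf[off]; return (host, port, end)."""
    if off >= len(buf):
        raise ValueError("truncated address")
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(buf[off + 1:off + 5])), off + 5
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(buf[off + 1:off + 17])), off + 17
    elif atyp == ATYP_DOMAIN:
        n = buf[off + 1]
        host, off = buf[off + 2:off + 2 + n].decode("ascii"), off + 2 + n
    else:
        raise ValueError(f"unsupported address type {atyp:#x}")
    if off + 2 > len(buf):
        raise ValueError("truncated port")
    return host, struct.unpack("!H", buf[off:off + 2])[0], off + 2


# ---- client side ---------------------------------------------------------
def client_greeting(methods=(NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS..."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def client_connect_request(host: str, port: int) -> bytes:
    """VER | CMD=CONNECT | RSV | ATYP | DST.ADDR | DST.PORT"""
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def parse_reply(rep: bytes) -> dict:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> dict"""
    if len(rep) < 4 or rep[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    host, port, _ = _decode_addr(rep, 3)
    return {"rep": rep[1], "status": REPLY_NAMES.get(rep[1], "unknown"),
            "bind_host": host, "bind_port": port}


# ---- proxy side ----------------------------------------------------------
def server_select_method(greeting: bytes) -> bytes:
    """Pick NO_AUTH if the client offered it, else signal no acceptable method."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + greeting[1]]
    if len(methods) != greeting[1]:
        raise ValueError("truncated greeting")
    return bytes([SOCKS_VERSION, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def parse_request(req: bytes):
    """Return (cmd, destination host, destination port) from a client request."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    host, port, end = _decode_addr(req, 3)
    if end != len(req):
        raise ValueError("trailing bytes after request")
    return req[1], host, port


def server_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    return bytes([SOCKS_VERSION, rep, 0x00]) + _encode_addr(bind_host) + struct.pack("!H", bind_port)


def simulate_connect(host: str, port: int, allow=lambda h, p: True) -> dict:
    """Run the full exchange in memory and return the client's parsed reply.

    `allow` stands in for the proxy's ruleset (constructed for the example).
    """
    selection = server_select_method(client_greeting())          # client -> proxy -> client
    if selection[1] == NO_ACCEPTABLE:
        raise RuntimeError("proxy rejected every offered auth method")
    cmd, dst_host, dst_port = parse_request(client_connect_request(host, port))
    if cmd != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    elif not allow(dst_host, dst_port):
        rep = REP_NOT_ALLOWED
    else:
        rep = REP_SUCCESS   # a real proxy would connect to dst_host:dst_port here
    # Bind address is a constructed TEST-NET-1 value standing in for the zombie's socket.
    return parse_reply(server_reply(rep, "192.0.2.10", 40000))


if __name__ == "__main__":
    print(simulate_connect("example.com", 443))
```

The domain-name form is what makes these services attractive for abuse: the customer never resolves the target, and the destination only ever sees the residential IP and resolver of the infected host.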
Although such services have legitimate business uses, such as price comparison or sales intelligence, they are widely abused to conceal criminal activity because they make it hard to trace malicious traffic back to its true source.
The outage at 911[.]re came a few days after KrebsOnSecurity published a detailed analysis of the popular proxy service. That analysis showed that 911 had a history of encouraging the installation of its proxy software without users' knowledge or consent, and that it even ran some of these "pay-per-install" schemes itself to ensure a steady supply of newly infected PCs.
That story also showed once again that the people who build and rent out these botnets are remarkably easy to identify in the real world, which is striking given that they run malware-based anonymity businesses that facilitate a great deal of illicit activity.
So it was again with SocksEscort. Funnily enough, what revealed the real identities of the people behind this SOCKS service was that they all worked for the same online shoe business.
According to DomainTools.com, the email address "email@example.com" was used to register a number of related domains, including SocksEscort[.]com's earlier incarnation, super-socks[.]biz. Cached versions of that site indicate that in 2010 the software powering the network was built by "Escort Software."
Around the same time that super-socks[.]biz went online, so did ip-score[.]com, which quickly became shorthand on several cybercrime forums for a service that could tell visitors whether their Internet address, or more specifically the proxy they were using, had been flagged by any security software or service as compromised or malicious. That domain was also registered to the "michdomain" email address.
IP-score offered a revenue-sharing program for websites that chose to embed its IP-scoring code, and the copyright notice on that embeddable "userbar" code read "Angry Coders."
An analysis of the IP addresses historically used by super-socks[.]biz and SocksEscort[.]com shows that over the years they have shared hosting with a few other domains, including angrycoders[.]net, iskusnyh[.]pro and kc-shoes[.]ru.
A search on that domain turns up several now-dormant listings for an Angry Coders organization based in Omsk, a major city in Siberia. Cached copies of angrycoders[.]net from the Wayback Machine reveal nothing about this particular group of disgruntled programmers. The domain was registered in 2010 by Oleg Iskushnykh, a resident of Omsk, using the email address firstname.lastname@example.org.
According to Constella Intelligence, which is currently an advertiser on KrebsOnSecurity, Oleg reused the password from his email@example.com account across a number of other "iboss"-themed email addresses. One of those addresses is tied to a LinkedIn profile for an Oleg Iskhusnyh, who describes himself as a senior web developer living in Nur-Sultan, Kazakhstan.
According to his GitHub page, Iskusnyh has contributed code to a number of online-payment technologies and services, including Ingenico ePayments, Swedbank WooCommerce, Mondido Payments and Reepay.
DON’T JUDGE A MAN UNTIL YOU’VE WALKED A MILE IN HIS SOCKS
The numerous "iboss" email addresses appear to have been shared by more than one person. Searching Constella's database of breached records for "firstname.lastname@example.org" shows that someone using the name Oleg Iskusnyh created an online profile with a phone number in the Bronx, New York. That same phone number (17187154415) appears on a profile with the first name "Dmitry" and the email address email@example.com that was exposed in the breach at the sales intelligence firm Apollo.
That email address is linked to a LinkedIn profile for a Dmitry Chepurko from Pavlodar, Kazakhstan. In his résumé, Chepurko describes himself as a full stack engineer who most recently worked at the Omsk offices of the German shoe manufacturer KC Shoes (the kc-shoes.ru mentioned above). Before that, his résumé says, he spent ten years freelancing through the website Upwork.
Chepurko's LinkedIn résumé links to an inactive Upwork profile. But that same now-defunct Upwork account link is still displayed as the profile of a "Dmitry C." on an Upwork profile page for the Angry Coders team in Omsk, Russia.
That the Angry Coders behind SocksEscort have a shoe company in common is doubly amusing because, at least judging from posts on some cybercrime forums, "shoe botting" or "sneaker bots" are a major reason people use these proxy services: automated bot services and programs that help snap up highly sought-after, limited-edition designer athletic shoes the moment they go on sale, so they can be resold at exorbitant markups on secondary markets.
None of the Angry Coders team members responded to requests for comment, so it is unclear whether they still work on SocksEscort. The research described above turned up links suggesting the Angry Coders outsourced much of the marketing and customer support for their proxy service to programmers based in India and Indonesia, where a large portion of its current customers reportedly reside.