
Authorities have disrupted a massive cybercrime platform, SocksEscort, which quietly hijacked 369,000 WiFi routers and other devices, and helped hackers hide their malicious traffic behind residential IP addresses. People were often unaware that their IPs were being used for cybercrime.
SocksEscort marketed itself as a residential proxy network, offering access to ordinary home internet connections.
The platform offered “static residential IPs with unlimited bandwidth” and sold packages ranging from $15 a month for 30 household IP connections to $200 a month for access to 5,000 proxies.
The US Department of Justice (DoJ) announced that law enforcement in eight countries collaborated to dismantle SocksEscort. The residential proxy network was “used to exploit thousands of residential routers worldwide and commit large-scale fraud.”
The authorities seized 34 domains and 23 servers in seven countries, while the US froze a total of $3.5 million in cryptocurrency.
“The infected modems used to offer the proxy service have been disconnected from the service,” Europol said.
The network routed malicious traffic mostly through compromised WiFi routers. The platform used AVrecon malware to target around 1,200 different device models, most of which were older or unpatched devices manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.
In total, SocksEscort is believed to have compromised and sold access to approximately 369,000 devices since 2020.
“Cybercriminals used the access they purchased on SocksEscort to conceal their true originating IP addresses and locations, which furthered frauds like takeovers of US bank and cryptocurrency accounts and fraudulent unemployment insurance claims,” the DoJ explained in a press release.
Before the takedown operation, SocksEscort offered access to approximately 8,000 routers, 2,500 of which were in the United States.
Millions in losses
The criminal service platform allegedly furthered financial scams, helping cybercriminals to hijack bank and cryptocurrency accounts, or file fraudulent unemployment insurance claims.
“These frauds cost Americans millions of dollars,” the DoJ said in a press release.
The examples the DoJ provided include a customer of a cryptocurrency exchange in New York who was defrauded of $1 million in cryptocurrency, a manufacturing company in Pennsylvania that lost $700,000, and US service members with MILITARY STAR cards who were defrauded of $100,000.
Authorities estimate that the SocksEscort service collected more than €5 million ($5.72 million) from customers of the proxy services. The platform relied on anonymous cryptocurrency payments to sell its plans.
“Cybercrime thrives on anonymity. Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks, distribute illegal content, and evade detection. By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale,” said Catherine De Bolle, Executive Director at Europol.
SocksEscort's botnet of infected devices was also used to facilitate ransomware and DDoS attacks, distribute child sexual abuse material (CSAM), and commit other crimes.
How to protect your router?
Attackers targeted routers that no longer receive regular security updates and are exposed to known but unpatched vulnerabilities. The AVrecon malware primarily infects routers and IoT devices that lack antivirus (AV), Endpoint Detection and Response (EDR), or other security software.
“Threat actors are aware of these vulnerabilities and exploit them to install malware, gain control of the device, and sell access to them as residential proxies,” the FBI said in a flash advisory, detailing indicators of compromise and recommendations.
The FBI urges users to keep all operating systems, software, and firmware up to date, especially when the systems are exposed to the open internet, such as small-office/home-office (SOHO) routers. Many of these devices do not apply security or critical updates automatically.
“If a device is considered end-of-life by its manufacturer and is no longer supported, consider replacing the device with a model that is still receiving security updates,” the FBI recommends.
“Ensure that features such as remote administration are disabled or consider using Access Control Lists or firewall rules to restrict access to exposed ports and services.”
Logs and network monitoring tools might help identify suspicious network traffic from malicious IPs.
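The two checks the advisory recommends, spotting remote administration that is still reachable from the WAN and spotting traffic to or from known-bad addresses, can be automated over the router's own firewall logs. The script below is an added example, not code from the article or from the FBI advisory. It assumes netfilter/iptables-style kernel log lines, an assumed WAN interface name of `eth0`, an assumed set of management ports, and a constructed blocklist of placeholder IPs (RFC 5737 documentation addresses, not real indicators of compromise). The sample log lines are constructed as well.

```python
"""Flag two botnet-relevant signs in router firewall logs (added example).

1. Connections arriving on the WAN interface and terminating on the router's
   own management ports: remote administration is still exposed.
2. Any traffic whose source or destination is on a threat-intel blocklist,
   including port-less lines such as ICMP.

Log format, interface name, port set and blocklist are assumptions for this
example; a real deployment would feed in syslog exports and the indicator
list from the FBI flash advisory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WAN_IF = "eth0"  # assumed WAN-facing interface name
# Ports commonly used by router admin interfaces (assumption for the example).
MANAGEMENT_PORTS = {22, 23, 80, 443, 8080, 8443}
# Constructed blocklist: RFC 5737 placeholder addresses, not real IoCs.
BLOCKLIST = {"203.0.113.45", "198.51.100.7"}

# Matches the fields of a netfilter LOG line; SPT/DPT are optional so that
# ICMP lines (no ports) still match and still get the blocklist check.
LOG_RE = re.compile(
    r"IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


@dataclass
class Finding:
    line_no: int
    reason: str
    src: str
    dst: str
    dpt: Optional[int]


def analyse(lines: List[str]) -> List[Finding]:
    """Return one Finding per matched check, in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall log line we understand
        dpt = int(m["dpt"]) if m["dpt"] else None
        src, dst = m["src"], m["dst"]
        # INPUT-chain style line: came in on WAN, no OUT interface (router itself).
        if m["in_if"] == WAN_IF and m["out_if"] == "" and dpt in MANAGEMENT_PORTS:
            findings.append(Finding(n, "exposed-management-port", src, dst, dpt))
        if src in BLOCKLIST or dst in BLOCKLIST:
            findings.append(Finding(n, "blocklisted-ip", src, dst, dpt))
    return findings


# Constructed sample log lines (not captured from any real device).
SAMPLE_LOGS = [
    # Internet host reaching the router's web admin on the WAN side.
    "Mar 11 02:14:07 router kernel: IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.7 "
    "DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51512 DPT=80 SYN",
    # Benign LAN client browsing out to the internet.
    "Mar 11 02:14:08 router kernel: IN=br0 OUT=eth0 SRC=192.168.1.20 "
    "DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44322 DPT=443 SYN",
    # LAN device calling out to a blocklisted host (possible proxy beacon).
    "Mar 11 02:14:09 router kernel: IN=br0 OUT=eth0 SRC=192.168.1.31 "
    "DST=203.0.113.45 LEN=60 PROTO=TCP SPT=40011 DPT=8443 SYN",
    # ICMP from a blocklisted host: no ports, but still worth flagging.
    "Mar 11 02:14:10 router kernel: IN=eth0 OUT= SRC=198.51.100.7 "
    "DST=203.0.113.9 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        port = f.dpt if f.dpt is not None else "-"
        print(f"line {f.line_no}: {f.reason} {f.src} -> {f.dst} dpt={port}")
```

An exposed-management-port finding is the cue to disable remote administration or add the firewall rule the advisory mentions; a blocklisted-ip finding on outbound traffic from a LAN device is the stronger signal, since it points at a device that may already be enrolled in a proxy network.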
The FBI also listed the top devices abused by SocksEscort’s botnet. These include DIR-818LW, DIR-850L, and DIR-860L wireless routers from D-Link, two models of Hikvision IP cameras, Netgear DGN2200v4 and R7000 routers, TP-Link’s Archer C20, TL-WR840N, TL-WR849N, WR841N, as well as 9 router models from Zyxel, including VMG3925-B10A and VMG3925-B10C.
Many such routers are deployed by internet service providers.
Despite the disruption of SocksEscort, vulnerable routers remain attractive targets for cybercriminals running other botnets.
“Many individuals do not realize their internet connection could be used by someone else without their permission. Residential proxies obtain residential IP addresses from devices in two ways: The owner of the device provides consent, or the owner of the device does not provide consent and is unaware their IP address is being used,” the FBI said.
How can you end up in a botnet?
Direct malware attacks are just one way cybercriminals can gain access to your home network. The FBI warns that many devices end up powering residential proxy networks after the owners install supposedly free apps.
Free VPN services often have hidden terms of service that enroll user devices in a residential proxy network without their permission.
Some devices, often cheap, off-brand knockoffs from China, also come preinstalled with malware.
“Criminals gain unauthorized access to home networks through compromised IoT devices, such as TV streaming devices, digital projectors or picture frames, aftermarket vehicle infotainment systems, and other products connected to the internet. Criminals configure the device with malicious software prior to it being purchased or infect the device with a backdoor while it downloads required applications,” the FBI said.
Proxy services also convince people to download apps that promise to pay them for their internet bandwidth.
The FBI urges users to avoid any streaming devices claiming to provide “free” sports, TV shows, or movies; to refrain from downloading pirated software, as it often includes hidden malware that turns devices into proxies; and to exercise caution before downloading free VPN applications.