Joint international law enforcement measures have shut down two services accused of providing botnets of hacked internet-connected devices, including routers, to cybercriminals. US prosecutors also charged four people who were accused of hacking devices and running botnets.
On Wednesday, the AnyProxy and 5Socks websites were replaced by a notice that said they had been seized by the FBI as part of a law enforcement operation called “Operation Moonlander.” The notice said the law enforcement action was carried out by the FBI, the Dutch National Police (Politics), the U.S. Attorney’s Office for the Northern District of Oklahoma, and the U.S. Department of Justice.
Then on Friday, US prosecutors announced the dismantling of the botnet and indicting three Russians. Dmitrii Rabtsov, a Kazakh national. The four have been accused of making money from running a proxy and five socks by pretending to provide a legal proxy service, but prosecutors say it was built on a hacked router.
Chartkov, Morozov, Lovesoif and Shishkin, all living outside the United States, have targeted older models of wireless internet routers that know the vulnerability, and have compromised “thousands” of such devices, according to current accusations.
Controlling these routers, four individuals sold access to the proxies and 5Socks botnets, which have been active since 2004, according to the website and charging authorities.
A residential proxy network is not illegal in itself. These products are often used to provide customers with IP addresses to access geoblocked content and bypass government censorship. However, according to the Justice Department, by infecting thousands of vulnerable internet-connected devices and turning them into botnets used by cybercriminals, the proxy and 5sock have allegedly built a network of proxy (made up of residential IP addresses).
“This way, the internet traffic of botnet subscribers appeared to come from the IP address assigned to the compromised device, not the IP address assigned to the device the subscribers were actually using to carry out online activity,” read the indictment.
TechCrunch Events
Berkeley, California
|
June 5th
Book now
“The co-conspirators playing through 5Socks have published AnyProxy Botnet as a residential proxy service on social media and online discussion forums, including the Cybercrime Forum,” the indictment added. “Such housing proxy services are particularly useful for criminal hackers to provide anonymity when committing cybercrimes. Homes opposed to commercial IP addresses are generally assumed to be highly likely to be legal traffic by Internet security services.”
According to a press release from DOJ, the four are believed to have made more than $46 million from selling access to the botnet.
The FBI, DOJ and the Dutch National Police did not respond to requests for comment.
Ryan English, a researcher at Black Lotus Labs, told TechCrunch ahead of the domain attack that two services are being used for several types of abuse, including password spraying, launching distributed denial of service (DDO) attacks and AD scams.
On Friday, Black Lotus Labs, a team of researchers housed at cybersecurity firm Lumen, released a report that it helped authorities track the proxy network. As Black Lotus explained in its report, the botnet was “designed to provide anonymity online to malicious actors.”
English is confident that he and his colleagues are confident that every proxy and 5Sock are “a pool of the same proxies run by the same operator and run under a different name,” and that “the majority of botnets are end-making makers and models of all kinds.”
According to the report, based on Lumen’s global network visibility, the botnet had an “average 1,000 weeks of active proxy in over 80 countries.”
Spur, a company that tracks proxy services over the internet, is also working on operations. Riley Kilmer, co-founder of Spur, told TechCrunch that 5Socks is one of the small criminal networks the company tracks, but the network “has gained popularity in financial fraud.”