Cops from eight countries this week disrupted SocksEscort, a residential proxy service used by criminals to compromise hundreds of thousands of routers worldwide and carry out digital fraud, costing businesses and consumers millions.
"SocksEscort is responsible for tens of millions of dollars in losses due to the activity and utilizing ransomware, ad fraud, account takeovers, identity theft, business email compromises, romance scams, and password spraying, among many others," FBI Deputy Assistant Director Jason Bilnoski told The Register in an exclusive interview.
On Wednesday, the FBI and law enforcement agencies from Austria, France, and the Netherlands seized 34 domains and 23 servers across seven countries as part of Operation Lightning. The US also froze about $3.5 million in cryptocurrency linked to SocksEscort. Private-sector organizations - Lumen's Black Lotus Labs and the Shadowserver Foundation - participated in the takedown.
"The servers that we seized through our law enforcement operation will most definitely lead us to additional evidence that will allow us to pursue further criminal activity," Bilnoski said, adding that the FBI and friends continue to investigate downstream criminals who used SocksEscort's proxy network. "We know the customer base of SocksEscort had approximately 124,000 users."
These types of proxy services hack residential routers and small business devices, and then sell access to the compromised machines for large-scale fraud and digital crimes.
Using compromised routers allows miscreants to mask their true online location - and their criminal activities - by making their traffic appear to originate from a legitimate home or small-business user.
SocksEscort infected home and small business internet routers with a botnet called AVRecon. The malware allows criminals to remotely control the infected device, and direct internet traffic through the compromised routers.
Since the summer of 2020, SocksEscort has sold access to about 369,000 different IP addresses, according to the US Justice Department. As of last month, the criminal network was offering its customers access to about 8,000 infected routers; 2,500 of those were in the US.
Some of the victims include a customer of a cryptocurrency exchange who lived in New York and was defrauded of $1 million worth of cryptocurrency, a Pennsylvania manufacturing business defrauded of $700,000, and current and former US service members with Military Star cards who were defrauded out of $100,000.
Lumen's Black Lotus Labs in 2023 called AVRecon "one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history."
"The proliferation of these illicit residential proxies in recent years, such as SocksEscort, represents a formative challenge for our government and private-sector partners," Bilnoski said. "Operations such as this one have a widespread and positive impact on the financial institutions, internet service providers, as well as individuals and small businesses."
To combat ongoing cyberthreats such as proxy services, the FBI last month launched Operation Winter Shield with 10 key defensive measures that organizations can take to improve their security posture. One of these - track and retire end-of-life tech on a defined schedule - is especially important to mitigate the risk of outdated routers being turned into residential proxy networks. ®
Source: The Register