March 20, 2013 By Dancho Danchev

Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 2004

On the majority of occasions, cybercriminals will take basic OPSEC (Operational Security) precautions when using the Internet, in an attempt to make it harder for law enforcement to keep track of their fraudulent activities. Over the years, these techniques have greatly evolved to include hybrid online anonymity solutions offered exclusively to cybercriminals internationally.

In this post, I’ll profile a cybercrime-friendly service that’s been offering hacked PCs to be converted into “anonymization stepping-stones” since 2004.

More details:


The service offers a self-serve DIY Web interface that allows cybercriminals looking for ways to hide their online activities not only to gain access to malware-infected hosts internationally, but also to “chain” multiple hosts in an attempt to make it even harder for law enforcement to track them down. According to its description, 4000 new “Socks4/5 proxy servers” are added to the service on a daily basis. To make the service even easier to use, it also ships custom-coded Proxy Management Software that handles the interaction with the service on the customer's behalf.

Sample screenshot of the DIY Web interface:


Sample screenshot of the service-branded Proxy Management Software:


The service allows cybercriminals to easily “autochange” the proxies in use, and automatically rotate them in an attempt to make their activities nearly impossible to trace.
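As an added illustration (not code from the original post or from the service described), here is the check a defender could run over the first bytes of a host's inbound connections: a machine that has been turned into one of these SOCKS4/5 “stepping-stones” will start receiving SOCKS4, SOCKS4a or SOCKS5 client handshakes that an ordinary workstation never sees. The sample byte strings and names are constructed for the example.

```python
import struct
from typing import Optional

# Constructed sample connection prefixes: the first bytes a client sends after
# connecting. A normal workstation never receives SOCKS handshakes; one sold as
# a "SOCKS4/5 stepping-stone" does.
SAMPLES = {
    "socks4_connect": b"\x04\x01\x00\x50\xc0\xa8\x01\x0aproxyuser\x00",
    "socks4a_connect": b"\x04\x01\x01\xbb\x00\x00\x00\x01\x00example.invalid\x00",
    "socks5_greeting": b"\x05\x02\x00\x02",
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

def classify_socks_handshake(data: bytes) -> Optional[dict]:
    """Return a dict describing a SOCKS4/4a/5 client handshake, else None."""
    if len(data) >= 2 and data[0] == 5:          # SOCKS5 method negotiation
        nmethods = data[1]
        if len(data) < 2 + nmethods:             # truncated greeting
            return None
        return {"version": 5, "auth_methods": list(data[2:2 + nmethods])}
    if len(data) >= 9 and data[0] == 4 and data[1] in (1, 2):  # SOCKS4 CONNECT/BIND
        port = struct.unpack("!H", data[2:4])[0]
        ip = data[4:8]
        uid_end = data.find(b"\x00", 8)          # USERID is NUL-terminated
        if uid_end == -1:
            return None
        info = {"version": 4, "command": "CONNECT" if data[1] == 1 else "BIND",
                "port": port, "userid": data[8:uid_end].decode("ascii", "replace")}
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            # SOCKS4a: IP 0.0.0.x means a NUL-terminated hostname follows USERID
            host_end = data.find(b"\x00", uid_end + 1)
            if host_end == -1:
                return None
            info["dest"] = data[uid_end + 1:host_end].decode("ascii", "replace")
            info["socks4a"] = True
        else:
            info["dest"] = ".".join(str(b) for b in ip)
        return info
    return None

def stepping_stone_alerts(conns: dict) -> list:
    """Names of inbound connections that open with a SOCKS handshake."""
    return sorted(name for name, data in conns.items()
                  if classify_socks_handshake(data) is not None)

if __name__ == "__main__":
    for name in stepping_stone_alerts(SAMPLES):
        print(f"ALERT inbound SOCKS handshake: {name} {classify_socks_handshake(SAMPLES[name])}")
```

Any hit on a host that is not a sanctioned proxy is worth an investigation, since it means someone is already relaying traffic through that machine.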

Sample screenshot of a connected Socks 4/5 proxy in action:


Sample statistics of malware-infected hosts internationally, to be used as “anonymization stepping-stones”:


Sample geolocated malware-infected hosts, courtesy of the cybercrime-friendly service:


The prices are as follows:

  • 150 proxies per month – $25
  • 300 proxies per month – $40
  • 600 proxies per month – $50
  • 900 proxies per month – $65
  • 1500 proxies per month – $95

We’ll continue monitoring the development of this service, and post updates as soon as new developments emerge.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
