Carding
American researchers have once again turned their attention to the popular SocksEscort proxy service. Past attempts to deanonymize its creators came to nothing, but this time independent information security journalist Brian Krebs managed to get a little further.
The immediate trigger for the investigation was the discovery of a Linux-based remote access Trojan called AVrecon, which is used to recruit new devices, mostly routers, into the botnet. According to cybersecurity experts, the creators of SocksEscort are behind this network of 10,000 devices around the world.
“SocksEscort started in 2009 as super-socks[.]com, a Russian-language service that sold access to thousands of hacked computers that could be used to proxy traffic. The service was promoted on darknet sites by a person with the nicknames SSC and super-socks, as well as the email address michvatt@gmail.com,” Krebs wrote.
According to DomainTools.com, a very similar email address, michdomain@gmail.com, was used to register SocksEscort[.]com, super-socks[.]com, and several other proxy-related domains. According to Intel 471, the nickname SSC first appeared in 2009 in the Russian-speaking hacker community Antichat, where its owner asked the community to help check the security of myiptest[.]com, a site he said he owned. That service told users whether their proxy address appeared on any security or anti-spam blocklists.
Myiptest[.]com has long been offline; however, a cached copy shows that its HTML contained the Google Analytics code US-2665744, which was also used on a good dozen other portals, all of them offering services similar to those of myiptest[.]com. One of these domains is sscompany[.]net, the site of an organization that maintains servers and markets outsourced server administration.
Leaked logs from the hacked Antichat forum show that SSC registered from the IP address 71.229.207.214. The same address was also used by the Deem3n® account, which was active between 2005 and 2009. A user with exactly the same nickname existed on the Searchengines.guru webmaster forum; his signature stated that he ran a popular community of programmers in Moldova called sysadmin[.]md and worked as a system administrator at sscompany[.]net.
Curiously, this same Google Analytics code is now on the home pages of wiremo[.]co and a VPN provider called HideIPVPN[.]com. Wiremo sells software and services to help site owners better manage customer reviews. The Wiremo contact page lists Server Management LLC in Wilmington, Delaware as the parent company. This company is listed in the App Store as the owner of HideIPVPN.
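The pivot that ties myiptest[.]com to the other portals, and later to wiremo[.]co and HideIPVPN[.]com, is a shared web-analytics identifier: sites that embed the same tracking ID are usually administered by the same party. The following script is an added illustration of that attribution technique, not code from Krebs or from the original post. It extracts Google Analytics and Tag Manager IDs from page sources and reports every ID that appears on two or more domains. The domains, HTML and tracker IDs below are constructed placeholders, not the values named in the article.

```python
"""Group domains by the web-analytics tracking IDs embedded in their HTML.

Added example: feed it the HTML captured (or cached) for a set of domains and
it returns the tracker IDs that link two or more of them, i.e. the pivots an
analyst would follow up on.
"""
import re
from collections import defaultdict

# Universal Analytics "UA-1234567-1", GA4 "G-ABC123XYZ4", Tag Manager "GTM-ABC123".
TRACKER_RE = re.compile(
    r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{4,10})\b"
)


def extract_tracker_ids(html: str) -> set[str]:
    """Return every analytics / tag-manager ID found in one page's source."""
    return set(TRACKER_RE.findall(html))


def cluster_by_tracker(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each tracker ID to the set of domains whose HTML contains it."""
    index: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for tracker_id in extract_tracker_ids(html):
            index[tracker_id].add(domain)
    return dict(index)


def shared_infrastructure(pages: dict[str, str]) -> dict[str, set[str]]:
    """Keep only the IDs that link two or more distinct domains."""
    return {
        tracker_id: domains
        for tracker_id, domains in cluster_by_tracker(pages).items()
        if len(domains) >= 2
    }


# Constructed sample pages. Domains and IDs are placeholders chosen for the
# demonstration; they are not the sites or the analytics code from the article.
SAMPLE_PAGES = {
    "proxy-check.example": """<html><head>
      <script>ga('create', 'UA-1111111-1', 'auto');</script>
    </head><body>Is your proxy on a blocklist?</body></html>""",
    "hosting-co.example": """<script async
      src="https://www.googletagmanager.com/gtag/js?id=UA-1111111-1"></script>
      <script>gtag('config', 'UA-1111111-1');</script>""",
    "reviews-tool.example": (
        "<script>gtag('config', 'G-ABCDEF1234');</script>\n"
        "<script>ga('create', 'UA-1111111-1', 'auto');</script>"
    ),
    "unrelated.example": "<script>gtag('config', 'G-ZZZZZZ9999');</script>",
    "no-analytics.example": "<html><body>static page</body></html>",
}


if __name__ == "__main__":
    for tracker_id, domains in sorted(shared_infrastructure(SAMPLE_PAGES).items()):
        print(f"{tracker_id}: {', '.join(sorted(domains))}")
```

A shared ID is a lead, not proof: agencies and white-label platforms also reuse tracking codes across unrelated clients, so each cluster still has to be corroborated with registration data, hosting history or content overlap, as the article does with DomainTools and the Antichat logs.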
When asked about the company's apparent connection with SocksEscort, Wiremo replied that it did not control that domain and that none of its team was connected to the proxy service. Nevertheless, the evidence suggests that the company's owner began his journey in Moldova and may now be continuing it in the United States.