American researchers have again turned their attention to the popular proxy service SocksEscort. Past attempts to deanonymize its creators came to nothing, but this time independent information security journalist Brian Krebs managed to get a little further.
The formal reason for the investigation was the discovery of a Linux-based remote access Trojan called AVrecon. With its help, the army of botnet devices, consisting mainly of routers, is replenished. According to cybersecurity experts, the creators of SocksEscort are behind a network of 10,000 devices around the world.
"SocksEscort started in 2009 as super-socks[.]com, a Russian-language service that sold access to thousands of hacked computers that could be used for proxy traffic. The service was promoted on darknet platforms by a person with the nicknames SSC and super-socks, as well as the email address michvatt@gmail.com," Krebs wrote.
According to DomainTools.com, a very similar email address, michdomain@gmail.com, was used to register SocksEscort[.]com, super-socks[.]com and several other domains associated with the proxy. According to Intel 471, the nickname SSC first appeared in 2009 in the Russian-speaking hacker community Antichat. There, its owner asked the community for help in checking the security of the myiptest[.]com site, which was owned by the author of the post. This resource informed users whether their proxy address was included in any security or anti-spam lists.
Myiptest[.]com has been disabled for a long time, but thanks to a cached copy it was possible to find out that the Google Analytics code US-2665744 was present in its HTML, and that the same code was also used on a good dozen other portals. All of them provided services similar to those of myiptest[.]com. One of these domains is sscompany[.]net, the website of an organization that supports servers and promotes outsourcing solutions for their administration.
From the leaked logs of the hacked Antichat forum, we can find out that SSC was registered using the IP address 71.229.207.214. It was also used for the Deem3n® account, which was active between 2005 and 2009. On the Searchengines[.]guru webmaster forum there was a user with the exact same nickname. His signature stated that he runs a popular community of programmers in Moldova called sysadmin[.]md and works as a system administrator at sscompany[.]net.
Curiously, the same Google Analytics code is now present on the home pages of wiremo[.]co and of a VPN provider called HideIPVPN[.]com. Wiremo sells software and services that help site owners better manage customer reviews. The feedback page on the Wiremo website lists Server Management LLC in Wilmington, Delaware as the parent company. This same company is listed in the App Store as the owner of HideIPVPN.
When asked about the company's apparent connection with SocksEscort, Wiremo said that they do not control this domain and that none of the team has anything to do with the proxy service. Nevertheless, it can be concluded that the owner of the company started his career in Moldova and may be continuing it in the United States.
• Source: https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort/
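The pivot described above (a shared Google Analytics tracking code linking otherwise unrelated domains, plus defanged indicators such as "sscompany[.]net") is a standard attribution step in infrastructure analysis. The following Python is an added example, not part of the post or of Krebs's article: it extracts Universal Analytics and GA4 property IDs from saved HTML, clusters domains that share the same analytics account, and normalises defanged indicators. All domains, page contents and the tracking ID used here are constructed for illustration and are not the identifiers from the investigation.

```python
import re
from collections import defaultdict

# Constructed sample pages: hypothetical domains and a made-up tracking
# account (not the ID from the article). In practice the HTML would come
# from archived/cached copies of each site's landing page.
SAMPLE_PAGES = {
    "proxy-check.example": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-1234567-1"></script>
<script>gtag('config', 'UA-1234567-1');</script></head><body>proxy check</body></html>""",
    "reviews.example": """<html><head>
<script>ga('create', 'UA-1234567-3', 'auto');</script></head><body>reviews</body></html>""",
    "vpn.example": """<html><head>
<script>gtag('config', 'G-ABCDE12345');</script>
<script>gtag('config', 'UA-1234567-2');</script></head><body>vpn</body></html>""",
    "unrelated.example": """<html><head>
<script>gtag('config', 'UA-7654321-1');</script></head><body>other</body></html>""",
}

# Universal Analytics IDs look like UA-<account>-<property>. The account
# portion is what ties sites together; the trailing index differs per property.
UA_RE = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b")
# GA4 measurement IDs look like G-XXXXXXXXXX and are used as-is.
G4_RE = re.compile(r"\bG-[A-Z0-9]{6,12}\b")


def extract_tracking_ids(html):
    """Return the set of analytics account keys found in one HTML document."""
    ids = {"UA-" + m.group(1) for m in UA_RE.finditer(html)}
    ids |= set(G4_RE.findall(html))
    return ids


def cluster_by_tracking_id(pages):
    """Map each analytics account to the sorted list of domains that embed it,
    keeping only accounts shared by more than one domain (the interesting pivots)."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for tid in extract_tracking_ids(html):
            clusters[tid].add(domain)
    return {tid: sorted(domains) for tid, domains in clusters.items() if len(domains) > 1}


def refang(indicator):
    """Turn 'SocksEscort [.] com' or 'super-socks[.]com' back into a plain hostname."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator.strip())


def defang(domain):
    """Render a hostname so it is not clickable when pasted into a report."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    for tid, domains in cluster_by_tracking_id(SAMPLE_PAGES).items():
        print(tid, "->", ", ".join(defang(d) for d in domains))
```

Clustering on the account portion of the UA ID rather than the full string is deliberate: one account can own several properties (UA-1234567-1, -2, -3), and it is the shared account that indicates common ownership. A shared ID is a lead, not proof; as the article itself shows, it needs corroboration from registration records, forum handles and corporate filings before any conclusion is drawn.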