An international coalition of law enforcement agencies has dismantled the SocksEscort proxy network, a criminal enterprise that exploited residential routers worldwide. The court-authorized operation targeted a botnet that had enlisted hundreds of thousands of these devices to relay its customers' traffic and facilitate large-scale fraud.
SocksEscort’s Extensive Reach
The U.S. Department of Justice revealed that SocksEscort infected internet routers with malware, enabling its operators to route customers' internet traffic through the compromised devices. That access was then sold, allowing buyers to disguise the origin of their online activity. Since its emergence in 2020, SocksEscort offered access to approximately 369,000 IP addresses across 163 countries, with a significant concentration of affected routers in the United States.
Marketed as a seller of "static residential IPs with unlimited bandwidth," SocksEscort offered sizable proxy packages at various price points and was designed to bypass spam blocklists: traffic leaving a home router carries a residential ISP address that reputation-based controls rarely flag, so fraud routed through it looks like an ordinary subscriber. Its ultimate objective was to obscure the true location and identity of its users, letting them commit crimes without being traced.
Impact and Investigation
The investigation into SocksEscort uncovered a range of victims, including a New York-based cryptocurrency exchange customer defrauded of $1 million and a Pennsylvania manufacturing business that lost $700,000. Military personnel were also targeted, with $100,000 stolen from MILITARY STAR cardholders.
The operation, dubbed Operation Lightning, was coordinated by Europol and involved law enforcement from multiple countries, including the U.S., Austria, and Germany. The crackdown resulted in the shutdown of 34 domains and 23 servers in seven countries, along with the freezing of $3.5 million in cryptocurrency assets.
Technical Details and Threats
Key to SocksEscort's functionality was the AVrecon malware, active since at least May 2021. It targeted around 1,200 device models, including Cisco and D-Link routers, and gained access by exploiting remote code execution vulnerabilities in them. The FBI noted that the malware could permanently infect a device by modifying its firmware, so, unlike memory-resident router malware, the implant survives a reboot and persists until the firmware is replaced.
AVrecon allowed attackers to control infected devices remotely and execute further payloads, effectively turning the routers into proxies for criminal use. This capability made SocksEscort a significant threat, particularly as the service was marketed to malicious actors rather than to any legitimate customer base.
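The page gives no detail on the port or protocol AVrecon's proxy listener used, only that the network sold SOCKS-style proxy access through infected routers. The following is an added example, not code from the page, the DOJ, or the FBI: a small audit probe that assumes a standard SOCKS5 listener (RFC 1928) and tells you whether a device on your own network answers the SOCKS5 greeting without demanding authentication, which is the condition under which a router can be resold as a relay. The loopback "fake service" and its replies are constructed stand-ins so the probe can be run offline; real use means pointing it at your routers' addresses and whatever ports your inventory shows exposed.

```python
"""Probe a host for an unauthenticated SOCKS5 proxy service (RFC 1928 greeting only)."""
import socket
import threading

SOCKS5_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
OFFERED_METHODS = (METHOD_NO_AUTH, METHOD_USERPASS)


def socks5_greeting(methods=OFFERED_METHODS):
    """Client greeting: VER | NMETHODS | METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS5_VERSION, len(methods), *methods])


def classify_reply(reply):
    """Map the server's 2-byte method-selection reply to an audit verdict."""
    if len(reply) != 2 or reply[0] != SOCKS5_VERSION:
        return "not-socks5"          # HTTP banner, TLS hello, empty reply, etc.
    method = reply[1]
    if method == METHOD_NO_AUTH:
        return "open"                # anyone who can reach the port can relay through it
    if method == METHOD_USERPASS:
        return "auth-required"       # SOCKS5 present, but gated by credentials
    if method == METHOD_NONE_ACCEPTABLE:
        return "rejected"            # speaks SOCKS5 but accepts neither offered method
    return "unexpected-method"       # GSSAPI or a private method we did not offer


def probe_socks5(host, port, timeout=3.0):
    """Connect, send the greeting, and classify what comes back.
    Returns 'closed' if the TCP connection cannot be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(socks5_greeting())
            reply = sock.recv(2)
    except OSError:
        return "closed"
    return classify_reply(reply)


def start_fake_service(reply):
    """Constructed stand-in for a router under test: a one-shot loopback
    listener that answers any greeting with the given bytes. It exists only
    so the probe can be demonstrated offline; it is not AVrecon's behaviour."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)            # consume the client greeting
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Audit of three constructed services; on a real network, pass the LAN/WAN
    # address of each router and the port your inventory lists as exposed.
    for label, reply in [("open proxy", bytes([0x05, 0x00])),
                         ("gated proxy", bytes([0x05, 0x02])),
                         ("web admin UI", b"HTTP/1.1 400 Bad Request\r\n")]:
        port = start_fake_service(reply)
        print(f"{label:12s} 127.0.0.1:{port} -> {probe_socks5('127.0.0.1', port)}")
```

An "open" verdict on a home or branch-office router is the finding to act on: a consumer router has no business accepting SOCKS5 sessions, and because the page notes that AVrecon persists by rewriting firmware, a reboot will not clear it; reflash from a clean vendor image or replace the unit. The probe only inspects the method-selection handshake and never issues a CONNECT, so it does not relay any traffic through the device it tests.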
The dismantling of the SocksEscort botnet marks a significant victory in the fight against cybercrime. Authorities continue to monitor such threats and stress the importance of securing internet-connected devices, in particular keeping router firmware current, disabling remote administration that is not needed, and retiring models that no longer receive updates, so that they cannot be enlisted in the next proxy network.
