
- "Operation Lightning" dismantles SocksEscort proxy botnet
- 369,000+ routers and IoT devices compromised across 163 countries
- Law enforcement seized domains, servers, and $3.5M in crypto
An international law enforcement crackdown called “Operation Lightning” took down SocksEscort, a malicious residential proxy network built from hundreds of thousands of compromised devices that was used to defraud victims out of millions of dollars.
A malicious residential proxy is a service that routes a customer's internet traffic through real home devices and IP addresses that were previously infected by malware. Because the traffic exits from ordinary residential IP addresses, the attacker hides their true location and looks like a normal home user, which helps them evade IP-reputation and geolocation checks and carry out malicious activities such as credential stuffing, ad fraud, account takeover, and more.
A Europol press release noted SocksEscort compromised more than 369,000 routers and Internet of Things (IoT) devices in 163 countries, and offered its customers more than 35,000 proxies in recent years. The agency said Operation Lightning took down 34 domains and 23 servers in seven countries, while $3.5 million in cryptocurrency was seized in the United States.
Infected with AVrecon
Discussing the many victims of SocksEscort, the US Attorney's Office for the Eastern District of California said a cryptocurrency exchange customer in New York was defrauded out of $1 million, while a manufacturing business in Pennsylvania lost $700,000. Both current and former US service members with Military Star cards were defrauded out of $100,000, as well.
Europol said the compromised devices were infected with malware through a vulnerability “in the residential modems of a specific brand”, without saying which brand that was.
An earlier KrebsOnSecurity report said the operators were deploying the AVrecon malware against small office and home office (SOHO) routers. The same report stated that SocksEscort was 12 years old at the time, which means it was roughly 15 years old when it was finally taken down.
During its analysis, Black Lotus Labs described SocksEscort as “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history.”
Via The Register