
Free VPN Big Mama Raises Security Concerns Amid Cybercrime Links

 

Big Mama VPN, a free virtual private network app, is drawing scrutiny for its involvement in both legitimate and questionable online activities. The app, popular among Android users with over a million downloads, provides a free VPN service while also enabling users to sell access to their home internet connections. This service is marketed as a residential proxy, allowing buyers to use real IP addresses for activities ranging from ad verification to scraping pricing data. However, cybersecurity experts warn of significant risks tied to this dual functionality. 

Teenagers have recently gained attention for using Big Mama VPN to cheat in the virtual reality game Gorilla Tag. By side-loading the app onto Meta’s Oculus headsets, players exploit location delays to gain an unfair advantage. While this usage might seem relatively harmless, the real issue lies in how Big Mama’s residential proxy network operates. Researchers have linked the app to cybercrime forums where it is heavily promoted for use in activities such as distributed denial-of-service (DDoS) attacks, phishing campaigns, and botnets. Cybersecurity firm Trend Micro discovered that Meta VR headsets are among the most popular devices using Big Mama VPN, alongside Samsung and Xiaomi devices. 

Trend Micro's researchers also identified a vulnerability in the VPN's system that could have allowed proxy users to reach the local networks of the devices they were routed through. Big Mama reportedly addressed and fixed this flaw within a week of it being flagged. However, the larger problem persists: using Big Mama exposes users to significant privacy risks. When users download the VPN, they implicitly consent to having their internet connection routed for other users. This is outlined in the app's terms and conditions, but many users fail to fully understand the implications. Through its proxy marketplace, Big Mama sells access to tens of thousands of IP addresses worldwide, accepting payments exclusively in cryptocurrency.

Cybersecurity researchers at firms like Orange Cyberdefense and Kela have linked this marketplace to illicit activities, with over 1,000 posts about Big Mama appearing on cybercrime forums. Big Mama’s ambiguous ownership further complicates matters. While the company is registered in Romania, it previously listed an address in Wyoming. Its representative, using the alias Alex A, claims the company does not advertise on forums and logs user activity to cooperate with law enforcement. Despite these assurances, the app has been repeatedly flagged for its potential role in cyberattacks, including an incident reported by Cisco Talos. 

Free VPNs like Big Mama often come with hidden costs, sacrificing user privacy and security for financial viability. By selling access to residential proxies, Big Mama has opened doors for cybercriminals to exploit unsuspecting users’ internet connections. This serves as a cautionary tale about the dangers of free services in the digital age. Users are advised to exercise extreme caution when downloading apps, especially from unofficial sources, and to consider the potential trade-offs involved in using free VPN services.

Socks5Systemz Proxy Service Impacts 10,000 Systems Globally

 

A proxy botnet identified as 'Socks5Systemz' has been infecting computers across the globe through the 'PrivateLoader' and 'Amadey' malware loaders, and currently counts 10,000 infected devices.

The malware infects computers and transforms them into traffic-forwarding proxies for malicious, illegal, or concealed traffic. It supplies this service to customers who pay between $1 and $140 per day in cryptocurrency to access it. 

Socks5Systemz is detailed in a BitSight report, which clarifies that the proxy botnet has been active since at least 2016, but has remained largely unnoticed until recently. 

The Socks5Systemz bot is propagated by the PrivateLoader and Amadey malware, which are frequently distributed through phishing, exploit kits, malvertising, trojanized executables downloaded from P2P networks, and other techniques.

The BitSight samples are called 'previewer.exe,' and their task is to inject the proxy bot into the host's memory and establish persistence for it through a Windows service called 'ContentDWSvc.' 

The payload for the proxy bot is a 300 KB 32-bit DLL. It connects to its command and control (C2) server via a domain generation algorithm (DGA) system and sends profiling information about the infected machine. 

In response, the C2 can issue one of the following commands: 

  • Idle: Take no action.
  • connect: Establish a connection to a backconnect server. 
  • disconnect: Disconnect from the backconnect server. 
  • updips: Update the list of IP addresses authorized to send traffic. 
  • upduris: Not yet implemented. 

The connect command, which instructs the bot to establish a backconnect server connection over port 1074/TCP, is critical. 

Once connected to the threat actors' infrastructure, the infected device can be used as a proxy server and sold to other threat actors. When connecting to the backconnect server, the bot uses a set of fields to determine the IP address, proxy password, list of blocked ports, and other connection parameters. 

These field parameters ensure that only bots on the allowlist with the required login credentials can connect with the control servers, preventing unauthorised attempts. 
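The service name, dropper file name and backconnect port quoted above are the observable traces a defender can look for. The following is an added example, not code from the article or from BitSight's report: a small detection pass over constructed, Sysmon-style log lines (the log format, host names and addresses are assumptions) that flags hosts installing a 'ContentDWSvc' service or opening an outbound 1074/TCP connection, and ranks a host higher only when both indicators coincide, since port 1074 alone can be benign.

```python
import re
from collections import defaultdict

# Indicators quoted in the article (from BitSight's analysis).
SERVICE_NAME = "ContentDWSvc"
BACKCONNECT_PORT = 1074

# Constructed sample log lines: "<ts> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2024-01-10T09:01:02Z WS-01 ServiceInstall name=ContentDWSvc image=C:\\Users\\a\\previewer.exe
2024-01-10T09:01:05Z WS-01 NetConnect proto=tcp dst=203.0.113.7 dport=1074 image=C:\\Users\\a\\previewer.exe
2024-01-10T09:02:00Z WS-02 NetConnect proto=tcp dst=198.51.100.4 dport=443 image=C:\\Apps\\browser.exe
2024-01-10T09:03:11Z WS-03 NetConnect proto=tcp dst=203.0.113.9 dport=1074 image=C:\\Windows\\svchost.exe
2024-01-10T09:04:00Z WS-04 ServiceInstall name=Spooler image=C:\\Windows\\spoolsv.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<rest>.*)$")

def parse_line(line):
    """Split one log line into timestamp, host, event type and a key=value dict."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than crash the pass
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": m.group("ts"), "host": m.group("host"),
            "event": m.group("event"), "fields": fields}

def find_indicators(log_text):
    """Return {host: [reason, ...]} for every host matching either indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, event, f = rec["host"], rec["event"], rec["fields"]
        if event == "ServiceInstall" and f.get("name") == SERVICE_NAME:
            hits[host].append(f"service {SERVICE_NAME} installed by {f.get('image')}")
        if event == "NetConnect" and f.get("proto") == "tcp" and f.get("dport") == str(BACKCONNECT_PORT):
            hits[host].append(f"outbound {BACKCONNECT_PORT}/tcp to {f.get('dst')} from {f.get('image')}")
    return dict(hits)

def triage(hits):
    """Both indicators on one host -> 'high'; the port alone -> 'review' (may be benign)."""
    verdicts = {}
    for host, reasons in hits.items():
        has_service = any(r.startswith("service") for r in reasons)
        has_port = any(r.startswith("outbound") for r in reasons)
        verdicts[host] = "high" if has_service and has_port else "review"
    return verdicts

if __name__ == "__main__":
    for host, verdict in triage(find_indicators(SAMPLE_LOGS)).items():
        print(host, verdict)
```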

Impact of illegal business

BitSight mapped a large control infrastructure comprising 53 proxy bot, backconnect, DNS, and address acquisition servers, located mostly in France and elsewhere in Europe (Netherlands, Sweden, Bulgaria). 

There are two subscription tiers for Socks5Systemz proxying services: "Standard" and "VIP." Customers can pay for their subscriptions using the anonymous (no KYC) payment gateway "Cryptomus." 

In order to be added to the bot's allowlist, subscribers must specify the IP address through which the proxied traffic will originate. 

VIP users are able to use 100–5000 threads and choose the proxy type (HTTP, SOCKS4, or SOCKS5), while standard subscribers are restricted to a single thread and a single proxy type. 

The profitable business of residential proxy botnets has a significant impact on internet security, since it relies on hijacking victims' bandwidth without authorisation. These services are very popular because they are often used for circumventing geo-restrictions and for running shopping bots. 

A vast proxy network with over 400,000 nodes was exposed by AT&T analysts in August. Unaware Windows and macOS users were acting as exit nodes in this network, channelling other people's internet traffic.