Hijacking Your Bandwidth: How Proxyware Apps Open You Up to Risk

Is this true? To examine and understand the kind of risks a potential user might be exposed to by joining such programs, we recorded and analyzed network traffic from a large number of exit nodes of several different network bandwidth sharing services. From January to September 2022, we recorded traffic coming from exit nodes of some of these passive income companies and examined the nature of the traffic being funneled through them.

First of all, our observation confirmed that traffic from other app partners is funneled to our exit node and that most of it is legitimate. We saw normal traffic, such as browsing news websites, listening to news streams, or browsing online shopping websites. However, we also saw connections demonstrating that some users were performing activities that are suspicious or possibly illegal in some countries. A summary of suspicious activities is given in the following table. We organized these activities by similarity and noted the proxy networks where we observed them.

Suspicious activity                                            Traffic from Proxyware Applications
Access to 3rd-party SMS and SMS PVA services                   Honeygain, PacketStream
Accessing potential click-fraud or silent advertisement sites  Honeygain
SQL injection probing                                          Honeygain, PacketStream, IPRoyal Pawns
Attempts to access /etc/passwd and other security scans        Honeygain, PacketStream
Crawling government websites                                   Honeygain
Crawling of personally identifiable information                IPRoyal Pawns
Bulk registration of social media accounts                     IPRoyal Pawns

In most cases, the application publishers probably would not be legally responsible for suspicious or malicious activities by the third parties who use their proxy services. Those who installed the "Network bandwidth sharing" applications have no means of controlling or even monitoring what kind of traffic goes via their exit node.
The table above outlines the malicious and suspicious activity we observed, and this section goes into further detail about these activities.

In the collected traffic, we have seen the registration of TikTok accounts with unconventional email addresses. These bulk-registered accounts are often then used in a variety of dubious operations: social engineering and scams against individual users, and abuse of sign-up and promotion campaigns of various online businesses that could result in thousands of dollars in monetary loss.

Potential click fraud was another type of activity that we observed coming from these networks. Advertisers have to pay for ineffective clicks, and the network traffic looks almost identical to a normal user clicking on the ads at home.

Doing security scanning without proper authorization and doing SQL injection scans without written permission from the website owner is criminal activity in many countries and may result in prosecution. This kind of traffic is risky, and users who share their connections could potentially be involved in legal investigations. Another similar set of activities with similar risks that we observed is scans from tools. Needless to say, it is illegal to conduct such activities without written permission from the server's owner.

There usually are terms of fair use requiring that users not place too many queries at the same time. Crawling of personally identifiable information might not be illegal in all countries, but this activity is questionable because we do not know how such information may later be misused. Such information included names, dates of birth, gender and CPF. Obviously, if such activity is investigated, the "Passive income" software users would be the first point of contact, as it would be their IP address that got logged on those websites.

Proxyware is similar to a Tor exit node, because both funnel traffic from one user to another.
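As an added illustration (not code from the original article or from any of the vendors named in it), the following Python filter shows how a defender with visibility into exit-node request logs could flag the activity categories listed in the table above. The log records, hostnames and rule patterns are constructed examples and simple approximations of the categories, not signatures from the article.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of exit-node request records ("METHOD URL USER-AGENT"),
# modelled on the article's activity categories; not captured traffic.
SAMPLE_LOG = """\
GET http://news.example/world/latest Mozilla/5.0
GET http://shop.example/item?id=42 Mozilla/5.0
GET http://shop.example/item?id=42'%20OR%20'1'='1 Mozilla/5.0
GET http://shop.example/item?id=42%20UNION%20SELECT%20null,null-- Mozilla/5.0
GET http://victim.example/../../../../etc/passwd curl/7.81.0
GET http://victim.example/cgi-bin/view.cgi?file=/etc/passwd Mozilla/5.0
POST http://sms-pva.example/api/getNumber?service=social python-requests/2.28
POST http://social.example/passport/email/register Mozilla/5.0
GET http://registry.gov.example/companies/page/1 Scrapy/2.6
"""

# One case-insensitive rule per activity category in the article's table,
# applied to the percent-decoded URL so encoded quotes cannot slip past.
RULES = {
    "sql_injection_probe": re.compile(r"'\s*or\s*'|union\s+select|--\s*$", re.I),
    "sensitive_file_access": re.compile(r"\.\./|/etc/passwd|/etc/shadow", re.I),
    "sms_pva_service": re.compile(r"sms-?pva|/api/getnumber", re.I),
    "bulk_account_registration": re.compile(r"/(register|signup|sign-up)\b", re.I),
    "government_site_crawl": re.compile(r"^https?://[^/]*\.gov(\.|/|$)", re.I),
}
# Scripted clients are not malicious alone, but help separate bulk automation.
AUTOMATION_UA = re.compile(r"python-requests|curl/|scrapy|wget/", re.I)


def classify(record):
    """Return the set of category names that one log record matches."""
    _method, url, agent = record.split(" ", 2)
    hits = {name for rx_name, rx in RULES.items() for name in [rx_name] if rx.search(unquote(url))}
    if AUTOMATION_UA.search(agent):
        hits.add("automated_client")
    return hits


def summarize(log):
    """Count hits per category and collect the records that triggered them."""
    counts, flagged = Counter(), []
    for record in log.splitlines():
        hits = classify(record)
        counts.update(hits)
        if hits:
            flagged.append((record, sorted(hits)))
    return counts, flagged


if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

Run against the sample, two of the nine records are left unflagged as ordinary browsing; the rest each land in at least one of the categories the article reports.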
These applications appear to install proxyware functionality on devices, like the Globalhop SDK, without clearly notifying users that their devices will be used as passive exit nodes. Some end-user license agreement (EULA) documents may explicitly mention the inclusion of the Globalhop SDK or the exit node functionality of the apps, while others do not. In our opinion, including a notification only in the EULA, a document that few users ever read, does not provide fair notice to users that installing the app will result in unknown third parties using their devices as an exit node. In either case, such software still brings risks to its users, and the "Passive income" is only paid to the app developers. The applications include:

- Walliant, an automated wallpaper changer
- Decacopy Clipboard Manager, a program designed to store users' recent copy-pasted content
- EasyAsVPN, unwanted software often installed by tricking users
- Taskbar System, an app that changes the color of your taskbar
- Relevant Knowledge, an adware
- RestMinder, a clock software that reminds users to take a rest
- Viewndow, software that keeps selected app windows pinned
- Saferternet, DNS-based web-filtering software

The network traffic produced from these proxy networks is similar to the traffic produced by "Passive income" software, as both types of software serve as exit nodes for their providers. We have observed the following malicious / debatable activities. The IOC and traffic patterns are listed in the appendix.

In this article, we have described how popular "Passive income" software advertised as "Network bandwidth sharing" uses the residential IPs of its install base as exit nodes, and the risks that malicious and dubious network traffic might bring to the users. By allowing anonymous persons to use your computer as an exit node, you bear the brunt of the risk if they perform illegal, abusive, or attack-related actions.
"Passive income" providers might have ethical policies in place, but we have seen no evidence of these providers policing the traffic being routed into the exit nodes. If they did, the very obvious SQL injection traffic we've seen should have been filtered out. If these providers wish to improve their policies, we suggest that they be more upfront and make it clear to the software users that they do not control what their customers do. There are measures to limit attacks and abuse (such as strict implementation of traffic scanning, testing of certificates, and other techniques), but enforcement of these policies is key. Some of the app publishers that we've contacted about these concerns have responded that they protect their users through their know-your-customer practices for their app partners.

All in all, potential users of these apps, especially with the current implementation of proxyware services, need to be aware that they are exposing themselves to unknown levels of risk in exchange for an uncertain and likely unstable amount of potential "Passive income". For people who want to learn more about "Passive income" apps or proxyware, we recommend this article from Cisco Talos and Resident Evil: Understanding Residential IP Proxy as a Dark Service.

Traffic patterns of malicious/suspicious activities

The following table shows some of the traffic patterns of malicious/suspicious activities forwarded by the "Passive income" applications that we have observed.

This Cyber News was published on www.trendmicro.com. Publication date: Tue, 07 Feb 2023 11:56:02 +0000

