Is this true? To examine and understand the kind of risks a potential user is exposed to by joining such programs, we recorded and analyzed network traffic from a large number of exit nodes of several different network bandwidth sharing services. From January to September 2022, we recorded traffic arriving at exit nodes of some of these "passive income" companies and examined the nature of the traffic being funneled through them.

First of all, our observations confirmed that traffic from the other app partners is funneled to our exit nodes and that most of it is legitimate. We saw normal traffic, such as browsing news websites, listening to news streams, or browsing online shopping websites. However, we also observed connections showing that some users were performing activities that are suspicious or possibly illegal in some countries. A summary of these suspicious activities is given in the following table. We grouped the activities by similarity and noted the proxy networks in which we observed each of them.

Suspicious activity                                        | Traffic from proxyware applications
-----------------------------------------------------------|--------------------------------------
Access to third-party SMS and SMS PVA services             | Honeygain, PacketStream
Accessing potential click-fraud or silent advertisement sites | Honeygain
SQL injection probing                                      | Honeygain, PacketStream, IPRoyal Pawns
Attempts to access /etc/passwd and other security scans    | Honeygain, PacketStream
Crawling government websites                               | Honeygain
Crawling of personally identifiable information            | IPRoyal Pawns
Bulk registration of social media accounts                 | IPRoyal Pawns

In most cases, the application publishers probably would not be legally responsible for suspicious or malicious activities by the third parties who use their proxy services. Those who installed the "network bandwidth sharing" applications, however, have no means of controlling or even monitoring what kind of traffic goes through their exit node.
The table above outlines the malicious and suspicious activity we observed; this section goes into further detail on each of these activities.

In the collected traffic, we saw the registration of TikTok accounts with unconventional email addresses. Bulk-registered accounts of this kind are often used in a variety of dubious operations: social engineering and scams against individual users, and abuse of the sign-up and promotion campaigns of online businesses, which can result in thousands of dollars in monetary loss.

Potential click fraud was another type of activity we observed coming from these networks. Advertisers have to pay for ineffective clicks, and because the requests leave from a residential IP address, the network traffic looks almost identical to a normal user clicking on ads at home.

Security scanning without proper authorization, and SQL injection probing without written permission from the website owner, is a criminal activity in many countries and may result in prosecution. This kind of traffic is risky: users who share their connections could find themselves involved in legal investigations. A similar set of activities with similar risks is scans from automated tools, such as the attempts to read /etc/passwd listed above. Needless to say, it is illegal to conduct such activity without written permission from the server's owner.

Crawling government websites carries a related risk. Such sites usually have terms of fair use requiring that users not place too many queries at the same time, and bulk crawling through residential exit nodes runs against those terms.

Crawling of personally identifiable information might not be illegal in all countries, but the activity is questionable because we do not know how such information may later be misused. The information we saw collected included names, dates of birth, gender and CPF (the Brazilian individual taxpayer number). Obviously, if such activity is investigated, the "passive income" software users would be the first point of contact, as it is their IP address that gets logged on those websites.

In this respect, proxyware is similar to a Tor exit node: both funnel traffic from one user to another, and the destination sees only the exit node's address.
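The triage described in the two passages above, recording the requests that leave an exit node and sorting them into the categories in the table, can be automated over a request log. The following is an added example, not code from the Trend Micro article, and the log format, hostnames, client addresses, the PVA host list and the detection patterns are all assumptions constructed for illustration. It percent-decodes each URL before matching, because the SQL injection probes seen in the wild typically arrive encoded (%27 for a quote), and it treats repeated sign-up POSTs from one client as a single bulk-registration finding rather than one per request.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample of an exit-node request log (not real captured traffic).
# Assumed format: timestamp client_ip method url status
SAMPLE_LOG = """\
2022-03-01T10:00:01Z 203.0.113.10 GET http://news.example.com/world/latest 200
2022-03-01T10:00:02Z 203.0.113.10 GET http://shop.example.net/cart 200
2022-03-01T10:00:05Z 198.51.100.7 GET http://shop.example.net/item?id=1%27%20OR%201%3D1-- 500
2022-03-01T10:00:06Z 198.51.100.7 GET http://shop.example.net/item?id=1%20UNION%20SELECT%20null,null 500
2022-03-01T10:00:09Z 198.51.100.8 GET http://app.example.org/download?file=../../../../etc/passwd 403
2022-03-01T10:00:10Z 198.51.100.8 GET http://app.example.org/.env 404
2022-03-01T10:00:12Z 198.51.100.9 POST http://sms-pva.example.net/api/getNumber 200
2022-03-01T10:00:15Z 198.51.100.9 POST http://social.example.com/signup 200
2022-03-01T10:00:16Z 198.51.100.9 POST http://social.example.com/signup 200
2022-03-01T10:00:17Z 198.51.100.9 POST http://social.example.com/signup 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Detection patterns (assumptions, tuned for the constructed sample; a real
# deployment would use a maintained ruleset). Matched against the decoded path+query.
SQLI_RE = re.compile(
    r"('|\")\s*(or|and)\s+\S+\s*=\s*\S+|union\s+(all\s+)?select|sleep\s*\(|benchmark\s*\(|--\s*$|/\*",
    re.I,
)
FILE_RE = re.compile(r"(\.\./)+|/etc/passwd|/etc/shadow|/\.env\b|wp-config\.php|phpinfo", re.I)
SIGNUP_RE = re.compile(r"/(signup|register|create[_-]?account)\b", re.I)

# Hypothetical list of known SMS PVA service hosts (an assumption, not a real IOC list).
PVA_HOSTS = {"sms-pva.example.net"}


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    # Decode once so that percent-encoded payloads (%27 -> ') are visible to the rules.
    query = "?" + parts.query if parts.query else ""
    rec["path_query"] = unquote_plus(parts.path + query)
    return rec


def classify(rec):
    """Return the per-request categories a single record matches (possibly none)."""
    cats = []
    pq = rec["path_query"]
    if SQLI_RE.search(pq):
        cats.append("sql_injection_probe")
    if FILE_RE.search(pq):
        cats.append("sensitive_file_probe")
    if rec["host"] in PVA_HOSTS:
        cats.append("sms_pva_service")
    return cats


def summarize(log_text, signup_threshold=3):
    """Count findings per category and list the client IPs behind them.

    Bulk registration is a per-client finding: a client is reported once when it
    sends at least `signup_threshold` sign-up POSTs in the analyzed window.
    """
    counts = Counter()
    suspicious_clients = set()
    signups = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for cat in classify(rec):
            counts[cat] += 1
            suspicious_clients.add(rec["client"])
        if rec["method"] == "POST" and SIGNUP_RE.search(rec["path_query"]):
            signups[rec["client"]] += 1
    for client, n in signups.items():
        if n >= signup_threshold:
            counts["bulk_account_registration"] += 1
            suspicious_clients.add(client)
    return dict(counts), sorted(suspicious_clients)


if __name__ == "__main__":
    found, clients = summarize(SAMPLE_LOG)
    for cat, n in sorted(found.items()):
        print(f"{cat:28s} {n}")
    print("clients with suspicious traffic:", ", ".join(clients))
```

On the constructed sample the two news and shopping requests from 203.0.113.10 produce no findings, while the three other clients account for two SQL injection probes, two sensitive-file probes, one PVA service contact and one bulk-registration finding. The decoding step matters: without it the first injection probe (`%27%20OR%201%3D1`) would slip past a rule written for a literal quote.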
These applications appear to install proxyware functionality, such as the Globalhop SDK, on devices without clearly notifying users that their devices will be used as passive exit nodes. Some end-user license agreements explicitly mention the inclusion of the Globalhop SDK or the exit node functionality of the app, while others do not. In our opinion, including the notification only in the EULA, a document that few users ever read, does not provide fair notice that installing the app will result in unknown third parties using the device as an exit node. In either case, such software still brings risks to its users, while the "passive income" is paid only to the app developers.

Applications we found bundling this exit node functionality include:

- Walliant, an automated wallpaper changer
- Decacopy Clipboard Manager, a program designed to store users' recent copy-pasted content
- EasyAsVPN, unwanted software often installed by tricking users
- Taskbar System, an app that changes the color of your taskbar
- Relevant Knowledge, an adware
- RestMinder, a clock software that reminds users to take a rest
- Viewndow, software that keeps a selected app window pinned
- Saferternet, DNS-based web-filtering software

The network traffic produced by these proxy networks is similar to the traffic produced by "passive income" software, as both types of software serve as exit nodes for their providers. We observed the following malicious or debatable activities from them; the IOCs and traffic patterns are listed in the appendix.

In this article, we have described how popular "passive income" software advertised as "network bandwidth sharing" uses the residential IP addresses of its install base as exit nodes, and the risks that the malicious and dubious network traffic might bring to the users. By allowing anonymous persons to use your computer as an exit node, you bear the brunt of the risk if they perform illegal, abusive, or attack-related actions.
"Passive income" providers might have ethical policies in place, but we have seen no evidence of these providers policing the traffic being routed into the exit nodes. If they did, the very obvious SQL injection traffic we observed should have been filtered out. If these providers wish to improve their policies, we suggest that they be more upfront and make it clear to the software users that they do not control what their customers do. There are measures that can limit attacks and abuse, such as strict implementation of traffic scanning, testing of certificates, and other techniques, but enforcement of these policies is key. Some of the app publishers we contacted about these concerns responded that they protect their users through know-your-customer practices applied to their app partners.

All in all, potential users of these apps, especially with the current implementation of proxyware services, need to be aware that they are exposing themselves to unknown levels of risk in exchange for an uncertain and likely unstable amount of potential "passive income". For people who want to learn more about "passive income" apps or proxyware, we recommend the article on proxyware from Cisco Talos and the paper "Resident Evil: Understanding Residential IP Proxy as a Dark Service".

Traffic patterns of malicious/suspicious activities. The following table shows some of the traffic patterns of malicious/suspicious activities forwarded by the "passive income" applications that we observed.
This Cyber News was published on www.trendmicro.com. Publication date: Tue, 07 Feb 2023 11:56:02 +0000