The FBI, in cooperation with law enforcement agencies from Germany, the United Kingdom and the Netherlands, has taken down a large Russian botnet. The botnet, better known as RSOCKS, had infected millions of devices worldwide. In addition to individuals' devices, computers and IoT applications belonging to a university, a hotel and a television studio had also been hacked.
So writes the US Department of Justice in a press release.
A botnet is a network of infected computers or other (mobile) devices. An infected device is also called a zombie, and the person who manages the network a botmaster. Owners often do not realize that their hardware is part of a botnet. The botmaster uses the infected devices, for example, to carry out a Distributed Denial of Service (DDoS) attack, which takes down servers and websites by bombarding them with massive numbers of connection requests.
In addition to a DDoS attack, a botnet can also be used to flood Internet users with spam messages. To do this, perpetrators use so-called Command & Control servers (C&C servers). These servers are the nerve center or headquarters from which hackers receive stolen data and send spam. With spam messages, scammers try to get as much personal data as possible from unsuspecting victims. This form of cybercrime is also called phishing.
RSOCKS' botmaster focused primarily on devices with Internet of Things (IoT) applications. These are products that are connected to the Internet and communicate with other devices over that connection. Think of routers, devices for streaming video and music, smart cameras and control systems used in business. Because they are connected to the Internet, each of these devices has its own IP address.
Gradually, the botnet's administrator expanded the network to include Android devices and traditional computers. At one point, RSOCKS consisted of millions of infected devices. With these, the botmaster performed several brute force attacks. In a brute force attack, cybercriminals attempt to hack accounts by trying an unlimited number of username and password combinations until there is a match.
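Brute force attempts of the kind described above leave a characteristic trace on the target: many failed logins from one source in a short time, often against many different usernames. The following script is an added example, not code from the article or from the Department of Justice, showing how a defender can detect that pattern in sshd-style authentication logs. The log lines are constructed for the example (RFC 5737 documentation addresses, no real hosts), and the log format, threshold and time window are assumptions that would be tuned to a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of OpenSSH's sshd; not real data.
# One source (203.0.113.5) hammers five different usernames within seconds,
# one user mistypes a password once and then succeeds, and one isolated
# failure arrives half an hour later.
SAMPLE_LOG = """\
Jun 16 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jun 16 10:00:02 host sshd[102]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jun 16 10:00:03 host sshd[103]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Jun 16 10:00:04 host sshd[104]: Failed password for invalid user guest from 203.0.113.5 port 51003 ssh2
Jun 16 10:00:05 host sshd[105]: Failed password for invalid user oracle from 203.0.113.5 port 51004 ssh2
Jun 16 10:00:06 host sshd[106]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun 16 10:00:09 host sshd[107]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Jun 16 10:30:00 host sshd[108]: Failed password for bob from 192.0.2.9 port 42000 ssh2
"""

# Assumed line format: syslog timestamp, host, "sshd[pid]:", then the
# "Failed password for [invalid user] <user> from <ip> port <n>" message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        # Syslog timestamps carry no year; relative ordering is all we need.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("user")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: summary} for each source IP that produced `threshold` or
    more failed logins inside some sliding window of `window_seconds`.

    The summary records how many failures fell in the first window that
    crossed the threshold and how many distinct usernames were tried in it;
    a high distinct-user count points at username guessing rather than one
    user who forgot a password.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order; logs are not always in order
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in events[start:end + 1]}
                flagged[ip] = {"failures": count, "distinct_users": len(users)}
                break  # one alert per source IP is enough
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['failures']} failed logins, "
              f"{info['distinct_users']} distinct usernames")
```

On the constructed sample only 203.0.113.5 is flagged: five failures in five seconds against five different accounts. The single failure from alice and the lone attempt from bob fall well below the threshold, which is the point of a windowed count rather than a lifetime total. In production the same logic would feed a rate limiter or a block list, and the threshold would be lowered for accounts that should never see password logins at all.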
Once part of the RSOCKS botnet, infected devices were used as proxy services. With a proxy, it is possible to hide your own IP address and surf the Internet anonymously. In effect, a proxy acts as an intermediate station between you and the Internet to hide your identity and location from the outside world.
In the case of RSOCKS, the victims did not know that their devices were being used to reroute Internet traffic through their IP addresses. For a fee, hackers and cybercriminals could use the infected devices as proxy services. Customers could rent these proxies for a day, a week or a month. RSOCKS proxies cost as little as $30 per day, which bought access to 2,000 proxies. For $200 a day, malicious actors could get up to 90,000 proxies.
After purchase, customers could download a list of IP addresses and ports linked to one or more of the botnet's backend servers. In this way, users could redirect their (mostly malicious) Internet traffic through infected devices of unsuspecting victims to mask or hide their identity and location. According to the U.S. Department of Justice, customers attempted to use RSOCKS proxies to launch attacks on authentication services and send phishing messages.
The website on which the proxies were offered for sale has been taken offline. In addition to the FBI, enforcement agencies from Germany, the United Kingdom and the Netherlands assisted. "This operation disrupted a highly sophisticated Russian-based criminal organization that was conducting cyber intrusions in the United States and abroad," an FBI agent explained.