Hackers Steal and Sell Victims' Bandwidth Using ProxyjackingAttackers List Compromised Servers on Bandwidth-Sharing Platforms for Profit
Cyber crooks are performing server hijacking, or proxyjacking, to make money from the sale of their victims' compromised bandwidth on proxy networks, a new report by security firm Akamai finds.
Proxyjacking involves attackers replacing an authentic webpage to drive traffic to an imitation site. While the tactic has been active for a while, Akamai researchers say that in recent months a growing number of crooks are switching from crimes such as cryptomining and cryptojacking to proxyjacking.
"With proxyjacking, the attacker doesn't just steal resources but also leverages the victim's unused bandwidth," the report's author, researcher Allen West, said. "This allows for the attacker to monetize an unsuspecting victim's extra bandwidth, with only a fraction of the resource load that would be required for cryptomining, with less chance of discovery," says West.
Among hacking groups deploying this technique are Meris and Anonymous Sudan, who are targeting vulnerable secure shell protocols or SSH servers to gain remote access. The hackers then stealthily assign the compromised networks to proxy network services on bandwidth-sharing platforms such as Peer2Proxy or Honeygain, which pays its users for sharing their unused internet bandwidth.
In recent campaigns uncovered by Akamai, hackers began their activities by infecting multiple SSH connections set as honeypots by Akamai researchers. The attackers then inserted a malicious code to servers, which then turned the compromised system into a node in the Peer2Profit and Honeygain proxy network.
The hackers then routed the malicious traffic through multiple infected nodes to disguise their activities. In the final stage of the attacks, the hackers launched Docker services that share the victim's bandwidth for profit.
The researchers said the technique could become critical as it requires minimum computing equipment and lower internet bandwidth, making it harder to detect. To avoid potential attacks using this technique, Akamai's researchers recommend patching systems regularly, enabling multifactor authentication and checking for unprompted activities relating to Docker services.
"Open proxies serve as a crucial tool in the cybercriminal's arsenal," West said. "Reliance on these proxy networking companies to properly manage their partners is a very poor defense mechanism and weak assurance."