Someone Call 911: A Proxy Service Died
It’s been over two months since the malware proxy service 911re imploded and there have been no clear frontrunners to fill the void. A few contenders looked up to the task, SocksEscort and Yilu Proxy, but SocksEscort quickly closed their doors to new sign-ups (likely in an effort to remain under the radar) while Yilu has faced difficulties with usability, payments, and pricing.
911 offered a convenient and familiar way to pay for proxies; similar to defunct services Luxsocks and VIP72, customers could purchase individual proxies with highly specific regionality and ISP requirements via a custom Windows application. SocksEscort and Faceless (yet another malware proxy service) offer similar functionality through a web interface but do not have the ease of use in native Windows environments.
Meanwhile, Yilu does have a Windows application but requires payment through WebMoney or USDT-TRON as opposed to more popular payment methods like BTC or ETH. Adding to its drawbacks, Yilu charges for bandwidth (as opposed to a flat daily rate for an IP) which can get very expensive, and ultimately the service looks to be a combination of multiple other services.
In this blog, we’re going discuss how a new contender aims to replace 911 while still having familiar ties to an existing proxy service.
Enter: PIA S5 Proxy
While investigating a mobile VPN application called IPChanger, Spur discovered a new proxy service: PIA S5 Proxy. This service specifically markets itself to ex-911 users.
Users of 911 would feel right at home in the PIA interface, which is uncannily similar. Geographic and ISP targeting is possible when purchasing individual IPs, a common theme among malware proxy services like 911.
Spur has analyzed a number of PIA’s proxy offerings and concluded these devices also belong to the IPIDEA residential proxy network. It seems apparent that PIA and IPIDEA share a common provenance or operator.
Pulling the thread
Spur has been tracking IPIDEA for a few months. Our analysis shows that they are fairly massive as far as residential proxy services go, with over 2.2m active IPs at the time of writing.
As it is not uncommon to find multiple residential proxy services “sharing” an IP, Spur continued to dig into both IPIDEA and PIA S5 Proxy to find additional details that could link them together. To start, we identified the corporate entity operating IPIDEA from their own website:
HongKong Lingyun MDT Infotech Limited.
Pivoting on that company name, we identified a VPN service for Android and iOS called AmanVPN. From the app store, we can see it is supposedly operated by the same company as IPIDEA.
Through dynamic analysis, AmanVPN was determined to be a “free” VPN app that helps IPIDEA source the proxies in their network. The domain
bazh.na.lb.holadns[.]com appears to point to the callback infrastructure for their residential device pool.
As seen in the VirusTotal output above, IPChanger — another Android VPN app — calls back to the same infrastructure used by AmanVPN. Looking at the APK information for IPChanger shows a package name of
Mars Brothers Limited. These connections between PIA and IPIDEA — in addition to sharing residential devices — leads us to the conclusion that they are ultimately operated by the same entity or at the very least white-labeling the “root” proxy service, likely IPIDEA.
Another day, another proxy
Unfortunately for security teams combating fraud and abuse on the Internet, this means the current replacement for 911 is at least 3x as large as 911 ever was. The pricing for PIA is roughly the same and their method of payment is very flexible. They support many types of cryptocurrencies with no KYC policies. We fully expect to continue to see abuse coming from this service. Luckily, Spur is already well positioned to alert our customers in real-time to IPIDEA’s large and ever-shifting residential proxy network. Contact firstname.lastname@example.org to see how our real-time feeds or Monocle integration can help.