SnapDragon Monitoring eyes international growth after sharp increase in turnover

Brand protection specialist SnapDragon Monitoring has announced new plans today to grow its international reach by 25% in 2023, after one of its most successful years to date in 2022, with annual turnover increasing by 29% and exports rising to 49% of sales.

SnapDragon is a Queen’s Award-winning brand protection business based in Edinburgh. Last year the company grew its headcount by 20%, with its latest recruits being seasoned legal professional Ewan McIntyre, who has been appointed as the company’s first General Counsel, and veteran beauty guru Wilma McDaniel, who has joined as head of beauty to help educate on and tackle counterfeits in the sector.

SnapDragon’s detection technology has played a key role in preventing the online sale of millions of fake and copycat products, protecting the end consumer, who frequently buys a fake product unwittingly, as well as company reputations and revenues. The company also recently made significant developments to its brand protection platform, not only launching a new self-service offering of its proprietary software, Swoop, but also upgrading the platform with Delphic Vision, which helps customers detect logo infringements and protects the reputations of public-facing individuals whose likeness is used in deepfakes. Regardless of the source, customers can immediately identify such listings with Delphic and work to have them removed before they do further damage, duping potential customers or causing personal mayhem.

Adopting advanced AI techniques, including both text and image analysis, has allowed SnapDragon to present ranked relevant results to its clients automatically, and in a fraction of the time, while its affordable logo and image detection capabilities add a depth rarely found in brand protection.

“We are delighted with our success over the last year, which has seen our businesses grow not just in figures, but also in Dragons. Everyday consumers and businesses get caught out by fakes and counterfeits, and we are on a mission to help our customers and prospects do more to identify these fraudulent goods and websites before they cause harm. In the next year, we plan to scale the business across further international regions, and also increase our footprint within the legal sector. The ultimate goal is to make the online world a safer place for both consumers and businesses,” said Rachel Jones, CEO of SnapDragon Monitoring.

Today counterfeiting is a huge business that targets all industries, and recent estimates revealed that over £13.6 billion worth of fake goods were imported into Britain in 2020, resulting in lost sales to legitimate businesses worth £9 billion. Fraudsters will often bank on the success of coveted products, making their own cheaper alternatives in a bid to trick consumers into purchases. The consequences are not only lost sales: genuine brands also come directly into the firing line for not doing more to protect customers against this illegal and dangerous trade. SnapDragon acts as a first line of defence against this threat, helping brands including Orchard Toys, Hornit and Ellie Cashman detect fakes of their products and have them removed from the web before they cause harm.

The post SnapDragon Monitoring eyes international growth after sharp increase in turnover appeared first on IT Security Guru.

Data stolen after Hackers hit 14 UK schools

Hackers have launched a successful cyberattack against schools across the UK and have left confidential information related to pupils leaked online.
In total, 14 schools have been impacted, with the sensitive data stolen including passport details, which were likely needed for trips abroad, as well as contracts and pay scales for members of staff.
As reported by the BBC, the attack took place in 2022, with the hacking group Vice Society named as the perpetrators. After the ransom demand was refused, the information was posted online.
Vice Society has been known to target educational institutions in the UK and US, with a string of attacks attributed to the group taking place recently. For instance, 500 gigabytes of data from the entire Los Angeles Unified School District were stolen, which resulted in the FBI issuing an alert on the group’s activities as a warning.
Commenting on the news and offering their thoughts and advice are the following cybersecurity professionals:
Erfan Shadabi, cybersecurity expert at comforte AG:
Given the troves of personal information stored within lower and higher education institutions, they will always be a target for cybercriminals. As a private individual, sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security. Even if you don’t enter your ID, name, address, or even payment details, they can be used to start fraudulent activities. This incident is, however, very serious as many children’s PII was compromised. With an ever-growing attack surface, building just another wall around the institution’s network or a segment of sensitive data is not the best way forward, especially when it comes to phishing attacks that are likely to generate some hits. In the end, if you’re an educational institute, the most important thing to do is to protect your students’ and employees’ data, as well as your precious and highly valuable research, rather than the borders around that information. With modern solutions such as format-preserving encryption or tokenization, you can render useless to hackers any PII (including names, addresses, and IDs) or other data you deem sensitive, even if they manage to penetrate your strengthened perimeters and actually get their hands on it.
Darren Guccione, CEO, Keeper Security:
“This latest incident of Vice Society criminal activity demonstrates why parents and students must make cybersecurity a priority. A password manager is a critical first step that can help them create high-strength, unique passwords for all of their online accounts, applications and systems which will help prevent future attacks and mitigate the risk of sprawl if their information is posted to the dark web and sold. Additionally, they should immediately implement a dark web monitoring service, which will alert them if their stolen credentials and information are available on the dark web. Dark web monitoring will prompt them with an alert in real time so they can take immediate action to protect themselves from a future data breach. Lastly, they should enable two-factor authentication (2FA) on all of their websites and applications that provide this additional protection. 2FA is a powerful and simple way to safeguard accounts from a remote attacker.”

The post Data stolen after Hackers hit 14 UK schools appeared first on IT Security Guru.

Disneyland Malware Team: It’s a Puny World After All

A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.

The Disneyland Team’s Web interface, which allows them to interact with malware victims in real time to phish their login credentials using phony bank websites.

The Disneyland Team uses common misspellings for top bank brands in its domains. For example, one domain the gang has used since March 2022 is ushank[.]com — which was created to phish U.S. Bank customers.

But this group also usually makes use of Punycode to make their phony bank domains look more legit. The U.S. financial services firm Ameriprise uses the domain ameriprise.com; the Disneyland Team’s domain for Ameriprise customers is https://www.xn--meripris-mx0doj[.]com [brackets added to defang the domain], which displays in the browser URL bar as ạmeriprisẹ[.]com.

Look carefully, and you’ll notice small dots beneath the “a” and the second “e”. You could be forgiven if you mistook one or both of those dots for a speck of dust on your computer screen or mobile device.

This candid view inside the Disneyland Team comes from Alex Holden, founder of the Milwaukee-based cybersecurity consulting firm Hold Security. Holden’s analysts gained access to a Web-based control panel the crime group has been using to keep track of victim credentials (see screenshot above). The panel reveals the gang has been operating dozens of Punycode-based phishing domains for the better part of 2022.

Have a look at the Punycode in this Disneyland Team phishing domain: https://login2.xn--mirtesnbd-276drj[.]com, which shows up in the browser URL bar as login2.ẹmirạtesnbd[.]com, a domain targeting users of Emirates NBD Bank in Dubai.

Here’s another domain registered this year by the Disneyland Team: https://xn--clientchwb-zxd5678f[.]com, which spoofs the login page of financial advisor Charles Schwab with the landing page of cliẹntșchwab[.]com. Again, notice the dots under the letters “e” and “s”. Another Punycode domain of theirs sends would-be victims to cliẹrtschwạb[.]com, which combines a brand misspelling with Punycode.

We see the same dynamic with the Disneyland Team Punycode domain https://singlepoint.xn--bamk-pxb5435b[.]com, which translates to singlepoint.ụșbamk[.]com — again phishing U.S. Bank customers.
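The lookalike domains above all rely on the same trick: a Punycode label that decodes to Latin letters carrying combining marks, sometimes combined with a one-letter brand misspelling. As an added example (not code from the article or from Hold Security), the check below decodes an xn-- label, strips the marks to recover the ASCII skeleton a user actually perceives, and compares it against a constructed brand watchlist; the watchlist, the function names and the edit-distance threshold are my assumptions.

```python
import codecs
import unicodedata

# Constructed watchlist: the brand labels the article names as spoofing targets.
BRAND_LABELS = ("ameriprise", "usbank", "schwab", "emiratesnbd")


def decode_label(label: str) -> str:
    """Return the Unicode (U-label) form of one DNS label.

    Labels starting with the IDNA prefix "xn--" are Punycode-decoded;
    everything else is returned unchanged.
    """
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def skeleton(label: str) -> tuple[str, int]:
    """Reduce a label to the ASCII-looking skeleton a user perceives.

    NFKD splits a precomposed letter such as U+1EA1 (a with dot below)
    into the base letter plus a combining mark; dropping every combining
    mark leaves the plain letter.  Returns (skeleton, marks_removed).
    """
    nfkd = unicodedata.normalize("NFKD", decode_label(label))
    base = "".join(ch for ch in nfkd if not unicodedata.combining(ch))
    return base.lower(), len(nfkd) - len(base)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-letter brand misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_host(host: str, brands=BRAND_LABELS, max_distance: int = 1) -> list[dict]:
    """Return one finding per label that imitates a watched brand.

    A label is flagged when it carries combining marks and its skeleton
    contains or nearly matches a brand, or when it is an unaccented
    near-miss (edit distance 1..max_distance) of a brand.  An exact,
    unaccented brand label (the genuine domain) is never flagged.
    """
    findings = []
    for label in host.lower().rstrip(".").split("."):
        base, marks = skeleton(label)
        for brand in brands:
            distance = levenshtein(base, brand)
            close = distance <= max_distance
            if marks and (brand in base or close):
                reason = "combining marks"
            elif not marks and 0 < distance and close:
                reason = "misspelling"
            else:
                continue
            findings.append({
                "label": label,
                "decoded": decode_label(label),
                "skeleton": base,
                "brand": brand,
                "marks": marks,
                "distance": distance,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    # Constructed sample: the article's defanged domains with the brackets removed.
    for host in ("www.xn--meripris-mx0doj.com", "ushank.com", "ameriprise.com"):
        for f in assess_host(host):
            print(f"{host}: {f['decoded']} imitates {f['brand']} ({f['reason']})")
```

The same skeleton comparison works on already-decoded hostnames, so it can run over proxy or DNS logs that record U-labels as well as over raw xn-- labels.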

What’s going on here? Holden says the Disneyland Team is Russian-speaking — if not also based in Russia — but it is not a phishing gang per se. Rather, this group uses the phony bank domains in conjunction with malicious software that is already secretly installed on a victim’s computer.

Holden said the Disneyland Team domains were made to help the group steal money from victims infected with a powerful strain of Microsoft Windows-based banking malware known as Gozi 2.0/Ursnif. Gozi specializes in collecting credentials, and is mainly used for attacks on client-side online banking to facilitate fraudulent bank transfers. Gozi also allows the attackers to connect to a bank’s website using the victim’s computer.

In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site. These web injects allowed malware to rewrite the bank’s HTML code on the fly, and copy and/or intercept any data users would enter into a web-based form, such as a username and password.

Most Web browser makers, however, have spent years adding security protections to block such nefarious activity. As a result, the Disneyland Team simply tries to make their domains look as much like the real thing as possible, and then funnel victims toward interacting with those imposter sites.

“The reason that it is infeasible for them to use in-browser injects include browser and OS protection measures, and difficulties manipulating dynamic pages for banks that require multi-factor authentication,” Holden said.

In reality, the fake bank website overlaid by the Disneyland Team’s malware relays the victim’s browser activity through to the real bank website, while allowing the attackers to forward any secondary login requests from the bank, such as secret questions or multi-factor authentication challenges.

The Disneyland Team included instructions for its users, noting that when the victim enters their login credentials, he sees a 10-second spinning wheel, and then the message, “Awaiting back office approval for your request. Please don’t close this window.”

A fake PNC website overlay or “web inject” displaying a message intended to temporarily prevent the user from accessing their account.

The “SKIP” button in the screenshot above sends the user to the real bank login page, “in case the account is not interesting to us,” the manual explains. “Also, this redirect works if none of our operators are working at the time.”

The “TAKE” button in the Disneyland Team control panel allows users or affiliates to claim ownership over a specific infected machine or bot, which then excludes other users from interacting with that victim.

In the event that it somehow takes a long time to get the victim (bot) connected to the Disneyland Team control panel, or if it is necessary to delay a transaction, users can push a button that prompts the following message to appear on the victim’s screen:

“Your case ID number is 875472. An online banking support representative will get in touch shortly. Please provide your case ID number, and DO NOT close this page.”

The Disneyland user manual explains that the panel can be used to force the victim to log in again if they transmit invalid credentials. It also has other options for stalling victims whilst their accounts are drained. Another fake prompt the panel can produce shows the victim a message saying, “We are currently working on updating our security system. You should be able to log in once the countdown timer expires.”

The user manual says this option blocks the user from accessing their account for two hours. “It is possible to block for an hour with this button, in this case they get less frustrated, within the hours ddos will kill their network.”

Cybercrime groups will sometimes launch distributed denial-of-service (DDoS) attacks on the servers of the companies they’re trying to rob — which is usually intended to distract victims from their fleecing, although Holden said it’s unclear if the Disneyland Team employs this tactic as well.

For many years, KrebsOnSecurity tracked the day-to-day activities of a similar malware crew that used web injects and bots to steal tens of millions of dollars from small- to mid-sized businesses across the United States.

At the end of each story, I would close with a recommendation that anyone concerned about malware snarfing their banking information should strongly consider doing their online banking from a dedicated, security-hardened system which is only used for that purpose. Of course, the dedicated system approach works only if you always use that dedicated system for managing your account online.

Those stories also observed that since the vast majority of the malicious software used in cyberheists is designed to run only on Microsoft Windows computers, it made sense to pick a non-Windows computer for that dedicated banking system, such as a Mac or even a version of Linux. I still stand by this advice.

In case anyone is interested, here (PDF) is a list of all phishing domains currently and previously used by the Disneyland Team.

Accused ‘Raccoon’ Malware Developer Fled Ukraine After Russian Invasion

A 26-year-old Ukrainian man is awaiting extradition from The Netherlands to the United States on charges that he acted as a core developer for Raccoon, a popular “malware-as-a-service” offering that helped paying customers steal passwords and financial data from millions of cybercrime victims. KrebsOnSecurity has learned that the defendant was busted in March 2022, after fleeing mandatory military service in Ukraine in the weeks following the Russian invasion.

Ukrainian national Mark Sokolovsky, seen here in a Porsche Cayenne on Mar. 18 fleeing mandatory military service in Ukraine. This image was taken by Polish border authorities as Sokolovsky’s vehicle entered Germany. Image: KrebsOnSecurity.com.

The U.S. Attorney for the Western District of Texas unsealed an indictment last week that named Mark Sokolovsky as the core developer for the Raccoon Infostealer business, which was marketed on several Russian-language cybercrime forums beginning in 2019.

Raccoon was essentially a Web-based control panel, where — for $200 a month — customers could get the latest version of the Raccoon Infostealer malware, and interact with infected systems in real time. Security experts say the passwords and other data stolen by Raccoon malware were often resold to groups engaged in deploying ransomware.

Working with investigators in Italy and The Netherlands, U.S. authorities seized a copy of the server used by Raccoon to help customers manage their botnets. According to the U.S. Justice Department, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) stolen with the help of Raccoon.

The Raccoon v. 1 web panel, where customers could search by infected IP, and stolen cookies, wallets, domains and passwords.

The unsealed indictment (PDF) doesn’t delve much into how investigators tied Sokolovsky to Raccoon, but two sources close to the investigation shared more information about that process on condition of anonymity because they were not authorized to discuss the case publicly.

According to those sources, U.S. authorities zeroed in on an operational security mistake that the Raccoon developer made early on in his posts to the crime forums, connecting a Gmail account for a cybercrime forum identity used by the Raccoon developer (“Photix”) to an Apple iCloud account belonging to Sokolovsky. For example, the indictment includes a photo that investigators subpoenaed from Sokolovsky’s iCloud account that shows him posing with several stacks of bundled cash.

A selfie pulled from Mark Sokolovsky’s iCloud account. Image: USDOJ.

When Russian President Vladimir Putin invaded Ukraine in late February 2022, Sokolovsky was living in Kharkiv, a city in northeast Ukraine that would soon come under heavy artillery bombardment from Russian forces. Authorities monitoring Sokolovsky’s iCloud account had spent weeks watching him shuttle between Kharkiv and the Ukrainian capital Kyiv, but on Mar. 18, 2022, his phone suddenly showed up in Poland.

Investigators learned from Polish border guards that Sokolovsky had fled Ukraine in a Porsche Cayenne along with a young blond woman, leaving his mother and other family behind. The image at the top of this post was shared with U.S. investigators by Polish border security officials, and it shows Sokolovsky leaving Poland for Germany on Mar. 18.

At the time, all able-bodied men of military age were required to report for service to help repel the Russian invasion, and it would have been illegal for Sokolovsky to leave Ukraine without permission. But both sources said investigators believe Sokolovsky bribed border guards to let them pass.

Authorities soon tracked Sokolovsky’s phone through Germany and eventually to The Netherlands, with his female companion helpfully documenting every step of the trip on her Instagram account. Here is a picture she posted of the two embracing upon their arrival in Amsterdam’s Dam Square:

Authorities in The Netherlands arrested Sokolovsky on Mar. 20, and quickly seized control over the Raccoon Infostealer infrastructure. Meanwhile, on March 25 the accounts that had previously advertised the Raccoon Stealer malware on cybercrime forums announced the service was closing down. The parting message to customers said nothing of an arrest, and instead insinuated that the core members in charge of the malware-as-a-service project had perished in the Russian invasion.

“Unfortunately, due to the ‘special operation,’ we will have to close our Raccoon Stealer project,” the team announced Mar. 25. “Our team members who were responsible for critical components of the product are no longer with us. Thank you for this experience and time, for every day, unfortunately everything, sooner or later, the end of the WORLD comes to everyone.”

Sokolovsky’s extradition to the United States has been granted, but he is appealing that decision. He faces one count of conspiracy to commit computer fraud; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering, and one count of aggravated identity theft.

Sources tell KrebsOnSecurity that Sokolovsky has been consulting with Houston, Tx.-based attorney F. Andino Reynal, the same lawyer who represented Alex Jones in the recent defamation lawsuit against Jones and his conspiracy theory website Infowars. Reynal was responsible for what Jones himself referred to as the “Perry Mason” moment of the trial, wherein the plaintiff’s lawyer revealed that Reynal had inadvertently given them an entire digital copy of Jones’s cell phone. Mr. Reynal did not respond to requests for comment.

If convicted, Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.

The Justice Department has set up a website — raccoon.ic3.gov — that allows visitors to check whether their email address shows up in the data collected by the Raccoon Stealer service.

Top things to do after installing Ubuntu 22.10 Kinetic Kudu

Ubuntu 22.10 Kinetic Kudu is out! Time to install the new system and do some configuration before it is ready for use. Here is a list of things I can recommend.

1. Update the package cache & install media codecs

On a new Ubuntu system, you may need to refresh the package index before you can install software packages. This can be done easily in either of two ways:

  • Launch ‘Software Updater’ and wait for the automatic ‘checking for updates’ to finish.
  • Or, press Ctrl+Alt+T to open a terminal and run:
    sudo apt update

    Type your user password when prompted; no asterisks are shown while you type.

Ubuntu does not include the multimedia codecs needed to play video and music in the default applications out of the box. They are, however, quite easy to install:

  • Either open ‘Ubuntu Software’, then search for and install ‘Ubuntu restricted extras’
  • Or, open a terminal (Ctrl+Alt+T) and run:
    sudo apt install ubuntu-restricted-extras

    While installing the Microsoft fonts, it will prompt you to accept the licence; press Tab to highlight OK and hit Enter.

For Kubuntu users, replace ubuntu-restricted-extras with kubuntu-restricted-extras in the command.

2. Enable Flatpak & AppImage support

Ubuntu officially supports the Snap and Deb package formats. But the popular Flatpak and AppImage formats are hard to avoid on Linux today.

AppImage requires libfuse2, which has NOT been pre-installed since Ubuntu 22.04 due to the switch to fuse3. The package is, however, still available in the system repository.

  • Open a terminal (Ctrl+Alt+T) and run this command to enable AppImage support:
    sudo apt install libfuse2

Ubuntu also does not support Flatpak out of the box, but it can be enabled with a single command:

  • Enable Flatpak in Ubuntu:
    sudo apt install flatpak

After that, you can go to flathub.org to find and install your favorite apps as Flatpaks.

3. Hide USB/mounted disks from the left panel, enable minimize on click

The left (or bottom) panel shows connected USB sticks and mounted disk volumes out of the box. You can, however, hide them using the new ‘Ubuntu Dock’ settings.

  • First, open the system tray menu in the top-right corner and click the ‘gear’ button to open Settings.
  • When ‘Settings’ opens, navigate to the new ‘Ubuntu Dock’ tab. Then click “Configure dock behavior” at the bottom right.
  • Finally, use the ON/OFF switches to show or hide the mounted drives as well as the trash can icon.

To make clicking an app icon on the left (or bottom) dock focus or minimize the app window, open a terminal (Ctrl+Alt+T) and run:

gsettings set org.gnome.shell.extensions.dash-to-dock click-action 'minimize'

Ubuntu 22.10 introduced a new feature: clicking an app icon on the dock opens the overview screen for easy switching when that app has multiple windows open. So the command below may be a better choice:

gsettings set org.gnome.shell.extensions.dash-to-dock click-action 'focus-minimize-or-appspread'

After that, clicking an app icon on the dock will either open/focus the window, minimize it, or go to the overview for switching between windows.

4. Enable ‘New Documents’ context menu

GNOME is working on making it easy to create new documents in ‘Files’ (aka the Nautilus file manager). Until then, you need to manually create an empty document in the ‘Templates’ folder to enable this context menu option.

  1. First, click ‘Activities’ at the top left to open the overview screen. Then search for and open ‘Text Editor’.
  2. In the text editor window, go to the ‘≡’ menu and select ‘Save As’ (you don’t have to type anything; just save an empty document).
  3. Finally, save the empty file as ‘Empty Document’ into your ‘Templates’ folder.

After that, right-click on a blank area of the desktop or a file manager window to see the ‘New Document’ option.

5. Install useful configuration tools

There are some useful configuration tools you may need. Either install them via the “Ubuntu Software” app or run the apt commands below in a terminal.

  • Open a terminal (Ctrl+Alt+T) and run this command to install GNOME Tweaks:
    sudo apt install gnome-tweaks

GNOME Tweaks

  • Run this command to install ‘Extension Manager’ for installing & managing extensions:
    sudo apt install gnome-shell-extension-manager

Extension Manager

Install some cool GNOME Shell extensions (e.g. ‘Just Perfection’, ‘Blur my Shell’) via the Extension Manager app under the ‘Browse’ tab.

Just Perfection with even more configuration options

6. Set light/dark photo images as a wallpaper that switches automatically

GNOME 40 introduced adaptive wallpapers that change automatically depending on the system color scheme. This is not available in Ubuntu 22.04 due to its custom ‘Settings’ dialog. In Ubuntu 22.10, you can set light and dark versions of your own photos as wallpaper via the following steps.

  1. First, open ‘Files’ (the Nautilus file manager), then press Ctrl+H to show hidden files/folders.
  2. Then, navigate to .local/share and create a new sub-folder called ‘gnome-background-properties’.
  3. Finally, create a .xml file with any name under that folder and insert the following content (change the paths accordingly).
<?xml version="1.0"?>
<!DOCTYPE wallpapers SYSTEM "gnome-wp-list.dtd">
<wallpapers>
  <wallpaper deleted="false">
    <name>TYPE_NAME_HERE</name>
    <filename>/PATH/TO/PICTURE_LIGHT</filename>
    <filename-dark>/PATH/TO/PICTURE_DARK</filename-dark>
    <options>zoom</options>
    <shade_type>solid</shade_type>
    <pcolor>#3465a4</pcolor>
    <scolor>#000000</scolor>
  </wallpaper>
</wallpapers>

After that, open ‘Settings’ and navigate to ‘Appearance’ to find the new adaptive wallpaper:

7. Get ‘Login Manager Settings’ to configure the login screen

GDM Settings is a login screen management tool for the GNOME display manager. The application is now stable for daily use, though it is a young project.

  1. First, go to the project page below and download the AppImage.
  2. Right-click on the AppImage, go to ‘Properties’, and then turn on the option ‘Executable as Program’.
  3. Then right-click it and choose ‘Run’ to launch the configuration tool.
  4. There, go to ‘Appearance’ -> Background -> Type ‘Image’ and select a photo for the login screen.
  5. Configure the font, color, logo, disable the user list, etc. as you like, and finally click the ‘Apply’ button to make the changes.

Configure Login Screen Appearance

8. Install Firefox as classic Deb package

For those who prefer the classic Deb to Snap, open a terminal (Ctrl+Alt+T) and run the commands below one by one to switch Firefox from Snap to Deb.

  • Back up your important data, if any.
  • Run the commands below one by one to remove Firefox:
    sudo apt remove --autoremove firefox
    sudo snap remove firefox
  • Add the Mozilla Team PPA:
    sudo add-apt-repository ppa:mozillateam/ppa
  • Finally, install Firefox as a Deb from the PPA:
    sudo apt install -t 'o=LP-PPA-mozillateam' firefox

To prevent Ubuntu from automatically updating Firefox to Snap again, you also need to set a higher PPA priority. See this tutorial for details.
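As an added example (not from the original post), this is an apt pin that gives the PPA release origin used in the install command above a higher priority than the Ubuntu archive, so the transitional firefox package that pulls the Snap back in no longer wins. The file name under /etc/apt/preferences.d/ is my choice; the origin string is the one from the command above.

```text
Explanation: Prefer Firefox Debs from the Mozilla Team PPA over the archive's Snap wrapper
Package: *
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001
```

After saving the file, run apt-cache policy firefox to confirm that the candidate version comes from the PPA with priority 1001.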

9. Switch back to the Xorg session

If you have old applications that still do NOT run properly in the default Wayland session, simply log out, click your username, use the ‘gear’ button menu at the bottom right to switch back to the Xorg session, and then log in.

7-Eleven Stores in Denmark Close After Cyberattack

7-Eleven stores in Denmark closed their doors yesterday after a cyberattack disrupted store payment and checkout systems throughout the country.

The attack occurred early on 8 August, with the company posting on Facebook that they were likely “exposed to a hacker attack”.

The translated statement says that the company has closed all the stores in the country while investigating the security incident.

The statement read: “Unfortunately, we suspect that we have been exposed to a hacker attack today, Monday 8 August 2022. This means that we cannot use checkouts and/or receive payment. We are therefore keeping the stores closed until we know the extent. We naturally hope that we can open the stores again soon.”

A now-deleted Reddit post, allegedly written by a 7-Eleven employee in Denmark, also confirmed the cyberattack, saying that they were forced to close the store after checkout systems went down.

“Working at the 7-eleven at Strøget and our checkout system does not work, all the country’s 7-eleven run with the same system, so all 7-eleven in Denmark are “closed” right now,” said the 7-Eleven employee on Reddit.

“We ourselves have closed our doors to customers and have put up a sign.”

There are no further details about the attack, including whether ransomware was involved. The situation is still developing at time of writing.

The post 7-Eleven Stores in Denmark Close After Cyberattack appeared first on IT Security Guru.

911 Proxy Service Implodes After Disclosing Breach

The 911 service as it existed until July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.

911[.]re was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

As noted in KrebsOnSecurity’s July 19 story on 911, the proxy service operated multiple pay-per-install schemes that paid affiliates to surreptitiously bundle the proxy software with other software, continuously generating a steady stream of new proxies for the service.

A cached copy of flashupdate[.]net circa 2016, which shows it was the homepage of a pay-per-install affiliate program that incentivized the silent installation of 911’s proxy software.

Within hours of that story, 911 posted a notice at the top of its site, saying, “We are reviewing our network and adding a series of security measures to prevent misuse of our services. Proxy balance top-up and new user registration are closed. We are reviewing every existing user, to ensure their usage is legit and [in] compliance with our Terms of Service.”

At this announcement, all hell broke loose on various cybercrime forums, where many longtime 911 customers reported they were unable to use the service. Others affected by the outage said it seemed 911 was trying to implement some sort of “know your customer” rules — that maybe 911 was just trying to weed out those customers using the service for high volumes of cybercriminal activity.

Then on July 28, the 911 website began redirecting to a notice saying, “We regret to inform you that we permanently shut down 911 and all its services on July 28th.”

According to 911, the service was hacked in early July, and it was discovered that someone manipulated the balances of a large number of user accounts. 911 said the intruders abused an application programming interface (API) that handles the topping up of accounts when users make financial deposits with the service.

“Not sure how did the hacker get in,” the 911 message reads. “Therefore, we urgently shut down the recharge system, new user registration, and an investigation started.”
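911's statement says only that an API used for topping up balances was abused and that account balances were altered; the article gives no further detail of the flaw. As an added illustration (not 911's code, and not an account of what actually went wrong there), here is a minimal top-up handler with the controls that keep a balance from moving except through a verified payment: a processor-signed notification checked with a constant-time HMAC comparison, an idempotency set so one payment credits exactly once, an amount policy, and an append-only ledger from which balances are recomputed to detect edits made outside the handler. The secret, the limit, the payload layout and the `sign_notification` helper standing in for the payment processor are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed secret for the demo; a real service loads it from a secret
# store and rotates it, never from source code.
PROCESSOR_SECRET = b"demo-webhook-secret"
MAX_TOPUP_CENTS = 100_000_00  # assumed policy limit, 100,000.00 in account currency


def canonical(payload):
    """Stable serialization so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_notification(payload, secret=PROCESSOR_SECRET):
    """Simulates the HMAC a payment processor would attach to its notification."""
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


class TopUpRejected(Exception):
    pass


class Wallet:
    """Balances that can only move through verified, unreplayable payments."""

    def __init__(self, secret=PROCESSOR_SECRET):
        self.secret = secret
        self.ledger = []            # append-only record: (payment_id, user, cents)
        self.seen_payments = set()  # idempotency: one credit per processor payment id
        self.balances = {}          # cached view, always derivable from the ledger

    def top_up(self, payload, signature):
        """Credit a user only for a notification the processor actually signed."""
        expected = sign_notification(payload, self.secret)
        if not hmac.compare_digest(expected, signature):
            raise TopUpRejected("signature mismatch: payload not from the processor")
        pid = payload.get("payment_id")
        user = payload.get("user")
        cents = payload.get("amount_cents")
        if not pid or not user:
            raise TopUpRejected("missing payment_id or user")
        # type() rather than isinstance(): bool is an int subclass in Python.
        if type(cents) is not int or cents <= 0 or cents > MAX_TOPUP_CENTS:
            raise TopUpRejected("amount outside policy")
        if pid in self.seen_payments:
            raise TopUpRejected("duplicate payment_id (replay)")
        self.seen_payments.add(pid)
        self.ledger.append((pid, user, cents))
        self.balances[user] = self.balances.get(user, 0) + cents
        return self.balances[user]

    def reconcile(self):
        """Recompute every balance from the ledger and return the users whose
        cached balance disagrees. Run on a schedule, this catches changes to
        the balance table that bypassed top_up()."""
        recomputed = {}
        for _, user, cents in self.ledger:
            recomputed[user] = recomputed.get(user, 0) + cents
        users = set(recomputed) | set(self.balances)
        return sorted(u for u in users
                      if recomputed.get(u, 0) != self.balances.get(u, 0))


if __name__ == "__main__":
    w = Wallet()
    note = {"payment_id": "pay_001", "user": "alice", "amount_cents": 5000}
    print(w.top_up(note, sign_notification(note)))   # 5000
    try:
        w.top_up(note, sign_notification(note))      # same payment again: rejected
    except TopUpRejected as e:
        print("rejected:", e)
    w.balances["alice"] = 9_999_999                  # edit made outside top_up()
    print("mismatched:", w.reconcile())              # ['alice']
```

The design point is that the balance table is never the source of truth: the ledger is, and a periodic `reconcile()` turns any direct modification of balances into an alert rather than a silent loss. In a real deployment the ledger lives in a separate, write-once store with its own backups, which is also what makes recovery possible when the live database is damaged.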

The parting message from 911 to its users, posted to the homepage July 28, 2022.

However the intruders got in, 911 said, they managed to also overwrite critical 911[.]re servers, data and backups of that data.

“On July 28th, a large number of users reported that they could not log in the system,” the statement continues. “We found that the data on the server was maliciously damaged by the hacker, resulting in the loss of data and backups. Its [sic] confirmed that the recharge system was also hacked the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable.”

Operated largely out of China, 911 was an enormously popular service across many cybercrime forums, and it became something akin to critical infrastructure for this community after two of 911’s longtime competitors, the malware-based proxy services VIP72 and LuxSocks, closed their doors in the past year.

Now, many on the crime forums who relied on 911 for their operations are wondering aloud whether there are any alternatives that match the scale and utility that 911 offered. The consensus seems to be a resounding “no.”

I’m guessing we may soon learn more about the security incidents that caused 911 to implode. And perhaps other proxy services will spring up to meet what appears to be a burgeoning demand for such services at the moment, with comparatively little supply.

In the meantime, 911’s absence may coincide with a measurable (if only short-lived) reprieve in unwanted traffic to top Internet destinations, including banks, retailers and cryptocurrency platforms, as many former customers of the proxy service scramble to make alternative arrangements.

Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said 911’s network will be difficult to replicate in the short run.

“My speculation is [911’s remaining competitors] are going to get a major boost in the short term, but a new player will eventually come along,” Kilmer said. “None of those are good replacements for LuxSocks or 911. However, they will all allow anyone to use them. For fraud rates, the attempts will continue but through these replacement services which should be easier to monitor and stop. 911 had some very clean IP addresses.”

GIMP in a Pinch: Life after Desktop

So my Dell XPS 13 DE laptop running Ubuntu died on me today. Let’s just say I probably should not have attempted to be efficient and take a bath and work at the same time!

Unfortunately, as always seems to happen, you need something at exactly the moment you don’t have it, and that was the case today. I have some pictures that I need to edit for a website, and the only editor I know and use is GIMP. I took a look at my PC inventory at home, and I had two options:

  1. Macbook Air: My roommate’s computer
  2. HP Chromebook 11: A phase of my life where I attempted to streamline my life and simplify which lasted two weeks

My roommate was using his computer, so that really left me with only one option, the Chromebook. I also had no desire to learn another OS today, as I have done enough distro hopping in the last few months. I charged and booted up the Chromebook and started to figure out how I could get GIMP onto it. Interestingly enough, there are not many clear-cut options for running GIMP on an Android device. There was an option to run a Linux developer environment on the Chromebook, but it required 10GB of space, which I didn’t have. Therefore, option two was to find an app on the Google Play Store.

Typing GIMP brought me to an app called XGimp Image Editor from DMobileAndroid. I installed it and loaded an image, only to find this:

[Screenshot: gimp-image-1]

This is definitely nothing like GIMP, and it appeared to be very limited in functionality anyway. I could see why it had garnered a 1.4-star rating, as it is definitely not what someone would expect when looking for something similar to GIMP.

So I took a look at the other options, and there was another app called GIMP from Userland Technologies. It does cost $1.99, but it is a one-time charge, and it seemed to be the only other option on the Play Store. The screenshots and the description of the application suggested that this would be the actual GIMP I was using on my desktop, so I went ahead and downloaded it. Installation was relatively quick, and when I started it, to my surprise, here is what I saw:

[Screenshot: gimp-image-3]

It appears that the application is basically a Linux desktop build that automatically launches the desktop version of GIMP, so it really is GIMP. Loading an image was also relatively easy, as it seamlessly connected to the folders on my Chromebook.