Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any which way they can â such as by secretly bundling it with other titles.
The Microleaves proxy service, which is in the process of being rebranded to Shifter[.[io.
Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customerâs Internet Protocol (IP) address every five to ten minutes.
The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked â such as data scraping, or mass-creating new accounts at some service online.
In response to a report about the data exposure from KrebsOnSecurity, Microleaves said it was grateful for being notified about a âvery serious issue regarding our customer information.â
Abhishek Gupta is the PR and marketing manager for Microleaves, which he said in the process of being rebranded to âShifter.io.â Gupta said the report qualified as a âmediumâ severity security issue in Shifterâs brand new bug bounty program (the site makes no mention of a bug bounty), which he said offers up to $2,000 for reporting data exposure issues like the one they just fixed. KrebsOnSecurity declined the offer and requested that Shifter donate the amount to the Electronic Frontier Foundation (EFF), a digital rights group.
From its inception nearly a decade ago, Microleaves has claimed to lease between 20-30 million IPs via its service at any time. Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said that 20-30 million number might be accurate for Shifter if measured across a six-month time frame. Currently, Spur is tracking roughly a quarter-million proxies associated with Microleaves/Shifter each day, with a high rate of churn in IPs.
Early on, this rather large volume of IP addresses led many to speculate that Microleaves was just a botnet which was being resold as a commercial proxy service.
Proxy traffic related to top Microleaves users, as exposed by the websiteâs API.
The very first discussion thread started by the new user Microleaves on the forum BlackHatWorld in 2013 sought forum members who could help test and grow the proxy network. At the time, the Microleaves user said their proxy network had 150,000 IPs globally, and was growing quickly.
One of BlackHatWorldâs moderators asked the administrator of the forum to review the Microleaves post.
âUser states has 150k proxies,â the forum skeptic wrote. âNo seller on BHW has 150k working daily proxies none of us do. Which hints at a possible BOTNET. Thatâs the only way you will get 150k.â
Microleaves has long been classified by antivirus companies as adware or as a âpotentially unwanted programâ (PUP), the euphemism that antivirus companies use to describe executable files that get installed with ambiguous consent at best, and are often part of a bundle of software tied to some âfreeâ download. Security vendor Kaspersky flags the Microleaves family of software as a trojan horse program that commandeers the userâs Internet connection as a proxy without notifying the user.
âWhile working, these Trojans pose as Microsoft Windows Update,â Kaspersky wrote.
In a February 2014 post to BlackHatWorld, Microleaves announced that its sister service â reverseproxies[.]com â was now offering an âAuto CAPTCHA Solving Service,â which automates the solving of those squiggly and sometimes frustrating puzzles that many websites use to distinguish bots from real visitors. The CAPTCHA service was offered as an add-on to the Microleaves proxy service, and ranged in price from $20 for a 2-day trial to $320 for solving up to 80 captchas simultaneously.
âWe break normal Recaptcha with 60-90% success rate, recaptcha with blobs 30% success, and 500+ other captcha,â Microleaves wrote. âAs you know all success rate on recaptcha depends very much on good proxies that are fresh and not spammed!â
WHO IS ACIDUT?
The exposed Microleaves user database shows that the first user created on the service â username âadminâ â used the email address alex.iulian@aol.com. A search on that email address in Constella Intelligence, a service that tracks breached data, reveals it was used to create an account at the link shortening service bit.ly under the name Alexandru Florea, and the username âAcidut.â [Full disclosure: Constella is currently an advertiser on this website].
According to the cyber intelligence company Intel 471, a user named Acidut with the email address iulyan87_4u@gmail.com had an active presence on almost a dozen shadowy money-making and cybercrime forums from 2010 to 2017, including BlackHatWorld, Carder[.]pro, Hackforums, OpenSC, and CPAElites.
The user Microleaves (later âShifter.ioâ) advertised on BlackHatWorld the sale of 31 million residential IPs for use as proxies, in late 2013. The same account continues to sell subscriptions to Shifter.io.
In a 2011 post on Hackforums, Acidut said they were building a botnet using an âexploit kit,â a set of browser exploits made to be stitched into hacked websites and foist malware on visitors. Acidut claimed their exploit kit was generating 3,000 to 5,000 new bots each day. OpenSC was hacked at one point, and its private messages show Acidut purchased a license from Exmanoize, the handle used by the creator of the Eleonore Exploit Kit.
By November 2013, Acidut was advertising the sale of â26 million SOCKS residential proxies.â In a March 2016 post to CPAElites, Acidut said they had a worthwhile offer for people involved in pay-per-install or âPPIâ schemes, which match criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs and websites.
Because pay-per-install affiliate schemes rarely impose restrictions on how the software can be installed, such programs can be appealing for cybercriminals who already control large collections of hacked machines and/or compromised websites. Indeed, Acidut went a step further, adding that their program could be quietly and invisibly nested inside of other programs.
âFor those of you who are doing PPI I have a global offer that you can bundle to your installer,â Acidut wrote. âI am looking for many installs for an app that will generate website visits. The installer has a silence version which you can use inside your installer. I am looking to buy as many daily installs as possible worldwide, except China.â
Asked about the source of their proxies in 2014, the Microleaves user responded that it was âsomething related to a PPI network. I canât say more and I wonât get into details.â
Acidut authored a similar message on the forum BlackHatWorld in 2013, where they encouraged users to contact them on Skype at the username ânevo.julian.â That same Skype contact address was listed prominently on the Microleaves homepage up until about a week ago when KrebsOnSecurity first reached out to the company.
ONLINE[.]IO (NOW MERCIFULLY OFFLINE)
There is a Facebook profile for an Alexandru Iulian Florea from Constanta, Romania, whose username on the social media network is Acidut. Prior to KrebsOnSecurity alerting Shifter of its data breach, the Acidut profile page associated Florea with the websites microleaves.com, shrooms.io, leftclick[.]io, and online[.]io. Mr. Florea did not respond to multiple requests for comment, and his Facebook page no longer mentions these domains.
Leftclick and online[.]io emerged as subsidiaries of Microleaves between 2017 and 2018. According to a help wanted ad posted in 2018 for a developer position at online[.]io, the companyâs services were brazenly pitched to investors as âa cybersecurity and privacy tool kit, offering extensive protection using advanced adblocking, anti-tracking systems, malware protection, and revolutionary VPN access based on residential IPs.â
A teaser from Irish Tech News.
âOnline[.]io is developing the first fully decentralized peer-to-peer networking technology and revolutionizing the browsing experience by making it faster, ad free, more reliable, secure and non-trackable, thus freeing the Internet from annoying ads, malware, and trackers,â reads the rest of that help wanted ad.
Microleaves CEO Alexandru Florea gave an âinterviewâ to the website Irishtechnews.ie in 2018, in which he explained how Online[.]io (OIO) was going to upend the online advertising and security industries with its initial coin offering (ICO). The word interview is in air quotes because the following statements by Florea deserved some serious pushback by the interviewer.
âOnline[.]io solution, developed using the Ethereum blockchain, aims at disrupting the digital advertising market valued at more than $1 trillion USD,â Alexandru enthused. âBy staking OIO tokens and implementing our solution, the website operators will be able to access a new non-invasive revenue stream, which capitalizes on time spent by users online.â
âAt the same time, internet users who stake OIO tokens will have the opportunity to monetize on the time spent online by themselves and their peers on the World Wide Web,â he continued. âThe time spent by users online will lead to ICE tokens being mined, which in turn can be used in the dedicated merchant system or traded on exchanges and consequently changed to fiat.â
Translation: If you install our proxy bot/CAPTCHA-solver/ad software on your computer â or as an exploit kit on your website â weâll make millions hijacking ads and you will be rewarded with heaps of soon-to-be-worthless shitcoin. Oh, and all your security woes will disappear, too.
Itâs unclear how many Internet users and websites willingly agreed to get bombarded with Online[.]ioâs annoying ads and search hijackers â and to have their PC turned into a proxy or CAPTCHA-solving zombie for others. But that is exactly what multiple security companies said happened when users encountered online[.]io, which operated using the Microsoft Windows process name of âonline-guardian.exe.â
Incredibly, Crunchbase says Online[.]io raised $6 million in funding for an initial coin offering in 2018, based on the plainly ludicrous claims made above. Since then, however, online[.]io seems to have goneâŚoffline, for good.
SUPER TECH VENTURES?
Until this week, Shifter.ioâs website also exposed information about its customer base and most active users, as well as how much money each client has paid over the lifetime of their subscription. The data indicates Shifter has earned more than $11.7 million in direct payments, although itâs unclear how far back in time those payment records go, or how complete they are.
The bulk of Shifter customers who spent more than $100,000 at the proxy service appear to be digital advertising companies, including some located in the United States. None of the several Shifter customers approached by KrebsOnSecurity agreed to be interviewed.
Shifterâs Gupta said heâd been with the company for three years, since the new owner took over the company and made the rebrand to Shifter.
âThe company has been on the market for a long time, but operated under a different brand called Microleaves, until new ownership and management took over the company started a reorganization process that is still on-going,â Gupta said. âWe are fully transparent. Mostly [our customers] work in the data scraping niche, this is why we actually developed more products in this zone and made a big shift towards APIs and integrated solutions in the past year.â
Ah yes, the same APIs and integrated solutions that were found exposed to the Internet and leaking all of Shifterâs customer information.
Gupta said the original founder of Microleaves was a man from India, who later sold the business to Florea. According to Gupta, the Romanian entrepreneur had multiple issues in trying to run the company, and then sold it three years ago to the current owner â Super Tech Ventures, a private equity company based in Taiwan.
âOur CEO is Wang Wei, he has been with the company since 3 years ago,â Gupta said. âMr. Florea left the company two years ago after ending this transition period.â
Google and other search engines seem to know nothing about a Super Tech Ventures based in Taiwan. Incredibly, Shifterâs own PR person claimed that he, too, was in the dark on this subject.
âI would love to help, but I really donât know much about the mother company,â Gupta said, essentially walking back his âfully transparentâ statement. âI know they are a branch of the bigger group of asian investment firms focused on private equity in multiple industries.â
Adware and proxy software are often bundled together with âfreeâ software utilities online, or with popular software titles that have been pirated and quietly fused with installers tied to various PPI affiliate schemes.
But just as often, these intrusive programs will include some type of notice â even if installed as part of a software bundle â that many users simply do not read and click âNextâ to get on with installing whatever software theyâre seeking to use. In these cases, selecting the âbasicâ or âdefaultâ settings while installing usually hides any per-program installation prompts, and assumes you agree to all of the bundled programs being installed. Itâs always best to opt for the âcustomâ installation mode, which can give you a better idea of what is actually being installed, and can let you control certain aspects of the installation.
Either way, itâs best to start with the assumption that if a software or service online is âfree,â that there is likely some component involved that allows the provider of that service to monetize your activity. As KrebsOnSecurity noted at the conclusion of last weekâs story on a China-based proxy service called 911, the rule of thumb for transacting online is that if youâre not the paying customer, then you and/or your devices are probably the product thatâs being sold to others.
Further reading on proxy services:
July 18, 2022: A Deep Dive Into the Residential Proxy Service â911â
June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet
June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet
Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark
Aug. 19, 2019: The Rise of âBulletproofâ Residential Networks
