San Diego FBI takes down Russian botnet

Authorities in San Diego announced that they have dismantled a Russian botnet known as RSOCKS following a six-year investigation.

Germany, the Netherlands, and the UK were also involved in the takedown, which covered millions of hacked devices around the world. Compromised devices included wireless radio links, time clocks, networking equipment, audio/video streaming devices, Raspberry Pi micro-computers, and smart garage door openers. Rsocks’ Twitter account claimed access to more than 8 million devices.

The search warrant (see below) shows the operators of the Russian RSOCKS botnet sold access to compromised devices via a website hosted at Vultr in West Palm Beach, Florida. Vultr is owned by The Constant Company, LLC.

According to the search warrant, the storefront at RSOCKS.net allowed customers to rent access to a pool of proxies by the day, week, or month. Prices ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

Customers then used these proxies to mount large-scale credential stuffing attacks (replaying stolen username/password pairs against login pages, with each attempt routed through a different compromised device), which gave them access to legitimate users’ online accounts, such as social networking and email accounts. Victims included “a university, a hotel, a television studio, an electronics manufacturer, as well as home businesses and individuals,” according to the warrant. The victims are not named. Rsocks.net and other associated domains have been seized by the FBI.
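As an added illustration (not part of the article or the warrant), the Python below shows why stuffing traffic spread across rented proxies slips past a per-IP failed-login threshold, and which aggregate signals a defender can still alert on. The log lines, field names and thresholds are constructed assumptions, not data from the case.

```python
import re
from collections import Counter

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)")

def build_sample_log():
    """Constructed auth log (not real data): a proxy-distributed credential-stuffing
    campaign mixed with a little normal traffic. Each proxy IP makes only two
    attempts, each against a different account, so no single source looks noisy."""
    lines = []
    for i in range(40):                                  # 40 proxy IPs, 80 attempts
        ip = f"203.0.113.{i + 1}"                        # documentation range
        for j in range(2):
            result = "ok" if (i, j) == (17, 1) else "fail"   # one stolen pair works
            lines.append(f"login user=user{2 * i + j:03d} src={ip} result={result}")
    lines += ["login user=alice src=198.51.100.7 result=ok",   # legitimate user,
              "login user=alice src=198.51.100.7 result=fail",  # one typo
              "login user=alice src=198.51.100.7 result=ok"]
    return lines

def parse(lines):
    return [m.groupdict() for m in map(LINE_RE.search, lines) if m]

def per_ip_alerts(events, threshold=5):
    """Classic per-source rule: flag IPs with at least `threshold` failed logins."""
    fails = Counter(e["src"] for e in events if e["result"] == "fail")
    return {ip for ip, n in fails.items() if n >= threshold}

def campaign_indicators(events):
    """Aggregate view that survives proxy distribution: global failure ratio,
    number of distinct accounts tried, and how many accounts each source touches."""
    fails = sum(e["result"] == "fail" for e in events)
    users = {e["user"] for e in events}
    srcs = {e["src"] for e in events}
    return {"fail_ratio": fails / len(events), "distinct_users": len(users),
            "distinct_srcs": len(srcs), "users_per_src": len(users) / len(srcs)}

def stuffing_suspected(ind, fail_ratio=0.8, min_users=50):
    """Heuristic with assumed thresholds: mostly-failing logins across many accounts,
    from sources that each try more than one account."""
    return (ind["fail_ratio"] >= fail_ratio and ind["distinct_users"] >= min_users
            and ind["users_per_src"] > 1.0)

if __name__ == "__main__":
    ev = parse(build_sample_log())
    print("per-IP alerts:", per_ip_alerts(ev))          # set(): nothing fires
    ind = campaign_indicators(ev)
    print("indicators:", ind, "suspected:", stuffing_suspected(ind))   # True
```

The per-IP rule never fires because every proxy stays under the threshold; the aggregate view, keyed on accounts rather than sources, is what exposes the campaign.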

RSOCKS was operated by “a highly sophisticated Russia-based cybercrime organization,” San Diego FBI Special Agent in Charge Stacey said in a news release. Domain history for rsocks.net shows it was registered in 2015 by Rsocks Ltd., a UK company. UK corporate filings identify Rsocks Ltd.’s director as Vyacheslav Zainullin, a 29-year-old citizen of Kazakhstan.

Here’s the search warrant: