2 min Security

New cybercrime tactic: selling someone else’s Internet connection

New cybercrime tactic: selling someone else’s Internet connection

Cybercriminals can hijack and resell the Internet access of unsuspecting users. By making users’ bandwidth available for proxyware services, criminals are able to earn up to $10 (just over €9) per affected device per month. Security vendor Sysdig warns companies of the risks.

Sysdig’s Threat Research Team discovered an exploitation of weaknesses in an outdated version of Log4j. Usually, attackers launch a cryptomining application that runs on the affected PC’s CPU. So instead of stealing CPU cycles for mining, in this case, network access was partially taken over. The bandwidth can be sold to proxyware services undetected, which pay a monthly fee per IP address. Someone else is then able to use this IP address, with all that entails. Sysdig warns of the potential financial and legal costs associated with a proxyjacking attack. In an extreme case, a victim may be suspected of illegal activity carried out by a criminal somewhere else via the proxyware service.

Lucrative tactics

Regular users of the Internet who want to share their connection may use a proxyware service. This way, they can earn about ten dollars a month. Sysdig looked into a number of these companies. Their research team concluded that claims of, for example, “ethically acquired IP addresses” made by these companies are not tenable. For example, Pawns and IPRoyal only verify that the potential provider isn’t trying to resell a cloud connection, but nothing more. The victims of proxyjackers remain unprotected because, on the face of it, they have a “normal” IP address.

Sysdig has calculated that there are more than 23,000 systems online still using a vulnerable version of Log4j. Therefore, the exploit that Sysdig detected could generate more than $220,000 a month for proxyjackers. However, the security vendor estimates that a passive income of $1,000 per month is a more realistic prospect, which assumes that a criminal manages to hit 100 IP addresses in an attack.

A proxyjacking attack can also occur through means other than exploiting Log4j weaknesses. Sysdig advises companies to take measures by setting a monthly Internet bandwidth cap or an alert when exceeding a certain amount of Internet bandwidth. Although criminal use of proxyware services is limited now, the security vendor foresees an increase over time.