Latest news with #botnet


Digital Trends
8 hours ago
Check your gadgets: FBI warns millions of streaming devices infected by malware
The FBI issued a public warning last week about a massive cybercrime operation exploiting everyday internet-connected devices. The botnet, dubbed BADBOX 2.0, has quietly infiltrated millions of TV streaming boxes, digital projectors, tablets, car infotainment systems, and other smart gadgets commonly found in homes across the U.S.

What BADBOX 2.0 actually does

Once compromised, these devices don't just underperform or crash: they secretly enlist your home internet connection into a residential proxy network. That means cybercriminals can hide behind your IP address to commit crimes like ad fraud, data scraping, and more. All of it happens behind the scenes, without the victim's knowledge.

'This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,' said Gavin Reid, chief information security officer at cybersecurity firm Human Security, in an interview with Wired.

What devices are affected?

According to the FBI, BADBOX 2.0 has infected:
- TV streaming boxes
- Digital projectors
- Aftermarket vehicle infotainment systems
- Digital picture frames

Most of these devices are manufactured in China and marketed under generic or unrecognizable brand names. Security researchers estimate at least 1 million active infections globally, with the botnet potentially encompassing several million devices overall. The worst offenders belong to the 'TV98' and 'X96' families of Android-based devices, both of which are currently available for purchase on Amazon. In the example below, one of the potentially problematic devices is advertised as 'Amazon's Choice.'

How the infections happen

There are two primary sources of infection:
- Pre-installed malware: Some devices arrive already compromised, having been tampered with before reaching store shelves.
- Malicious app installs: During setup, users are often prompted to install apps from unofficial marketplaces, where malware-laced software opens backdoors.
This marks an evolution from the original BADBOX campaign, which relied primarily on firmware-level infections. The new version is more nimble, using software tricks and fake apps to broaden its reach.

How to tell if your device is infected

Here are the red flags to watch for:
- The device asks you to disable Google Play Protect
- It comes from an unfamiliar or no-name brand
- It's advertised as 'unlocked' or able to stream free content
- It directs you to download apps from unofficial app stores
- You notice unexplained internet traffic on your home network

How to protect your home network

To stay safe, the FBI recommends the following precautions:
- Avoid unofficial app stores. Stick to the Google Play Store or Apple's App Store.
- Don't chase suspicious bargains. Extremely inexpensive, unbranded gadgets are often too good to be true.
- Monitor your network. Keep an eye on unusual internet usage patterns or devices that you don't recognize.
- Stay updated. Regularly update your devices and router with the latest firmware and security patches.

If you suspect a device on your network may be infected, disconnect it immediately and consider filing a report with the FBI at

Be skeptical of bargain gadgets

If it seems too good to be true, it probably is. Fyodor Yarochkin, a senior threat researcher at Trend Micro, said it best: 'There is no free cheese unless the cheese is in a mousetrap.'


TechCrunch
09-05-2025
FBI and Dutch police seize and shut down botnet of hacked routers
A joint international law enforcement action shut down two services accused of providing a botnet of hacked internet-connected devices, including routers, to cybercriminals. U.S. prosecutors also indicted four people accused of hacking into the devices and running the botnet.

On Wednesday, the websites of Anyproxy and 5Socks were replaced with notices stating they had been seized by the FBI as part of a law enforcement operation called 'Operation Moonlander.' The notice said the law enforcement action was carried out by the FBI, the Dutch National Police (Politie), the U.S. Attorney's Office for the Northern District of Oklahoma, and the U.S. Department of Justice.

Then on Friday, U.S. prosecutors announced the dismantling of the botnet and the indictment of three Russians: Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin; and Dmitriy Rubtsov, a Kazakhstan national. The four are accused of profiting from running Anyproxy and 5Socks under the pretense of offering legitimate proxy services, which prosecutors say were in fact built on hacked routers.

Chertkov, Morozov, Rubtsov, and Shishkin, who all reside outside of the United States, targeted older models of wireless internet routers that had known vulnerabilities, compromising 'thousands' of such devices, according to the now-unsealed indictment. Once in control of those routers, the four individuals sold access to the botnet on Anyproxy and 5Socks, services that have been active since 2004, according to their websites and the charging authorities.

Residential proxy networks are not illegal on their own; these offerings are often used to provide customers with IP addresses for accessing geoblocked content or bypassing government censorship.
Anyproxy and 5Socks, however, allegedly built their network of proxies — some of them made of residential IP addresses — by infecting thousands of vulnerable internet-connected devices and effectively turning them into a botnet used by cybercriminals, according to the Department of Justice.

'In this way, the botnet subscribers' internet traffic appeared to come from the IP addresses assigned to the compromised devices rather than the IP addresses assigned to the devices that the subscribers were actually using to conduct their online activity,' read the indictment.

'Conspirators acting through 5Socks publicly marketed the Anyproxy botnet as a residential proxy service on social media and online discussion forums, including cybercriminal forums,' the indictment added. 'Such residential proxy services are particularly useful to criminal hackers to provide anonymity when committing cybercrimes; residential, as opposed to commercial, IP addresses are generally assumed by internet security services as much more likely to be legitimate traffic.'

According to the DOJ's press release, the four are believed to have made more than $46 million from selling access to the botnet. The FBI, DOJ, and the Dutch National Police did not respond to requests for comment.

Ryan English, a researcher at Black Lotus Labs, told TechCrunch ahead of the domain seizures that the two services were used for several types of abuse, including password spraying, launching distributed denial-of-service (DDoS) attacks, and ad fraud.
On Friday, Black Lotus Labs, a team of researchers housed within cybersecurity firm Lumen, published a report saying they helped the authorities track the proxy networks. As Black Lotus explained in its report, the botnet was 'designed to offer anonymity for malicious actors online.' English told TechCrunch that he and his colleagues are confident that Anyproxy and 5Socks are 'the same pool of proxies run by the same operators, just under a different name,' and that 'the bulk of the botnet were routers, all kinds of end-of-life make and models.' According to the report and based on Lumen's global network visibility, the botnet had 'an average of about 1,000 weekly active proxies in over 80 countries.' Spur, a company that tracks proxy services on the internet, also worked on the operation. Spur's co-founder Riley Kilmer told TechCrunch that while 5Socks is one of the smaller criminal networks the company tracks, the network had 'gained in popularity for financial fraud.'