Proxy networks fill a necessary function for users worldwide, allowing secure Web connections free of corporate or national oversight. According to Softpedia, however, a new type of malware — dubbed ProxyBack — is being used to convert victim computers into unwilling proxy servers, which are in turn leveraged to create fake accounts on dating sites or sold as secure options to unwitting customers. While this proxy-proliferating malware has been active since 2014, researchers are only now cracking the code and discovering the real value of these malware proxies.

Getting In

As noted by SecurityWeek, ProxyBack is distributed mainly in Europe and targets educational institutions. It’s not hard to see why; large colleges and universities often have hundreds or even thousands of Internet-connected desktops that aren’t monitored by individual users. Once infected, the computer is instructed to create a tunnel over transmission control protocol (TCP), which leads back to the attacker-controlled proxy server. Because the infected PC is responsible for establishing this connection, the attack server can send both instructions and traffic without fear of stepping on any firewalls.

Security company Palo Alto Networks suggested that up to 11,000 machines may have been compromised by ProxyBack, which are then used to funnel Web traffic onto the Internet at large. What’s more, Palo Alto detected a significant traffic increase on compromised servers but found that data through these proxies was neither anonymous nor secure.

New Approach to Proxies

In most cases, malware infections are designed to obfuscate the location of attack servers, allowing them to function as anonymous points of compromise. Not so with ProxyBack: As noted by Softpedia, infected computers are being sold as reliable proxy servers to customers in Russia by services like That service claims to have been in operation for seven years, offers between 700 and 3,000 servers each day and has rental options between four and 24 hours.

While it’s unclear if buyproxy created or distributed the malware, the use of public IP addresses and specific ID numbers generated for each infection allowed researchers to link fake proxies with advertised servers on buyproxy’s website.

This isn’t the first instance of this kind of corporatized malware. For example, the communications director of the Raspberry Pi Foundation, Liz Upton, recently received an email asking the foundation to place malware on its small controllers, which would automatically direct users to a particular website. The “business officer” reaching out was more than willing to offer money in exchange for the privilege, apparently hoping that enough cash would convince the foundation to abandon its moral compass.

Here’s the takeaway when it comes to ProxyBack: Malware creators have moved beyond a smash-and-grab mentality to one that focuses on quietly infecting systems and then using them to further seemingly legitimate business aims. In other words, desktops are quickly becoming the newest cybercriminal currency as server potential — rather than stored data — becomes the big value-add for attackers.

More from

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…

Why Zero Trust Works When Everything Else Doesn’t

The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived. Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a "default deny" security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource. Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should a breach…

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…