The Federal Bureau of Investigation (FBI), Defense Criminal Investigative Service (DCIS), and Department of Commerce (DOC) are publishing this announcement to notify the public of the dismantlement of the 911 S5 residential proxy service and to help individuals and businesses better understand and guard against the 911 S5 proxy service and botnet. 911 S5 began operating in May 2014 and was taken offline by the administrator in July 2022 before rebranding as Cloudrouter in October 2023. 911 S5 was one of the largest residential proxy services and botnets, with over 19 million compromised IP addresses in over 190 countries and confirmed victim losses in the billions of dollars.
911 S5/Cloudrouter Techniques
911 S5 provided threat actors with access to compromised IP addresses and the associated devices or machines owned by individuals and businesses by distributing malicious proxy backdoors that were built into VPN applications. Free, illegitimate VPNs were packaged within pirated video games and software that victims downloaded onto their devices or machines. Once the download was complete, the VPN application and proxy backdoor were both installed silently on the victims' devices without their consent, and the victims unknowingly became part of the 911 S5 botnet. VPN applications that connect to the 911 S5 service are: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. The proxy backdoor enabled 911 S5 users to route their traffic through victims' devices, allowing criminals to carry out crimes such as bomb threats, financial fraud, identity theft, child exploitation, and initial access brokering. By using a proxy backdoor, criminals made their nefarious activity appear as though it was coming from the victims' devices.
Mitigations and Security
The FBI has published information at fbi.gov/911S5 to help identify and remove 911 S5's VPN applications from your devices or machines.
Organizations that employ Bring Your Own Device (B.Y.O.D.) policies may have inadvertent connections to the 911 S5 proxy botnet. It is recommended that employees bringing their own devices check them for any 911 S5 infection.
Tips on How to Protect Yourself
The FBI, DCIS, and DOC recommend individuals take the following precautions to protect themselves against botnets:
- Avoid untrustworthy websites and ads. Avoid downloading free software, such as the VPN applications listed above, and do not click on pop-up ads from untrusted websites. Interacting with these pages often initiates malware installation on your device.
- Ignore suspicious emails. Phishing emails are one of the top techniques used to infiltrate a device. Be wary of emails that ask you to open an attachment or follow a link.
- Use antivirus software. Antivirus software can detect and remove malware that is used to create botnets. Keep your software up to date to ensure it can detect the most recent threats.
The FBI, DCIS, and DOC recommend businesses take the following precautions to protect themselves against botnets:
- Keep software and operating systems up to date. Many botnet attacks are designed to exploit vulnerabilities in apps or software; installing updates when they become available can help prevent your device from being infected.
- Evaluate B.Y.O.D. policies. Businesses that regularly test, review, and validate their security programs against likely threats will limit the chances of employees' personal devices becoming part of a botnet.
- Encourage strong passwords. Provide an enterprise-level password manager to create, store, and fill in passwords automatically for employees so they only have one password to remember for the password manager itself. Additionally, require employees to change default credentials on software and hardware products to prevent usernames and passwords from being exploited.
Victim Reporting and Additional Resources
If you suspect that you are a victim of the 911 S5 proxy service and botnet:
- File a complaint with the FBI Internet Crime Complaint Center (IC3), www.ic3.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting organization; designated point of contact.
- To contact the DCIS Cyber Field Office regarding information found in this PSA, please call (703) 604-8444.
- To contact DOC regarding information found in this PSA, please call (800) 424-2980.