5 December 2023
On 30 October (10:51 UTC), the Philippine news site Rappler received more than 40 million requests to its home page in less than one hour. Rappler is the Philippines’ leading digital media company, driven by uncompromising journalism and founded in 2012 by 2021 Nobel Peace Prize laureate Maria Ressa.
The goal of this investigation was to determine which infrastructure had been used to conduct the attacks against Rappler. The investigation processed 90 GB of access log data shared by the victim. The traces led us directly to two well-known actors in the lucrative and shady proxy industry, FineProxy and RayoByte.
The report focuses on exposing unique details of FineProxy, a proxy infrastructure that has been involved in numerous DDoS attacks against Qurium-hosted organizations and that has been the subject of our investigations for several years.
RayoByte and FineProxy provide proxy services for web scraping and automation, and both infrastructures are currently part of a pay-as-you-go DDoS service.
Both actors show little interest in solving the problem of DDoS attacks being sourced from their proxy infrastructure. Instead, they have offered Qurium to block traffic from their service towards our hosted organizations (while others may be DDoSed at any time) as a way to discourage us from continuing to investigate them.
FineProxy has also offered Qurium the name of the client that conducts DDoS attacks from their infrastructure, on the condition that Qurium takes down all forensic reports mentioning their name.
Proxy infrastructure used to conduct attacks
The first flood started at 10:51 AM and lasted one minute. During the first minute of the attack, 20,000 requests per second were sent to the website. After that first attempt, at least six more distinct attacks were launched within the following hour. At peak, the DDoS attack reached 250,000 requests per second, when close to 26 million requests were sent to the website in just two minutes.
Left: Traffic peaks during the DDoS attack against Rappler. Right: Attack traffic originating in the data center infrastructure of two proxy providers.
To break down the analysis, we decided to classify each of the IP addresses that flooded the website based on their traffic speed and infrastructure location. Although the majority of the requests came from residential or mobile connections, we identified that 10% of the IP addresses originated from data centers.
Next, we selected the attack traffic at peak time (11:29-11:30) and sampled the data in one-second periods. The analysis allowed us to see the distinct autonomous systems involved in the DDoS attack and how the floods switched from AS397630 (BlazingSEO) to AS55286 (Server-Mania) after 30 seconds.
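As an added illustration of the per-second breakdown described above (example code written for this article, not Qurium’s tooling), the following Python sketch buckets access-log lines into one-second bins, maps each source address to an origin ASN and reports which ASN dominates each second, which is how a hand-over between floods shows up. The log lines and the prefix table are constructed on RFC 5737 documentation ranges; only the ASN numbers and names are taken from the report, and a real analysis would load a BGP routing table dump for the mapping.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in combined log format; these are not lines from the Rappler logs.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Oct/2023:11:29:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [30/Oct/2023:11:29:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Oct/2023:11:29:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Oct/2023:11:29:31 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Oct/2023:11:29:31 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [30/Oct/2023:11:29:31 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed prefix table on RFC 5737 documentation ranges; the ASNs are those named in
# the report, but a real analysis would load a BGP routing table dump for the mapping.
PREFIX_TO_ASN = {
    ipaddress.ip_network("198.51.100.0/24"): (397630, "AS-BLAZINGSEO", "datacenter"),
    ipaddress.ip_network("203.0.113.0/24"): (55286, "SERVER-MANIA", "datacenter"),
    ipaddress.ip_network("192.0.2.0/24"): (64496, "EXAMPLE-ISP", "residential"),
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def lookup_asn(ip):
    """Longest-prefix match of one address against the prefix table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in PREFIX_TO_ASN.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else (None, "UNKNOWN", "unknown")

def per_second_by_asn(log_text):
    """Bucket requests into one-second bins and count them per origin ASN."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        asn, name, _ = lookup_asn(m["ip"])
        buckets[ts.strftime("%H:%M:%S")][(asn, name)] += 1
    return buckets

def dominant_asn_per_second(buckets):
    """The ASN sending most requests in each second; a change marks a flood hand-over."""
    return {sec: counts.most_common(1)[0][0] for sec, counts in sorted(buckets.items())}

def datacenter_share(log_text):
    """Fraction of distinct source IPs whose prefix is classified as data center."""
    ips = {m["ip"] for m in map(LOG_RE.match, log_text.splitlines()) if m}
    dc = sum(1 for ip in ips if lookup_asn(ip)[2] == "datacenter")
    return dc / len(ips) if ips else 0.0
```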
The following table summarizes our findings:
Autonomous System | Name | Ownership/founder | Role | Proxy Provider |
---|---|---|---|---|
35624 | Silverstar Invest Limited | Alexei Filippenko, Ilya Trusov Igorevych | Partner and IP Provider | Fineproxy |
35830 | BTT Group Finance | Alexei Filippenko, Ilya Trusov Igorevych | Partner and IP Provider | Fineproxy |
51765 | Oy Crea Nova Hosting Solution Ltd | Niko Viskari, Ilya V Kudryavtsev | Hosting Provider | Fineproxy |
26548 | PUREVOLTAGE-INC | Jake Terepocki | Hosting Provider | Fineproxy |
14576 | HOSTING-SOLUTIONS (EE) | Kingservers (Infatica), Vladimir Fomenko | Hosting Provider | Fineproxy |
54252 | SP-NYJ | Neil Emeigh | Proxy Provider | RayoByte |
55081 | 24SHELLS | Tushit Shah | Partner | RayoByte |
397630 | AS-BLAZINGSEO | Neil Emeigh | Proxy Provider | RayoByte |
55286 | SERVER-MANIA | Kevin Blanchard | Partner | RayoByte |
Proxy providers attempt to silence the whistleblower
Qurium’s investigation has identified two proxy providers that are likely part of a pay-as-you-go service designed to conduct denial of service attacks: Rayobyte/Sprious LLC (US) and Fineproxy/Quality Network (RU, EE, US).
Both proxy providers have been approached several times by Qurium to inform them that a DDoS service operates within their infrastructure. Despite our reports, neither provider has managed to stop the use of its proxy service to conduct denial of service attacks. As a way to “mitigate the problem”, both Rayobyte and Fineproxy have asked Qurium to provide a list of our hosted organizations so they can ensure that they will not become victims of DDoS again in the future. Clever, isn’t it? If Qurium’s clients are no longer victims, there will be no more forensic reports revealing their malicious practices!
FineProxy even went one step further to silence Qurium. In an email exchange with Ilya Trusov, CEO of FineProxy, in late October 2023, they offered to reveal the name of the customer responsible for the DDoS attacks. The condition for receiving the customer’s information was to remove all articles about their proxy service from Qurium’s website.
Let’s take a closer look at FineProxy and RayoByte.
PROXY PROVIDER 1: FINEPROXY
FineProxy is a Russian proxy provider founded in Kaluga, specialized in providing SEO services including click fraud, web scraping and the automated creation and management of social media accounts (aka bots). Some of the tools supported by their proxy service include XseoN, Xrumer, UBot, ScrapeBox, Gscraper, GSA SER, Socialhammer, ZennoPoster, etc.
FineProxy has been in operation since at least 2011 via the Russian company Region40. Since 2018, Qurium has mitigated and documented dozens of denial of service attacks launched from FineProxy’s infrastructure.
The following section will take you on a deep dive into the history of FineProxy and its allies. Keep an eye on the timeline below to follow the story.
The origins of Fineproxy
The origins of FineProxy can be traced back to 2009 and itservices{.}su, an online business specialized in SEO hosting where Ilya Trusov Igorevych (iluxa85), one of the founders of FineProxy, started his career. In those days, Ilya was selling proxies under the name “proxyelite.ru” with the help of Ivan Lukichev on the searchengines.guru forums.
The proxy business started in Kaluga (Russia) under the legal setup of Region40 LLC back in 2011. At that time, Fineproxy operated their proxy services from the data center Depo40 (Depo Data Center) using third-party providers such as Atomhost (UA) or Petersburg Internet Network (RU).
According to registration information, Region40 LLC is run by:
- Ilya Trusov (18-3-1995)
- Dmitry Masyutin
- Philip Petukhov
- Vladimir Izvekov
- Alexey Filippenko
Region40 LLC combined the skills of Alexei Filippenko, who worked on building physical infrastructure and fiber networks, with the know-how of Trusov and Lukichev, who had experience with SEO services and the use of proxy services.
Taking advantage of Ivan Lukichev’s move to Thailand, FineProxy started forwarding PayPal payments for their proxy services overseas.
From Russia to Europe
In 2016, Region40 LLC and Depo Data Center (Depo40) had been flagged as a bulletproof proxy provider by the threat intelligence community, and their networks were present in all spam databases.
To shake off the bad reputation that had become a burden to their proxy service (FineProxy), they rebranded their business to gain distance from the Russian Region40 LLC and their shady Depo40 Data Center.
Region40 continued their infrastructure building business in the Kaluga region, rebranded as “HiNet” (ООО ХАЙНЕТ), but the proxy service (FineProxy) was moved outside of Russia. Ilya Trusov set up Quality Network in Estonia and moved the proxy infrastructure, until then running mainly in Russia and Ukraine, into Europe.
To scale up and expand the proxy service, two things were needed:
- more IP networks to scale up the proxy service
- access to a data center to announce the prefixes
Obtaining IP space via IP harvesting
To obtain new IP networks, Ilya (iluxa85) started by registering several companies in Estonia and used them to obtain fresh networks from RIPE.
Meanwhile, Trusov’s business partner Alexei Filippenko registered dozens of companies in the United Kingdom, United States and South Africa to gain access to different regional registrars:
Company | Country | Registrar | Owner |
---|---|---|---|
Traffic Transit Solutions LLC | US | ARIN | Alexei Filippenko |
Fine Group Servers Solutions LLC | US | ARIN | Alexei Filippenko |
Security Servers LLC | US | ARIN | Alexei Filippenko |
Fast Servers | ZA | AFRINIC | Alexei Filippenko |
Africa Fast CDN | ZA | AFRINIC | Alexei Filippenko |
Silverstar Invest Limited | UK | AFRINIC | Alexei Filippenko |
Blockchain Network Solutions Ltd | UK | AFRINIC | Alexei Filippenko |
FITZ ISP Ltd | UK | AFRINIC | Alexei Filippenko |
Traffic Transit Solution LLC | US | ARIN | Ilia Trusov |
Quality Network OÜ | EE | RIPE | Ilia Trusov |
FineGroupFinance OÜ | EE | RIPE | Ilia Trusov |
FineTransit OÜ | EE | RIPE | Ilia Trusov |
IPTransitEE OÜ | EE | RIPE | Ilia Trusov |
CloudHost | RU | RIPE | Fast Telecom LLC |
CloudVPS | RU | RIPE | Fast Telecom LLC |
FastVPS | RU | RIPE | Fast Telecom LLC |
FreeData | RU | RIPE | Fast Telecom LLC |
IPLab | RU | RIPE | Fast Telecom LLC |
IPService | RU | RIPE | Fast Telecom LLC |
TrustHost LLC. | RU | RIPE | Fast Telecom LLC |
Not satisfied with the new networks and hungry for more IP space, Fineproxy decided to lease IP space from Fast Telecom LLC. Fast Telecom’s founders, Aleksey Bulgakov (now Alex Largman after a change of surname) and his partner Nikolaeva Ekaterina Sergeevna, obtained fresh networks by creating dozens of LLC entities in Russia. Once the networks (IP space) were obtained from RIPE, the companies were shut down and the IP space was transferred to the mothership: Fast Telecom LLC.
Moving hosting location out of Russia
With access to thousands of IP addresses, Fineproxy partnered in Estonia with Roman Jevstafjev and Jevgeni Fanfora, who operated UGB Hosting (aka FairyHosting, Roman Hosting, Clickhost.ru), to run their networks. For that operation, Fineproxy started to trade their services using their recently registered Estonian company Quality Network OÜ (2015).
Faking the geo-location of their networks
For several years, Fineproxy operated the vast majority of their networks from Estonia but faced the challenge of offering a global proxy service when the bulk of their networks were associated with one single country. Fineproxy solved the problem by faking the geolocation: they associated a different country with each of their networks and published those locations in the RIPE database. Geolocation providers such as MaxMind trusted those “geographical declarations”, and Fineproxy sold proxies from dozens of countries while all the traffic was sourced from Narva, Estonia.
Moving out of Estonia
Soon after the Russian invasion of Ukraine in February 2022, FineProxy initiated one more strategic move. To protect their assets, the Russian ownership of companies in Estonia was transferred to the former board member Borislav Mikijelj (Montenegro) and a new legal entity, Fast Servers OU, was established. Note how the old email and web address of Quality Network were kept in the new company registration!
The operation from UGB Hosting in Narva, Estonia, was abruptly canceled in early February 2022 and the networks were transferred to several friendly providers, including King Servers B.V. (aka Infatica), run by the Russian Vladimir Fomenko; Oy Crea Nova Hosting Solutions, run by Niko Viskari; and Jake Terepocki’s Pure Voltage.
ASN | Country | Contact Domain | Contact Person |
---|---|---|---|
AS14576 | RU/NL | king-servers{.}com | Vladimir Fomenko |
AS26548 | US | purevoltage{.}com | Jake Terepocki |
AS35830 | US/NL | bttgroup{.}uk | Alexei Filippenko |
AS43444 | US/NL | blockchainnetworksolutions.co{.}uk | Alexei Filippenko |
AS51765 | FI | creanova{.}org | Niko Viskari |
Moving the networks before the war started
When we followed the path the IP networks took in early February 2022, we found that some of the networks were transferred to the Moldovan-registered AS43624 PQ HOSTING S.R.L (2) and the Dutch-registered MIRhosting BV (Andrey Nesterenko). Soon after, many of these prefixes were transferred to the US-registered AS26548 Pure Voltage.
PROXY PROVIDER 2: RAYOBYTE
The second proxy provider involved in the attacks is the Nebraska-based Sprious LLC, operating the proxy service under the brand Rayobyte. Sprious LLC is run by Neil Emeigh, who proudly claims to operate a so-called “ethical proxy provider” with “high ethical standards”.
The attacks against Rappler.com originated from several data center proxies hosted in autonomous systems directly associated with Sprious: AS-BLAZINGSEO, SP-NYJ and AS-SPRIO.
To operate the proxy infrastructure, Rayobyte has established partnerships with other hosting and proxy providers. One of those providers is the “SEO friendly” B2 Net Solutions Inc (aka Servermania).
The story of Rayobyte is tightly connected to the background of its founder, Neil Emeigh (born 1993). As a teenager, Neil gained experience in the “search engine optimization” scene, participating in forums like “Warrior” or “Black Hat Forums” using the nicknames swords, swords12, googleboy507 and pointblank507.
In 2011, Neil could be found (video1, video2) advertising “scrapebox.com”, a multi-purpose tool capable of spamming forums, which he licensed in his mother’s name. The tool provided means to discover proxies from forums, run scheduled spam campaigns, flood sites with backlinks, etc.
During this learning period, Neil promoted tools like “GSA Search Engine Ranker”, a tool specialized in spamming websites with backlinks to improve Google rankings, and became an affiliate of Solid Proxies, a proxy service and hosting provider specialized in the use of “GSA SER” and in offering VPSs to SEOs (slrhosting{.}com).
To gain an online presence as an expert, Neil (swords) started the companies BanditIM LLC and Roqet Marketing LLC to promote his expertise in SEO forums such as blackhat, warrior and gsa-online.
Some of the websites run by Neil included:
- roqetmarketing{.}com
- scraperbandit{.}com
- typecaptchas{.}com
- banditim{.}com
- scraperbandit{.}org
- netbacklinkscheduler{.}com
- commentbandit{.}com
- captchabandit{.}com
- zonbandit{.}com
Between 2012 and 2015, Neil ran BanditIM LLC while completing his B.A. in Computer Science at the University of Nebraska at Kearney.
After finishing university, Neil started BlazingSEO LLC, his own proxy service, and Scraping Robot, LLC, which sold data scraping software solutions to its customers. In 2022, BlazingSEO was rebranded to Rayobyte under the new company Sprious LLC.
The promise of ethical proxies
What makes Rayobyte a special actor in the field of dodgy proxy providers is its promise to be an “ethical proxy provider” and its ultimate commitment to the “highest ethical standards”.
Faking geo-location
In the recent investigation “Rayobyte infrastructure enabling DDoS attacks”, published in September 2023, Qurium and Mybroadband exposed the use of fake geolocations in the networks advertised by Sprious LLC, previously leased from the IP leasing provider Cloud Innovation.
In an e-mail exchange in early October 2023, Sprious LLC denied any wrongdoing and accused Qurium of publishing incorrect information.
Evidence collected in August 2023 from the MaxMind website suggested otherwise, as we discovered dozens of fake geolocations associated with networks advertised by Rayobyte.
Similar to Fineproxy, Rayobyte has reported bogus geolocations for their networks to make their proxy service more attractive. Some of these bogus geolocations were reported in the name of Emeigh Investments LLC, EGI Hosting and Africa-on-Cloud.
More evidence can be found in a series of posts (2) in Blackhat Forums, where Neil, using his alias swords12, states:
We are able to get proxies from ANY country now, it just takes 1-5 weeks for geo-location databases (such as Maxmind) to update their databases to reflect these geo-location changes to the IPs.
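Both FineProxy’s and Rayobyte’s country declarations described above were accepted by geolocation databases at face value. As an added example that is not part of Qurium’s report or tooling, the following Python sketch shows one plausibility check a defender can run against a declared location: the great-circle distance between a measurement probe and the coordinates published in a RIPE “geoloc:” attribute imposes a physical lower bound on round-trip time, so an RTT below that bound proves the declaration false. The inetnum object, the probe coordinates (a probe in Narva, Estonia) and the RTT values are constructed for the example.

```python
import math
import re

# Constructed RIPE-style inetnum object (RPSL), not a real database record. These are
# the attributes a provider can publish and that geolocation databases may trust.
SAMPLE_INETNUM = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-PROXY-NET
country:        ZA
geoloc:         -26.2041 28.0473
org:            ORG-EXAMPLE1-RIPE
status:         ASSIGNED PA
"""

C_FIBER_KM_PER_MS = 200.0  # light in fibre covers roughly 200 km per millisecond

def parse_rpsl(text):
    """Parse 'attribute: value' lines of an RPSL object into a dict."""
    obj = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z-]+):\s*(.*)$", line)
        if m:
            obj[m.group(1)] = m.group(2).strip()
    return obj

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def min_rtt_ms(distance_km):
    """Lower bound on round-trip time imposed by the speed of light in fibre."""
    return 2 * distance_km / C_FIBER_KM_PER_MS

def geoloc_plausible(inetnum_obj, probe_lat, probe_lon, measured_rtt_ms):
    """Return (plausible, bound_ms). A measured RTT from the probe below the
    physical bound means the declared 'geoloc:' coordinates cannot be true."""
    lat, lon = map(float, inetnum_obj["geoloc"].split())
    bound = min_rtt_ms(haversine_km(probe_lat, probe_lon, lat, lon))
    return measured_rtt_ms >= bound, bound
```

The check is one-directional: a low RTT refutes a declared location, but an RTT above the bound does not confirm it, so it complements rather than replaces the routing and registry analysis described in the report.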
Another highlight of “high ethical standards” can be found in the “gsa-online” forum (2) (3), where Neil explains that he provides thousands of Yahoo mail accounts for a subscription of 15 USD.
The use of Sprious as a proxy provider to conduct web spam campaigns can be seen by monitoring one of the autonomous systems associated with Sprious: AS397630.
More information about RayoByte can be found in Qurium’s investigation Rayobyte infrastructure enabling DDoS attacks from September 2023.
Conclusions
The result of our investigation shows how two different proxy providers form part of the infrastructure of a “pay-as-you-go” Denial of Service service.
Both proxy providers have tampered with geolocation objects to associate their data center networks with parts of the world where they have no physical presence, in order to satisfy the requirements of their clients.
When Qurium has reported malicious behavior coming from their networks, both FineProxy and RayoByte have taken similar approaches, such as blacklisting the victim’s domain and refusing to help identify the customer behind the DDoS service.
Proxy providers such as RayoByte and FineProxy have designed their infrastructures with an almost unlimited number of connections or threads, giving their customers the ability to automate tasks such as scraping or flooding sites with backlinks at very high speeds. When the priority is to serve customers engaged in abusive SEO practices, it is no surprise that their infrastructures are also used to conduct Denial of Service attacks.
Sheltering and protecting users who conduct malicious activities is a way to gain the trust of current and future clients engaged in unethical online businesses.
Rappler is the latest victim of FineProxy and RayoByte’s lack of business ethics and unfortunately it will not be the last.