Our HoneyPoint sensors have been picking up quite a large number of scans for open proxies lately. As usual, much of this traffic is originating in China, where open proxies are used for a number of reasons, from spam to political activity to simple uncensored Internet access.
Interestingly, we are seeing a pretty decent increase in the number of probes for open web proxies using a site called www.loanscandyloans.com as the target. This site, owned by a person in China and hosted in the US, seems to be a front site whose main purpose is simply to host a set of PHP scripts used to verify open proxies and other connections.
Quick Google searches about LoansCandy reveal a short history of scans, probes and semi-malicious activity. Likely, the site is used simply as a collection point for the data and offers little else in real terms. However, it might be wise for organizations to consider blocking any connections to the site, just in case open relays or proxies might be present in their environment.
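One way to check your own web or proxy access logs for these probes, as an added example that is not part of the original post or of HoneyPoint. It assumes Combined Log Format; the sample lines, the documentation-range IP addresses and the `PLACEHOLDER.php` path are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

PROBE_DOMAIN = "loanscandyloans.com"  # target named in the post; subdomains match too

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jan/2000:00:00:01 +0000] "GET http://www.loanscandyloans.com/PLACEHOLDER.php HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.24 - - [01/Jan/2000:00:00:02 +0000] "GET http://www.loanscandyloans.com/PLACEHOLDER.php HTTP/1.0" 200 1024 "-" "-"',
    '203.0.113.9 - - [01/Jan/2000:00:00:03 +0000] "CONNECT www.loanscandyloans.com:80 HTTP/1.1" 405 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2000:00:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.11 - - [01/Jan/2000:00:00:05 +0000] "GET http://example.org/ HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.12 - - [01/Jan/2000:00:00:06 +0000] "GET /?u=http://www.loanscandyloans.com/ HTTP/1.1" 200 10 "-" "-"',
]

def proxy_target_host(method, target):
    """Return the host a proxy-style request asks the server to reach, else None."""
    if method == "CONNECT":                      # authority-form: host:port
        return target.rsplit(":", 1)[0].strip("[]").lower()
    if target.lower().startswith(("http://", "https://")):  # absolute-URI form
        try:
            return urlsplit(target).hostname     # already lower-cased
        except ValueError:                       # malformed URL in the log
            return None
    return None                                  # origin-form: ordinary request

def find_probes(lines, domain=PROBE_DOMAIN):
    """Return (ip, host, status, needs_review) for proxy probes aimed at domain."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host = proxy_target_host(m["method"], m["target"])
        if host and (host == domain or host.endswith("." + domain)):
            # A 2xx answer may mean the request was relayed, or only that the
            # server returned its own page; either way the host needs checking.
            needs_review = m["status"].startswith("2")
            hits.append((m["ip"], host, int(m["status"]), needs_review))
    return hits

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Any hit shows the scan reached the server; hits flagged for review are the ones to follow up by confirming whether that host will forward requests for arbitrary sites.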
HoneyPoint has been an essential part of MSI’s infosec intelligence program and continues to prove itself an amazing tool for threat analysis on Internet or internal networks. We continually monitor several HoneyPoint deployments around the world for interesting activity and attacker trends. Look for us to share more data from our captures in the future.