I was browsing some “recently shared” search queries on Shodan this morning and stumbled upon one for Zoom, which yielded some very interesting results.
One great feature that Shodan offers to analyze search results is the ability to drill down by country and even city. In this case, I took a closer look at the “top cities” for this particular search query.
The entry for “Dulles” stood out to me, as Dulles, Virginia is known for its numerous and substantially-sized data centers, owing to its proximity to Washington, DC and much of the Federal government’s operations. Standing out almost right away is an endpoint showing indicators of some sort of VMware application.
Drilling down further into this host shows that it was, indeed, a VMware ESXi hypervisor that Shodan detected. This IP address also maps back to an entity named “Zoom Proxies,” which a quick search showed has no association with the Zoom Communications video conferencing company.
A second host with the same indicators was found under a neighboring IP address (216.115.185.163).
Having found the assignee for these addresses and taking a look at the owner’s provided services, it is presumed that the suspect VMware systems are installed on dedicated server instances leased from Greybeard. Taking a closer look at the organization listed on Shodan leads us to the Zoom Proxies site page.
After looking through a few of the pages, it’s my guess that these folks provide purchasing automation for buying items from commerce sites (like Shopify, Supreme, etc., as listed on their site). Perhaps these solutions allow an individual to spawn multiple instances of “proxy purchasers” (okay, let’s just call them what they are: bots) to quickly capture limited edition items (see YeezySupply, Adidas, and Supreme), or in this case, a possible focus on limited edition shoes. Other indicators of this are things like “10 GBPS PORT SPEED,” “100% CLEAN IP[s],” and of course the direct references to the ability to work with Shopify, Supreme, and so on. Oh, and it was worth seeing where their main home page/storefront was being served from:
Anyway, just a friendly reminder to make sure you’re not making yourself *too* available on the Internet.
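The same drill-down the post walks through (top cities for a result set, then spotting ESXi management endpoints) can be run against your own address space so you find the exposure before someone browsing Shodan does. This is an added example, not code from the post; it works on constructed records shaped like Shodan search "matches", uses documentation-range placeholder IPs rather than the hosts above, and the `owned_cidrs` netblocks are assumed inputs you would replace with your own assignments.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the shape of Shodan search "matches"
# (placeholder IPs from RFC 5737 documentation ranges; not the hosts in the post).
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "org": "Example Hosting", "product": "VMware ESXi",
     "port": 443, "location": {"city": "Dulles", "country_code": "US"}},
    {"ip_str": "192.0.2.11", "org": "Example Hosting", "product": "VMware ESXi",
     "port": 443, "location": {"city": "Dulles", "country_code": "US"}},
    {"ip_str": "198.51.100.5", "org": "Other Org", "product": "nginx",
     "port": 80, "location": {"city": "Ashburn", "country_code": "US"}},
    {"ip_str": "203.0.113.7", "org": "Example Hosting", "product": "OpenSSH",
     "port": 22, "location": {"city": "Dulles", "country_code": "US"}},
]

# Product strings that indicate a hypervisor management plane is reachable.
HYPERVISOR_MARKERS = ("vmware esxi", "esxi")


def top_cities(matches, n=3):
    """Reproduce Shodan's 'top cities' facet for a set of search results."""
    counts = Counter(
        (m.get("location") or {}).get("city") or "unknown" for m in matches
    )
    return counts.most_common(n)


def is_hypervisor(match):
    """True when the detected product looks like an ESXi management endpoint."""
    product = (match.get("product") or "").lower()
    return any(marker in product for marker in HYPERVISOR_MARKERS)


def exposed_hypervisors(matches, owned_cidrs):
    """Return (ip, port, product) for hypervisors that fall inside netblocks we own.

    owned_cidrs is an assumed input: the CIDR blocks assigned to your organisation.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in owned_cidrs]
    hits = []
    for m in matches:
        if not is_hypervisor(m):
            continue
        ip = ipaddress.ip_address(m["ip_str"])
        if any(ip in net for net in nets):
            hits.append((m["ip_str"], m["port"], m["product"]))
    return hits
```

Anything `exposed_hypervisors` returns is a management interface that should sit behind a VPN or jump host, not on a public port.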