Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight


For years, gray-market services known as “bulletproof” hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, they have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in Arlington, Virginia, today, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and criminal customers toward an alternative approach.

Rather than relying on web hosts to find ways of operating outside law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses and offering infrastructure that either intentionally doesn't log traffic or mixes traffic from many sources together. And while the technology isn't new, Seret and other researchers emphasized to WIRED that the transition to using proxies among cybercriminals over the past couple of years is significant.

“The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a researcher at the threat intelligence firm Team Cymru, told WIRED ahead of his talk. “That's the magic of a proxy service—you cannot tell who’s who. It's good in terms of internet freedom, but it's super, super tough to analyze what’s happening and identify bad activity.”

The core challenge of addressing cybercriminal activity hidden by proxies is that the services may also, even primarily, be facilitating legitimate, benign traffic. Criminals and companies that don't want to lose them as clients have particularly been leaning on what are known as “residential proxies,” an array of decentralized nodes that can run on consumer devices—even old Android phones or low-end laptops—offering real, rotating IP addresses assigned to homes and offices. Such services offer anonymity and privacy, but can also shield malicious traffic.

By making malicious traffic look like it comes from trusted consumer IP addresses, attackers make it much more difficult for organizations' scanners and other threat detection tools to spot suspicious activity. And, crucially, residential proxies and other decentralized platforms that run on disparate consumer hardware reduce a service provider's insight and control, making it more difficult for law enforcement to get anything useful from them.
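Because a residential proxy hands a client a fresh home or office IP address on each rotation, the IP itself is a weak signal; what a defender can still see is the same session hopping across unrelated address blocks in a short time. The following Python is an added illustration written for this article, not code from WIRED, Team Cymru or any proxy provider. The log format, the session identifiers, the IP addresses (all from RFC 5737 documentation ranges) and the thresholds (three distinct /24 networks within 120 seconds) are constructed assumptions chosen to show the heuristic; a real deployment would tune them against its own traffic.

```python
"""Flag web sessions whose source IP rotates across unrelated networks.

Heuristic: a single session cookie seen from several distinct /24 networks
within a short window looks like a rotating proxy rather than one person.
One or two changes are normal (Wi-Fi to mobile handoff), so the threshold
is deliberately above that. Treat the result as an enrichment signal for
review, not as a block decision on its own.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_network

# Constructed sample access log (assumed format: timestamp, client IP,
# session cookie, method, path). Not taken from any real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 sess=abc123 GET /login
2024-05-01T10:00:05Z 203.0.113.10 sess=abc123 GET /account
2024-05-01T10:00:09Z 203.0.113.10 sess=abc123 GET /orders
2024-05-01T10:01:00Z 198.51.100.7 sess=zzz999 POST /login
2024-05-01T10:01:03Z 192.0.2.45 sess=zzz999 POST /login
2024-05-01T10:01:07Z 203.0.113.77 sess=zzz999 POST /login
2024-05-01T10:01:11Z 198.51.100.88 sess=zzz999 POST /login
2024-05-01T10:01:15Z 192.0.2.201 sess=zzz999 POST /login
2024-05-01T10:02:00Z 198.51.100.5 sess=mob555 GET /account
2024-05-01T10:02:30Z 192.0.2.9 sess=mob555 GET /orders
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sess=(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than fail the whole run
        ts, ip, sess, method, path = match.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "session": sess,
            "method": method,
            "path": path,
        })
    return events


def _network(ip):
    """Collapse an IPv4 address to its /24 so a single NAT pool counts once."""
    return str(ip_network(f"{ip}/24", strict=False))


def rotating_sessions(events, window_seconds=120, min_networks=3):
    """Return {session: sorted /24 networks} for sessions that touched at
    least `min_networks` distinct /24s inside any `window_seconds` window."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    flagged = {}
    for sess, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; stop at the first hit.
        for i, start in enumerate(evs):
            nets = set()
            for event in evs[i:]:
                if (event["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                nets.add(_network(event["ip"]))
            if len(nets) >= min_networks:
                flagged[sess] = sorted(nets)
                break
    return flagged


if __name__ == "__main__":
    for sess, nets in rotating_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sess} rotated across {len(nets)} networks: {', '.join(nets)}")
```

On the constructed sample, `zzz999` is flagged (three /24s in 15 seconds, all hitting the login endpoint), while `abc123` (one address) and `mob555` (two addresses, consistent with a carrier handoff) are not. The /24 collapse is a coarse stand-in for ASN or prefix data; with a routing or enrichment feed available, grouping by origin ASN gives fewer false positives from large NAT pools.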

“Attackers have been ramping up their use of residential networks for attacks over the past two to three years,” says Ronnie Tokazowski, a longtime digital scams researcher and cofounder of the nonprofit Intelligence for Good. “If attackers are coming from the same residential ranges as, say, employees of a target organization, it's harder to track.”

Criminal use of proxies isn't new. In 2016, for example, the US Department of Justice said that one of the obstacles in a years-long investigation of the notorious “Avalanche” cybercriminal platform was the service's use of a “fast-flux” hosting technique that concealed the platform's malicious activity using constantly changing proxy IP addresses. But the rise of proxies as a gray-market service rather than something attackers must develop in-house is an important shift.

“I don’t know yet how we can improve the proxy issue,” Team Cymru's Seret told WIRED. “I guess law enforcement could target known malicious proxy providers like they did with bulletproof hosts. But in general, proxies are full internet services used by everyone. Even if you take down one malicious service, that doesn't solve the larger challenge.”