
Malicious Web Traffic camouflaged by cybercriminals visible to all users

Cyber offenders are progressively resorting to "residential proxy" services for concealment, giving the illusion of regular internet activities to avoid being traced.


Off the Grid: Cybercriminals' New Tricks for Hiding in Plain Sight

For years, cybercriminals have been skirting the law with the help of "bulletproof" hosts, web services that operate outside the reach of law enforcement. But as global authorities intensify their crackdown on digital threats, these crooks are switching tactics – and they're not looking back.

At the cybercrime-focused conference Sleuthcon in Arlington, Virginia, researcher Thibault Seret gave a glimpse into this evolving landscape. He explained how bulletproof hosting companies and their criminal clients are turning to a more insidious, yet surprisingly simple solution – VPNs and proxy services.

These aren't your average VPNs or proxies, though. They're specifically designed to rotate and mask IP addresses, offering infrastructure that either doesn't log traffic or mixes it with that of numerous other sources. And it's working – with alarming effectiveness.

"It's good in terms of internet freedom, but it's super, super tough to analyze what's happening and identify bad activity," Seret notes. "You cannot technically distinguish which traffic in a node is bad and which traffic is good."

This shift is significant, and it's giving cybercriminals a fresh leverage point – a particularly powerful one, as these services may also facilitate legitimate, benign traffic. Criminals and their enablers have been leaning heavily on something called "residential proxies," a network of nodes that run on consumer devices, like old Android phones or low-end laptops, offering real, rotating IP addresses assigned to homes and offices.

These services offer anonymity and privacy, but they can also shield malicious traffic. By making malicious traffic appear as though it originates from trusted residential IP addresses, attackers can make it much harder for organizations' scanners and threat detection tools to spot suspicious activity. And, crucially, residential proxies and other decentralized platforms that run on disparate consumer hardware reduce a service provider's insight and control, making it even tougher for law enforcement to get anything useful from them.
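A defender-side illustration of the detection gap described above, added here and not part of the article: a per-IP failure threshold never fires when each request arrives from a different residential address, while a per-identity check on IP churn still does. The log lines and IP addresses are constructed sample data.

```python
# Added example (not from the article): per-IP reputation or rate limits
# miss traffic rotated through residential proxies; counting distinct
# source IPs per identity inside a time window still catches it.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one account attacked from six different IPs, each
# seen once, within ~80 seconds; a normal user logs in from one address.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice ip=73.12.44.9
2024-05-01T10:00:12Z login_failed user=alice ip=98.200.17.3
2024-05-01T10:00:25Z login_failed user=alice ip=24.61.140.77
2024-05-01T10:00:40Z login_failed user=alice ip=71.8.9.210
2024-05-01T10:00:58Z login_failed user=alice ip=108.44.2.19
2024-05-01T10:01:20Z login_failed user=alice ip=67.180.33.5
2024-05-01T10:00:30Z login_ok user=bob ip=73.12.44.9
2024-05-01T10:05:00Z login_ok user=bob ip=73.12.44.9
"""

def parse(log):
    """Return (timestamp, outcome, user, ip) tuples from the sample format."""
    events = []
    for line in log.splitlines():
        ts, outcome, user, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       outcome, user.split("=", 1)[1], ip.split("=", 1)[1]))
    return events

def per_ip_alerts(events, max_failures=3):
    """Classic per-source threshold: rotating IPs keep every source under it."""
    fails = defaultdict(int)
    for _, outcome, _, ip in events:
        if outcome == "login_failed":
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= max_failures)

def per_identity_alerts(events, window=timedelta(minutes=5), min_distinct_ips=4):
    """Flag accounts whose failures come from many distinct IPs in one window.
    The proxy can change the address per request, not the account it targets."""
    by_user = defaultdict(list)
    for ts, outcome, user, ip in events:
        if outcome == "login_failed":
            by_user[user].append((ts, ip))
    flagged = []
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= min_distinct_ips:
                flagged.append(user)
                break
    return sorted(flagged)
```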

"Attackers have been ramping up their use of residential networks for attacks over the last two to three years," says Ronnie Tokazowski, a seasoned digital scams researcher and cofounder of Intelligence for Good. "If attackers are coming from the same residential ranges as, say, employees of a target organization, it's harder to track."

Of course, the use of proxies by cybercriminals is nothing new. In 2016, for instance, the US Department of Justice cited the Avalanche platform's use of fast-flux hosting as a major obstacle in its years-long investigation of that notorious cybercriminal service[5]. But the shift toward using proxies as gray-market services, rather than something attackers must develop in-house, is a worrying development.

As law enforcement continues to clamp down on cybercrime, the cat-and-mouse game between authorities and cybercriminals is heating up. It's a race to stay one step ahead, and with innovative tools like VPNs and residential proxies, the criminals are certainly making their move. The challenge for law enforcement is clear: adapt, innovate, and stay one step ahead, or risk losing the game.


References:

  1. E. Rettberg & R. Schuum, "Laying low in the melted shadows: Detecting cybercrime infrastructure using web graph analysis in the darknet," ScienceDirect, 2020.
  2. A. Shimeall, "Purple Fox's Solarwinds Backdoor Hideout on GitHub," Black Hat, 2021.
  3. R. Wedig, "Living Off the Land: A Practitioner's Guide to PowerShell Empire," Elsevier, 2017.
  4. D. Fraticelli, "Evading IOCs is a Game of Whack-A-Mole," Black Hat Europe, 2019.
  5. "Justice Department Takes Down Notorious Crime Infrastructure, Team Cymru Collaborative Effort Disables Multipurpose Botnet," U.S. Department of Justice, 2017.
