Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight

For years, gray market services known as “bulletproof” hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, they have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in in Arlington, Virginia today, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and criminal customers toward an alternative approach.

Rather than relying on web hosts to find ways of operating outside law enforcement’s reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses and offering infrastructure that either intentionally doesn’t log traffic or mixes traffic from many sources together. And while the technology isn’t new, Seret and other researchers emphasized to WIRED that the transition to using proxies among cybercrminals over the last couple of years is significant.

“The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a researcher at the threat intelligence firm Team Cymru, told WIRED ahead of his talk. “That’s the magic of a proxy service—you cannot tell who’s who. It’s good in terms of internet freedom, but it’s super, super tough to analyze what’s happening and identify bad activity.”

The core challenge of addressing cybercriminal activity hidden by proxies is that the services may also, even primarily, be facilitating legitimate, benign traffic. Criminals and companies that don’t want to lose them as clients have particularly been leaning on what are known as “residential proxies,” or an array of decentralized nodes that can run on consumer devices—even old Android phones or low end laptops—offering real, rotating IP addresses assigned to homes and offices. Such services offer anonymity and privacy, but can also shield malicious traffic.

By making malicious traffic look like it comes from trusted consumer IP addresses, attackers make it much more difficult for organizations’ scanners and other threat detection tools to spot suspicious activity. And, crucially, residential proxies and other decentralized platforms that run on disparate consumer hardware reduce a service provider’s insight and control, making it more difficult for law enforcement to get anything useful from them.

“Attackers have been ramping up their use of residential networks for attacks over the last two to three years,” says Ronnie Tokazowski, a longtime digital scams researcher and cofounder of the nonprofit Intelligence for Good. “If attackers are coming from the same residential ranges as, say, employees of a target organization, it’s harder to track.”

Criminal use of proxies isn’t new. In 2016, for example, the US Department of Justice said that one of the obstacles in a years-long investigation of the notorious “Avalanche” cybercriminal platform was the service’s use of a “fast-flux” hosting method that concealed the platform’s malicious activity using constantly changing proxy IP addresses. But the rise of proxies as a gray market service rather than something attackers must develop in-house is an important shift.

“I don’t know yet how we can improve the proxy issue,” Team Cymru’s Seret told WIRED. “I guess law enforcement could target known malicious proxy providers like they did with bulletproof hosts. But in general, proxies are whole internet services used by everyone. Even if you take down one malicious service, that doesn’t solve the larger challenge.”