In the realm of cybercrime, a notable shift is occurring as crooks increasingly utilize "residential proxy" services to disguise malicious web traffic as normal internet activity. These gray-market tools, historically dubbed “bulletproof” hosting, enable criminal enterprises to maintain their digital infrastructure while evading scrutiny from law enforcement. This trend was highlighted at the cybercrime conference Sleuthcon by researcher Thibault Seret.
As global authorities ramp up efforts to combat digital threats, targeting not only the criminals but also the service providers supporting them, many cybercriminals are adapting their approach. Instead of relying solely on traditional web hosts, they are turning to specialized virtual private networks (VPNs) and other proxy services designed to rotate and mask IP addresses. These services often either don’t log user data or aggregate traffic from numerous sources, complicating detection efforts.
Seret, associated with Team Cymru, pointed out the intrinsic challenge of discerning harmful traffic within legitimate data streams. The use of proxies obscures the origins of malicious activities, rendering traditional detection methods less effective. "You cannot tell who’s who. It’s good in terms of internet freedom, but it complicates analyzing and identifying bad activity," Seret explained.
The adoption of residential proxies has surged, particularly those utilizing decentralized computing resources, such as idle home devices. This strategy allows attackers to route their malicious activity through everyday consumer IP addresses, making it significantly harder for organizations to identify and intercept fraudulent behavior. “If attackers are coming from the same residential ranges as employees of a target organization, it’s harder to track,” noted Ronnie Tokazowski, a digital scams researcher.
The use of proxies in cybercrime isn’t new; the Department of Justice cited their role in obscuring the notorious "Avalanche" criminal platform during a lengthy investigation back in 2016. However, this recent transformation, with proxies becoming readily available as a gray-market service, presents novel challenges for law enforcement.
Seret advocates for continued targeting of known malicious proxy providers, similar to approaches taken with bulletproof hosts. Nevertheless, he acknowledges that proxy services are pervasive, which complicates the task beyond addressing individual malicious entities. As cybercriminals refine their tactics, the struggle to identify and combat their activities grows ever more intricate.