For years, the gray-market services known as “bulletproof” hosts have been a key tool for cybercriminals trying to maintain anonymous web infrastructure, no questions asked. But as global law enforcement agencies have cracked down on digital threats, they have developed strategies to retrieve customer information from these hosts and have increasingly targeted the people behind the services in indictments. Today, at the cybercrime-focused conference Sleuthcon in Arlington, Virginia, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and their criminal clients toward an alternative approach.
Rather than relying on web hosts to find ways to operate outside the reach of law enforcement, some service providers have turned to offering dedicated VPNs and other proxy services as a way to rotate and mask customer IP addresses, providing infrastructure that either intentionally does not log traffic or blends traffic from many sources together. While this technology is not new, Seret and other researchers have emphasized to Wired that the shift toward cybercriminals using proxies has been significant over the past few years.
“The problem is that you can’t technically distinguish which traffic on a node is bad or which traffic is good,” Seret, a researcher at the threat intelligence company Team Cymru, told Wired ahead of his talk. “It’s the magic of a proxy service. You can’t know who is who. It’s good in terms of internet freedom, but it’s very difficult to analyze what’s going on and identify bad activities.”
The central challenge of dealing with cybercriminal activity hidden behind proxies is that the same services may also carry mostly legitimate, benign traffic. Criminals, and businesses that don’t want to lose them as clients, are particularly leaning on what are known as “residential proxies.” These are arrays of decentralized nodes that can run on consumer devices, even older Android phones and low-end laptops, offering real, rotating IP addresses assigned to homes and offices. Such services provide anonymity and privacy, but they can also shield malicious traffic.
By making malicious traffic appear to come from trusted consumer IP addresses, attackers make it much more difficult for an organization’s scanners and other threat detection tools to spot suspicious activity. And, crucially, residential proxies and other decentralized platforms running on disparate consumer hardware reduce the service providers’ own insight and control, making it harder for law enforcement to get anything useful from them.
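One signal defenders can still look for in their own access logs is the rotation itself: a single authenticated session that hops across many unrelated consumer address blocks within minutes, which an ordinary user (even one switching from Wi-Fi to a phone hotspot) almost never does. The Python below is an added illustration of that check and is not part of the Wired article or of Team Cymru’s tooling; the log format, session identifiers, IP addresses, time window and threshold are all constructed for the example.

```python
"""Flag sessions whose requests hop across many client networks in a short window.

A rotating residential proxy hands each request a different consumer IP, so
one session cookie shows up from several unrelated /24 networks within
minutes. Counting networks rather than raw IPs avoids flagging users whose
traffic merely load-balances across addresses in one provider pool.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): ISO timestamp, client IP,
# session id, request. "s-legit" moves from one network to a hotspot once;
# "s-rotate" changes address on almost every request, as a rotating
# residential proxy would. Addresses come from documentation/shared ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 sess=s-legit GET /login
2024-05-01T10:00:15Z 203.0.113.10 sess=s-legit GET /account
2024-05-01T10:05:40Z 198.51.100.22 sess=s-legit GET /account/orders
2024-05-01T10:01:00Z 192.0.2.17 sess=s-rotate GET /login
2024-05-01T10:01:06Z 198.51.100.201 sess=s-rotate POST /login
2024-05-01T10:01:11Z 203.0.113.88 sess=s-rotate GET /account
2024-05-01T10:01:19Z 192.0.2.240 sess=s-rotate GET /account/export
2024-05-01T10:01:25Z 100.64.12.9 sess=s-rotate GET /account/export
2024-05-01T10:01:33Z 100.64.200.31 sess=s-rotate GET /account/export
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sid>\S+) (?P<method>\S+) (?P<path>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, ip_address, session_id) tuples."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines instead of aborting the batch
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, ipaddress.ip_address(match["ip"]), match["sid"]))
    return events


def session_hop_stats(events, window=timedelta(minutes=10), prefix_len=24):
    """Per session: total distinct IPs and the most distinct /prefix_len
    networks seen inside any single sliding window of length `window`."""
    by_sid = defaultdict(list)
    for ts, ip, sid in events:
        by_sid[sid].append((ts, ip))

    stats = {}
    for sid, records in by_sid.items():
        records.sort()
        max_networks = 0
        for i, (start, _) in enumerate(records):
            networks = set()
            for ts, ip in records[i:]:
                if ts - start > window:
                    break
                # strict=False lets a host address be collapsed to its /24
                networks.add(ipaddress.ip_network((ip, prefix_len), strict=False))
            max_networks = max(max_networks, len(networks))
        stats[sid] = {
            "ips": len({ip for _, ip in records}),
            "networks": max_networks,
        }
    return stats


def flag_rotating_sessions(text, min_networks=4, window=timedelta(minutes=10)):
    """Session ids that touched at least `min_networks` distinct networks
    within `window`; the threshold is a constructed starting point to tune."""
    stats = session_hop_stats(parse_log(text), window=window)
    return sorted(sid for sid, s in stats.items() if s["networks"] >= min_networks)


if __name__ == "__main__":
    for sid, s in sorted(session_hop_stats(parse_log(SAMPLE_LOG)).items()):
        print(f"{sid}: {s['ips']} IPs, {s['networks']} networks in window")
    print("flagged:", flag_rotating_sessions(SAMPLE_LOG))
```

This is a coarse heuristic, not an identification of the proxy provider: it tells a defender which sessions deserve a closer look (step-up authentication, rate limiting, or correlation with other signals), and the network threshold needs tuning against a baseline of the organisation’s own mobile and remote users before it is used for blocking.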
“Attackers have been increasing the use of residential networks for attacks over the past two to three years,” says Ronnie Tokazowski, a longtime digital fraud researcher and co-founder of a nonprofit intelligence organization. “If the attacker comes from the same residential area as the employees of the target organization, it’s difficult to track it.”
Criminal use of proxies is not new. In 2016, for example, the US Department of Justice said that one of the obstacles in its long-running investigation of the infamous “Avalanche” cybercriminal platform was the service’s use of a “fast-flux” hosting method that constantly changed proxy IP addresses to hide the platform’s malicious activity. The rise of proxies as gray-market services that attackers can simply buy, rather than something they must develop in-house, is nonetheless a significant change.
“We still don’t know how we can fix the proxy issue,” Team Cymru’s Seret told Wired. “I think law enforcement can target known malicious proxy providers, like bulletproof hosts. But generally, proxies are the whole internet service that everyone uses.