Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight (wired.com)
Cybercriminals have been increasingly turning to "residential proxy" services over the past two to three years to disguise malicious web traffic as everyday online activity, according to research presented at the Sleuthcon cybercrime conference. The shift represents a response to law enforcement's growing success in targeting traditional "bulletproof" hosting services, which previously allowed criminals to maintain anonymous web infrastructure.
Residential proxies route traffic through decentralized networks running on consumer devices like old Android phones and low-end laptops, providing real IP addresses assigned to homes and offices. This approach makes malicious activity extremely difficult to detect because it appears to originate from trusted consumer locations rather than suspicious server farms. The technology creates particular challenges when attackers appear to come from the same residential IP ranges as employees of target organizations.
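The summary's point about attackers surfacing from the same residential ranges as staff means an IP allowlist or reputation lookup cannot separate the two; what a per-request rotating proxy cannot hide is that one session cookie keeps arriving from different consumer addresses within seconds. The following detector is an added example written for this page, not code from the Wired article or from Slashdot. The access events, the session identifiers and the "employee home ISP" ranges are all constructed (RFC 5737 documentation addresses) to show the pattern.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic (not real logs): (timestamp, client IP, session cookie, user agent).
# Addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    # A real employee working from home: one stable IP for the whole session.
    ("2024-05-01T09:00:00", "203.0.113.17", "sess-emp-1", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
    ("2024-05-01T09:00:41", "203.0.113.17", "sess-emp-1", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
    ("2024-05-01T09:03:12", "203.0.113.17", "sess-emp-1", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"),
    # The same session cookie replayed through a rotating residential proxy: every request
    # exits from a different consumer address, several of them in the employees' own ISP ranges.
    ("2024-05-01T09:01:00", "203.0.113.88", "sess-bot-7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    ("2024-05-01T09:01:02", "198.51.100.23", "sess-bot-7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    ("2024-05-01T09:01:03", "192.0.2.201", "sess-bot-7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    ("2024-05-01T09:01:05", "203.0.113.140", "sess-bot-7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    ("2024-05-01T09:01:06", "198.51.100.77", "sess-bot-7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
    ("2024-05-01T09:01:08", "192.0.2.9", "sess-bot-7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"),
]

# Hypothetical allowlist of the ISP ranges the company's remote staff connect from (assumed for the example).
EMPLOYEE_HOME_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def parse_events(events):
    """Turn the raw tuples into dicts with a datetime, sorted by time."""
    parsed = [
        {"ts": datetime.fromisoformat(ts), "ip": ip, "session": session, "ua": ua}
        for ts, ip, session, ua in events
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def network_of(ip):
    """Collapse an address to a residential-sized prefix (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def in_trusted_ranges(ips, ranges):
    """Return the addresses that fall inside the allowlisted ranges. For the rotating
    session this is non-empty: an IP allowlist alone cannot separate the proxy from staff."""
    return [ip for ip in ips if any(ipaddress.ip_address(ip) in net for net in ranges)]


def flag_rotating_sessions(events, window_seconds=600, min_ips=3):
    """Flag sessions whose cookie was presented from >= min_ips distinct source IPs within
    any window_seconds-long window. A browser on a home line keeps one address (a mobile
    handoff changes it once); a per-request rotating proxy changes it constantly."""
    by_session = defaultdict(list)
    for e in parse_events(events):
        by_session[e["session"]].append(e)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for session, evs in by_session.items():
        # Sliding window over the time-sorted events, counting distinct IPs currently inside it.
        in_window = Counter()
        max_distinct = 0
        right = 0
        for left, start in enumerate(evs):
            while right < len(evs) and evs[right]["ts"] - start["ts"] <= window:
                in_window[evs[right]["ip"]] += 1
                right += 1
            max_distinct = max(max_distinct, len(in_window))
            in_window[start["ip"]] -= 1
            if in_window[start["ip"]] == 0:
                del in_window[start["ip"]]
        if max_distinct >= min_ips:
            ips = {e["ip"] for e in evs}
            flagged[session] = {
                "distinct_ips": len(ips),
                "distinct_prefixes": len({network_of(ip) for ip in ips}),
                "span_seconds": int((evs[-1]["ts"] - evs[0]["ts"]).total_seconds()),
                "max_ips_in_window": max_distinct,
                "inside_employee_ranges": sorted(in_trusted_ranges(ips, EMPLOYEE_HOME_RANGES)),
            }
    return flagged


if __name__ == "__main__":
    for session, evidence in flag_rotating_sessions(EVENTS).items():
        print(session, evidence)
```

The employee session is never flagged (one address throughout), while the replayed cookie is flagged with six addresses in three /24s inside eight seconds, four of them inside the "trusted" staff ranges. The thresholds are a starting point: a window of a few minutes and three addresses tolerates a single Wi-Fi-to-mobile handoff, and the session identifier can be any stable per-client token (cookie, bearer token, TLS session ID) that the proxy has to carry unchanged for the attack to work.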
FUD (Score:5, Insightful)
Re: FUD (Score:3, Informative)
Re: (Score:2)
Let's be real: to trumpers, all immigrants are bad. Trump himself has said so.
Re: (Score:2)
Re: (Score:2)
I confess, AC, I don't even know who voted their comment up.
I did note the 'increasingly' bit in the summary. That's because, as you know, this isn't new. Malicious actors have been doing this for a long time. They use these IPs for things like spamming, DDoS attacks, hiding traditional hacking at scale, and things like that.
They're just doing this more often because finding reliable hosts to provide them with compromised addresses. Then again, those hosts were already using hacked residential IP addresses.
Re: (Score:2)
Look up webscraping... (Score:2)
Refer:
- Reddit - r/webscraping
- https://www.reddit.com/r/websc... [reddit.com]
- What are my options for proxies for webscraping?
From 3 years ago....
- Discussion of how to spread a web scraper load out on a larger set of IP addresses
> 1. install tor
> 2. start tor
> 3. use tor as proxy on localhost at port 9150
> https://tor.stackexchange.com/... [stackexchange.com]
Can be Summarized in 3 Words (Score:2)
Steganography (Score:2)
The ways data can be hidden in plain sight are virtually limitless. Obvious ones are using the least significant bit in WAV data, putting space and tab whitespace on the end of lines in plain text, etc. The only limitation is the imagination of people who need to do it.
Is it? (Score:2)
The shift represents a response to law enforcement's growing success in targeting traditional "bulletproof" hosting services
Is that actually a response to law enforcement's growing success or have they simply found that using a bunch of hacked devices that companies have abandoned is a better option?
“The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,”
“That's the magic of a proxy service—you cannot tell who’s who. It's good in terms of internet freedom, but it's super, super tough to analyze what’s happening and identify bad activity.”
“I don’t know yet how we can improve the proxy issue,”
To me, it seems like it has the distinct advantage of being better suited to the purpose, in addition to being beyond anyone's reach. Law enforcement may not even be a real consideration here.
Re: (Score:2)
Most are hacked servers. Do you run a webserver? Let it log when someone tries to use it as a proxy. There are A LOT of bots that try that. Have a look where the spam comes from. Almost all comes from addresses like info@webshop-foo, which are obviously just accounts on legitimate servers that were hacked because someone had a weak password. The internet is full of bots that do nothing but test if someone uses a weak password to either start spamming from their mail address, use their open proxy, or install
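The comment above suggests logging attempts to use your own web server as a proxy. In an Apache or nginx "combined" access log those attempts stand out as CONNECT requests (asking for a raw tunnel to some host:port) and as absolute-form request targets (`GET http://other-host/ ...`) naming a host you do not serve. The script below is an added example, not something from the article or the commenter; the log lines are constructed, and `OWN_HOSTS` is an assumed list of the names this server legitimately answers for.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Apache/nginx "combined" log lines, not a real server's log. RFC 5737 addresses and
# RFC 2606 example domains only.
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/May/2024:10:00:03 +0000] "GET http://www.example.net/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/May/2024:10:00:04 +0000] "GET http://www.example.org/ HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
192.0.2.44 - - [01/May/2024:10:00:05 +0000] "CONNECT mail.example.org:25 HTTP/1.1" 400 0 "-" "-"
198.51.100.77 - - [01/May/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "curl/8.0.1"
203.0.113.5 - - [01/May/2024:10:00:11 +0000] "-" 408 0 "-" "-"
"""

# Hostnames this server legitimately answers for (assumed for the example).
OWN_HOSTS = {"www.example.net", "example.net"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; returns None for lines with no request to inspect
    (e.g. the "-" request line a server writes for a connection that timed out)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, own_hosts):
    """Return the kind of proxy-abuse attempt this request is, or None for ordinary traffic."""
    method, target = entry["method"], entry["target"]
    if method == "CONNECT":
        # CONNECT asks the server to open a raw tunnel to host:port; only a forward proxy does that.
        return "connect_tunnel"
    if target.startswith(("http://", "https://")):
        # Absolute-form request target (RFC 7230 section 5.3.2). Legal when it names one of our own
        # hosts; pointing at a third-party host means the client is treating us as an open proxy.
        host = (urlsplit(target).hostname or "").lower()
        if host not in own_hosts:
            return "forward_proxy_probe"
    return None


def scan(log_text, own_hosts):
    """Run the classifier over every parseable line and collect the hits in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry, own_hosts)
        if kind:
            findings.append({"ip": entry["ip"], "kind": kind, "target": entry["target"], "ua": entry["ua"]})
    return findings


def probing_ips(findings):
    """Group findings per source address so a repeat prober can be blocked or reported."""
    per_ip = defaultdict(list)
    for f in findings:
        per_ip[f["ip"]].append(f["kind"])
    return dict(per_ip)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG, OWN_HOSTS)
    for f in found:
        print(f'{f["ip"]:15} {f["kind"]:20} {f["target"]}')
    print(probing_ips(found))
```

Only the two requests from 192.0.2.44 are reported; the absolute-form request for `www.example.net` is legitimate HTTP/1.1 and is left alone. The 404 and 400 statuses in the constructed lines are what you want to see: they mean the server refused to relay. The case to worry about is the same probe answered with a 200 and a non-trivial body size, which would indicate a forwarding misconfiguration such as Apache's `ProxyRequests On`. If a CDN or reverse proxy sits in front of the server, take the client address from the forwarded-client header it sets rather than from the first log field.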
News flash, subtext (Score:2)
Wired discovers VPNs and Tor routing.
Subtext: only 'cybercriminals' (child molesters!) use them.
Re: (Score:2)
AI scrapers use these residential proxies. It's not (just) VPNs and Tor routing. Several bottom-feeding companies openly advertise such scraping services, for pretty much any country you may want [scraperapi.com]. I administer a wiki that's been on the receiving end of such scraping, and the majority of these scraping requests are in fact coming from residential IP-addresses rather than data centers.
I don't know whether these are hacked accounts, people getting tricked or paid to run these scraping apps on their devices, bu