Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
Security IT

Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight (wired.com) 34

Posted by msmash from the sophisticated-attacks dept.
Cybercriminals have been increasingly turning to "residential proxy" services over the past two to three years to disguise malicious web traffic as everyday online activity, according to research presented at the Sleuthcon cybercrime conference. The shift represents a response to law enforcement's growing success in targeting traditional "bulletproof" hosting services, which previously allowed criminals to maintain anonymous web infrastructure.

Residential proxies route traffic through decentralized networks running on consumer devices like old Android phones and low-end laptops, providing real IP addresses assigned to homes and offices. This approach makes malicious activity extremely difficult to detect because it appears to originate from trusted consumer locations rather than suspicious server farms. The technology creates particular challenges when attackers appear to come from the same residential IP ranges as employees of target organizations.
This discussion has been archived. No new comments can be posted.

Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight More

Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight

Comments Filter:

  • FUD (Score:5, Insightful)

    by sinij ( 911942 ) on Saturday June 07, 2025 @09:02AM (#65433879)
    This narrative is intentionally crafted to justify mass surveillance and mandatory backdoors in cryptography.

    • Re: FUD (Score:3, Informative)

      by ihavesaxwithcollies ( 10441708 )
      No different than saying were only going after the bad illegal immigrants. Anyone with half of a brain knew that was a lie. Even if they are not bad, they will still try to rig the system and charges against them. Sidenote: to trumpers all non whites are bad. Look at the Maryland citizen that was illegally deported, the charges filed against him are so utterly ridiculous, the federal prosecutor resigned rather than be apart of bondis perverted and morally repugnant right wing justice

    • Re: (Score:1)

      by Anonymous Coward
      That's not what the article is even remotely about. It's about the problem of shitty networking equipment and unruly bulletproof hosting providers. We needed cybersecurity standards for commercial products 20 years ago. We're basically allowing poison in our home networks and nobody seems to care. Imagine someone changing DNS settings on your home router and redirecting you to fake banking portals. Yes.... this happened because the routers were basically stitched together with 3 lines of code and anyone c

      • Re: (Score:3)

        by KGIII ( 973947 )

        I confess, AC, I don't even know who voted their comment up.

        I did note the 'increasingly' bit in the summary. That's because, as you know, this isn't new. Malicious actors have been doing this for a long time. They use these IPs for things like spamming, DDoS attacks, hiding traditional hacking at scale, and things like that.

        They're just doing this more often because finding reliable hosts to provide them with compromised addresses. Then again, those hosts were already using hacked residential IP addresses.

        • Re: (Score:2)

          by gweihir ( 88907 )

          And, yes, it's more difficult these days. I've been trying to find a reputable company (at a reasonable price) to just do a simple DDoS for me.

          No, not for anything illegal. I just want to test some of my own infrastructure. It has gone through a DDoS attack a couple of times and has been just fine. But, those were short-lived (under an hour) and not very impressive as far as the numbers go. I'd like to find the breaking point so that I can work on that.

          I think you are lying. A localized simulated DDoS is not hard to do and as good as the real thing. Any competent pen-testing outfit should be capable and willing.

          • Re: (Score:2)

            by KGIII ( 973947 )

            It's not local, but a pair of leased servers. It's nothing huge, or anything like that.

            I've yet to find anyone with a reasonable price. I note that you did not include a link to anyone with a reasonable price for this.

      • Re: (Score:3)

        by sinij ( 911942 )
        If the main point was about insecure consumer networking equipment then the article would have prominently mentioned that and recommended liability and mandatory certification as a solution. Instead it spoke about proxies, IP addresses, and residential traffic. They are crafting this FUD to justify further domestic monitoring, crackdown on VPNs, and possibly mandatory backdoors. They are using cybercriminals as a pretext, as the stated problem is nothing new.

        • Re: (Score:2)

          by gweihir ( 88907 )

          Indeed. The problem is insecure systems. In any other engineering discipline that gets resolved with liability and minimal standards and, if needed, people going to prison. (No, that will _not_ kill FOSS. That is just a lie.) IT just has not had its really big catastrophes yet, or rather so far they were too abstract. But the way Microsoft (and others) are going, it is just a question of time.

    • Re: (Score:2)

      by gweihir ( 88907 )

      Indeed. The whole story is essentially nonsense. If anything, they should call for better system security. But then they would have to criticize Microsoft for its abysmally shoddy practices and pathetic security. And that cannot be.

  • Refer:
    - Reddit - r:/webscraping
    - https://www.reddit.com/r/websc... [reddit.com]
    - What are my options for proxies for webscraping?

    From 3 years ago....

    - Discussion of how to spread a web scraper load out on a larger set of IP addresses

    > 1. install tor
    > 2. start tor
    > 3. use tor as proxy on localhost at port 9150
    > https://tor.stackexchange.com/... [stackexchange.com]

  • The ways data can be hidden in plain site are virtually limitless. Obvious ones are using the least significant bit in WAV data, putting space and tab whitespace on the end of lines in plain text etc. The only limitation is the imagination of people who need to do it.

  • The shift represents a response to law enforcement's growing success in targeting traditional "bulletproof" hosting services

    Is that actually a response to law enforcement's growing success or have they simply found that using a bunch of hacked devices that companies have abandoned is a better option?

    “The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,”
    “That's the magic of a proxy service—you cannot tell who’s who. It's good in terms of internet freedom, but it's super, super tough to analyze what’s happening and identify bad activity.”
    “I don’t know yet how we can improve the proxy issue,”

    To me, it seems like it has the distinct advantage of being better suited of the purpose and addition to being beyond anyone's reach. Law enforcement may not even be a real consideration here.

    • Re: (Score:2)

      by allo ( 1728082 )

      Most are hacked servers. Do you run a webserver? Let it log when someone tries to use it as a proxy. There are A LOT of bots that try that. Have a look where the spam comes from. Almost all comes from addresses like info@webshop-foo, which are obviously just accounts on legitimate servers that were hacked because someone had a weak password. The internet is full of bots that do nothing but test if someone uses a weak password to either start spamming from their mail address, use their open proxy, or install

      • Re: (Score:2)

        by gweihir ( 88907 )

        Indeed. Crappy systems with crappy system administration. It is time that businesses become liable.

        • Re: (Score:2)

          by allo ( 1728082 )

          Too many gray areas.

          Do you have a good proof that's my server who sent the spam? Am I liable or my hoster? What about hosted mail? What about hosted homepage+mail (as secondary service), what about vservers, what about dedicated servers? Am I accountable for my weak e-mail password, or only for my weak root password? What if the password was good, but the password reset mechanism relied on stupid "What was your first dogs name" questions?

          All of that doesn't matter too much when you sent the hoster an e-mail

  • Wited discovers VPNs and Tor routing.
    Subtext: only 'cybercriminals' (child molesters!) use them.

    • Re: (Score:3)

      by Halo1 ( 136547 )

      AI scrapers use these residential proxies. It's not (just) VPNs and Tor routing. Several bottom-feeding companies openly advertise such scraping services, for pretty much any country you may want [scraperapi.com]. I administer a wiki that's been on the receiving end of such scraping, and the majority of these scraping requests are in fact coming from residential IP-addresses rather than data centers.

      I don't know whether these are hacked accounts, people getting tricked or paid to run these scraping apps on their devices, bu

  • I had to check what decade this was from. Residential proxies have been a thing long before even data centre proxies became a thing. There's a ton of companies offering this service: https://residentialproxyreview... [residentia...eviews.com] There's both ethical and unethical types of residential proxies, the ethical ones typically pay people $20 a month or so to run a proxy server in their home through companies like HoneyGain. Unethical proxies might be installed with spyware and other unwanted apps.

Slashdot Top Deals

Consider the postage stamp: its usefulness consists in the ability to stick to one thing till it gets there. -- Josh Billings

Close