Cybercriminals Hide Malicious Web Traffic in Plain Sight
For years, gray-market services known as “bulletproof” hosts have been a key tool for cybercriminals who want to keep their web infrastructure anonymous, no questions asked. But as global law enforcement scrambles to crack down on digital threats, it has developed strategies for obtaining customer information from these hosts and has increasingly targeted the people behind the services with criminal charges. At the cybercrime-focused Sleuthcon conference in Arlington, Virginia, today, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and their criminal customers toward an alternative approach.

Rather than relying on web hosts to find ways of operating beyond the reach of law enforcement, some service providers have turned to offering purpose-built VPNs and other proxy services as a way to rotate and mask customers' IP addresses, and to offer infrastructure that intentionally does not log traffic or that mixes traffic from many sources together. And while the technology is not new, Seret and other researchers have emphasized that the shift toward proxy use among cybercriminals over the last two years is significant.

“The problem is that you can't technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a researcher at the threat intelligence firm Team Cymru, told Wired ahead of his talk. “That's the magic of a proxy service: you can't tell who is who. It's good in terms of internet freedom, but it's super, super tough to analyze what's happening and identify bad activity.”

The main challenge in addressing cybercriminal activity hidden behind proxies is that the same services may also, even primarily, carry legitimate and benign traffic. Criminals, and the companies that do not want to lose them as customers, have gravitated in particular toward what are known as “residential proxies”: an array of decentralized nodes that can run on consumer devices, even old or low-end Android phones, lending out the real, rotating IP addresses assigned to homes and offices. These services offer anonymity and privacy, but they can also shield malicious traffic.

By making malicious traffic look as though it comes from trusted consumer IP addresses, attackers make it much harder for organizations' scanners and other threat detection tools to identify suspicious activity. And, crucially, residential proxies and other decentralized platforms that run on disparate consumer hardware reduce a service provider's own insight and control, making it harder for law enforcement to obtain anything useful from them.
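Because a residential proxy node presents a real consumer IP address, reputation lookups on the address itself give defenders little to work with. One signal that survives is behavioral: a single authenticated session whose client address hops across several unrelated residential networks within seconds. The script below is an added example, not code from the article or from Team Cymru; it runs a session-rotation heuristic over a constructed authentication log (RFC 5737 documentation addresses, private-range ASNs, both hypothetical) and flags sessions that touch more than a configurable number of autonomous systems inside a short window. A session that changes address once within the same ASN, as a phone switching cells or a home connection re-dialing would, is deliberately left unflagged.

```python
"""Flag sessions whose client IP rotates across many ASNs in a short window.

Added detection example (not from the article). The log format is assumed:
one event per line, "<ISO timestamp> <session_id> <client_ip> <ASN>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: s1 hops across four ASNs in 30 seconds (consistent with
# a rotating residential proxy); s2 changes address once but stays in one ASN.
SAMPLE_LOG = """\
2024-05-01T10:00:01 s1 203.0.113.10 AS64500
2024-05-01T10:00:09 s1 198.51.100.7 AS64501
2024-05-01T10:00:20 s1 192.0.2.55 AS64502
2024-05-01T10:00:31 s1 203.0.113.200 AS64503
2024-05-01T10:05:00 s2 198.51.100.20 AS64501
2024-05-01T10:06:00 s2 198.51.100.20 AS64501
2024-05-01T10:07:30 s2 198.51.100.21 AS64501
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, ip, asn = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "session": session, "ip": ip, "asn": asn})
    return events


def _by_session(events):
    """Group events by session id, each group sorted by timestamp."""
    groups = defaultdict(list)
    for e in events:
        groups[e["session"]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def summarize_sessions(events):
    """Per-session counts useful for triage: events, distinct IPs/ASNs, time span."""
    summary = {}
    for sid, evs in _by_session(events).items():
        summary[sid] = {
            "events": len(evs),
            "distinct_ips": len({e["ip"] for e in evs}),
            "distinct_asns": len({e["asn"] for e in evs}),
            "span_seconds": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
        }
    return summary


def flag_rotating_sessions(events, max_asns=2, window_seconds=600):
    """Return session ids seen from more than `max_asns` ASNs within any
    sliding window of `window_seconds`. Thresholds are assumptions; tune
    them against your own baseline of benign address changes."""
    flagged = set()
    for sid, evs in _by_session(events).items():
        for i, start in enumerate(evs):
            asns = set()
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                asns.add(e["asn"])
            if len(asns) > max_asns:
                flagged.add(sid)
                break
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for sid, stats in summarize_sessions(parsed).items():
        print(sid, stats)
    print("flagged:", sorted(flag_rotating_sessions(parsed)))
```

Session rotation is only one heuristic: a proxy customer that holds one exit address for the whole session will not trip it, which is why this kind of check belongs alongside rate limits, device or cookie binding, and per-account baselines rather than replacing them.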

“Attackers have been ramping up their use of residential networks for attacks over the past two or three years,” says Ronnie Tokazowski, a longtime digital scam researcher and co-founder of the nonprofit Intelligence for Good. “If attackers are coming from the same residential ranges as, say, the employees of a target organization, it's harder to track.”

Criminal use of proxies is not new. In 2016, for example, the US Department of Justice said that one of the obstacles in its years-long investigation of the notorious criminal platform “Avalanche” was the service's use of a “fast-flux” hosting method that hid the platform's malicious activity behind constantly changing IP addresses. But the rise of proxies as a gray-market service, rather than something attackers have to build in-house, is an important shift.

“I still don't know how we can improve the proxy problem,” Team Cymru's Seret told Wired. “I guess law enforcement could target well-known malicious proxy providers, as they did with bulletproof hosts. But in general, proxies are internet services used by everyone. Even if a malicious service is taken down, that doesn't solve the broader challenge.”
