Cybercriminals hide malicious network traffic behind proxy services

Over the years, gray-market services known as "bulletproof" hosts have been key tools for cybercriminals hoping to maintain network infrastructure anonymously and with no questions asked. But as law enforcement agencies worldwide have stepped up their pursuit of digital threats, they have developed strategies for obtaining customer information from these hosts and have increasingly targeted the people behind them with indictments. At a cybercrime-focused conference held today in Arlington, Virginia, researcher Thibault Seret outlined how this shift is pushing both bulletproof hosting companies and their criminal clients toward a different approach.
Rather than relying on web hosts to find ways of operating beyond the reach of law enforcement, some service providers have turned to offering purpose-built VPNs and other proxy services as a way to rotate and mask customer IP addresses, and to provide infrastructure that either deliberately does not log traffic or mixes it with traffic from many other sources. The technology itself is not new, but Seret and other researchers stress that over the past few years the shift among cybercriminals toward proxy services has been significant.
"The problem is, you can't technically distinguish which traffic in a node is bad and which traffic is good," Seret, a researcher at the threat intelligence company Team Cymru, told WIRED ahead of his talk. "That's the magic of a proxy service: you can't tell who is who. It's great when it comes to internet freedom, but it's super hard to analyze what's going on and identify bad activity."
The core challenge in addressing cybercrime activity hidden by proxies is that these services may also, and even primarily, carry legitimate, benign traffic. Criminals, and the providers that don't want to lose them as customers, have particularly gravitated toward what are known as "residential proxies": a collection of decentralized nodes that can run on consumer devices (even old Android phones or low-end laptops), providing real, rotating IP addresses that are assigned to homes and offices. Such services offer anonymity and privacy, but they can also mask malicious traffic.
By making malicious traffic appear to come from trusted consumer IP addresses, attackers make it harder for organizations' scanners and other threat-detection tools to flag suspicious activity. And, crucially, residential proxies and other decentralized platforms running on disparate consumer hardware reduce the visibility and control the service providers themselves have, which in turn makes it harder for law enforcement to obtain anything useful from them.
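The failure mode described above, as an added illustration that is not code from the article, from Team Cymru or from any product: an IP-reputation check that only knows datacenter and commercial VPN ranges lets a login-stuffing session pass as soon as each request exits through a different residential address. The log lines, the "datacenter" ranges and the per-session IP-churn heuristic used as a contrasting signal are all constructed for this example (the ranges are RFC 5737 documentation networks, not real hosts), and the heuristic is the editor's choice, not a method the article attributes to anyone.

```python
import ipaddress
from collections import defaultdict

# Constructed denylist standing in for an IP-reputation feed: ranges a
# defender would label "datacenter / commercial VPN". Residential space is
# deliberately absent, which is exactly the gap residential proxies exploit.
DATACENTER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed access-log excerpt: "<session_id> <client_ip> <method> <path>".
#   s1: a normal user, one IP for the whole session.
#   s2: an attacker whose residential-proxy client rotates the exit IP on
#       every request, all from "home" space the reputation feed trusts.
#   s3: the same attack routed through a known datacenter range.
SAMPLE_LOG = """\
s1 192.0.2.10 GET /login
s1 192.0.2.10 POST /login
s1 192.0.2.10 GET /mail
s2 192.0.2.57 POST /login
s2 192.0.2.131 POST /login
s2 192.0.2.200 POST /login
s2 192.0.2.44 POST /login
s3 203.0.113.9 POST /login
s3 203.0.113.9 POST /login
"""


def parse_log(text):
    """Return a list of (session_id, ip_address, path) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        session_id, ip, _method, path = parts
        events.append((session_id, ipaddress.ip_address(ip), path))
    return events


def is_datacenter_ip(ip):
    """Reputation-only verdict: True if the IP sits in a denylisted range."""
    return any(ip in net for net in DATACENTER_RANGES)


def flagged_by_reputation(events):
    """Sessions with at least one request from a denylisted range."""
    return {sid for sid, ip, _path in events if is_datacenter_ip(ip)}


def flagged_by_ip_churn(events, max_distinct_ips=2):
    """Sessions that hop across more than max_distinct_ips source addresses.

    A single browser session rarely changes its public IP more than once or
    twice (e.g. Wi-Fi to mobile). A rotating proxy changes it per request,
    so counting distinct IPs per session is a signal that does not depend
    on where the IPs are allocated.
    """
    ips_per_session = defaultdict(set)
    for sid, ip, _path in events:
        ips_per_session[sid].add(ip)
    return {sid for sid, ips in ips_per_session.items() if len(ips) > max_distinct_ips}


def detect(text):
    """Run both checks and report which sessions each one catches."""
    events = parse_log(text)
    return {
        "reputation": flagged_by_reputation(events),
        "ip_churn": flagged_by_ip_churn(events),
    }


if __name__ == "__main__":
    verdicts = detect(SAMPLE_LOG)
    print("reputation check flags:", sorted(verdicts["reputation"]))
    print("ip-churn check flags:  ", sorted(verdicts["ip_churn"]))
```

Running it shows the point of the paragraph: the reputation check catches only s3, the datacenter-routed copy of the attack, and never sees s2, because every one of its addresses looks like a household. The churn check catches s2 instead, but it would also miss a proxy pool that pinned one residential exit per session, and it cannot help at all when, as Tokazowski notes below, the exit really is in the same range as the target's own employees.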
"For the past two to three years, attackers have been stepping up their use of residential networks for attacks," said Ronnie Tokazowski, a longtime digital-scam researcher and co-founder of a nonprofit intelligence organization. "If the attacker is coming from the same residential range as the employees of the target organization, it's difficult to track."
The criminal use of proxies is nothing new. In 2016, for example, the U.S. Department of Justice said that one of the barriers to its years-long investigation into the notorious "Avalanche" cybercrime platform was the platform's use of a "fast-flux" hosting method, which masked its malicious activity behind constantly changing proxy IP addresses. But the rise of proxies as a gray-market service, rather than something attackers must build in-house, is an important shift.
"I don't know yet how we can improve the proxy problem," Team Cymru's Seret told WIRED. "I guess law enforcement could target known malicious proxy providers like they do with bulletproof hosts. But overall, proxies are an internet service that everyone uses. Even if you take down one malicious service, it won't solve the bigger challenge."