Cybercriminals Opt for Proxy Services as Law Enforcement Cracks Down
A Shift in Cybercrime Infrastructure
In recent years, gray-market services commonly referred to as "bulletproof" hosts have been pivotal for cybercriminals aiming to maintain their web infrastructure with anonymity. However, as global law enforcement intensifies its efforts to combat digital threats, strategies to extract customer information from these hosts are evolving. Increasingly, authorities are targeting individuals behind these services with indictments.
The Rise of Proxy Services
At the cybercrime-focused conference Sleuthcon, held in Arlington, Virginia, researcher Thibault Seret presented insights on how this law enforcement crackdown has transformed both bulletproof hosting companies and their criminal clientele. A notable trend is the pivot towards purpose-built Virtual Private Networks (VPNs) and other proxy services designed to obscure and rotate customer IP addresses.
Seret, a researcher at the threat intelligence firm Team Cymru, emphasized the significance of this shift. “You cannot technically distinguish which traffic in a node is bad and which is good,” he stated, highlighting the nuanced challenges posed by proxy services. This level of anonymity complicates threat analysis, making it harder for authorities to identify malicious activities.
The Unique Challenges of Proxies
The primary difficulty in tackling cybercriminal activity sustained by proxies lies in their dual nature: while these services often facilitate illicit activities, they simultaneously carry legitimate traffic. Criminals and their service providers are increasingly adopting "residential proxies," networks of decentralized nodes that can function on everyday consumer devices, ranging from older Android smartphones to low-end laptops. These proxies use genuine, rotating IP addresses linked to homes and offices.
By masking malicious traffic under the guise of trusted consumer IP addresses, cybercriminals hinder organizations’ ability to detect suspicious activities using standard scanning tools. Furthermore, the decentralized infrastructure relies on varying consumer hardware, complicating law enforcement’s ability to gather pertinent intelligence.
Increasing Use of Residential Networks
Researcher Ronnie Tokazowski, a co-founder of the nonprofit Intelligence for Good, noted a significant uptick in the use of residential networks for attacks over the past few years. “If attackers are accessing systems from the same residential IP ranges as employees of a targeted organization, it becomes considerably more challenging to track them,” he explained.
The utilization of proxies for illicit purposes is not a novel concept. In 2016, the U.S. Department of Justice encountered considerable challenges in investigating the "Avalanche" cybercriminal network, primarily due to its implementation of a “fast-flux” hosting approach that obscured malicious activities with ever-changing proxy IP addresses. However, the emergence of proxy services as a gray-market option represents a critical development.
Navigating Future Challenges
Despite the growing reliance on proxies among criminal organizations, Seret expressed uncertainty regarding effective solutions to this issue. “Law enforcement could target known malicious proxy providers just as they did with bulletproof hosts. Nevertheless, proxies serve broader internet functions, utilized by various users. Disabling one nefarious service does not address the overarching challenge,” he concluded.
As the landscape of cybercrime continues to evolve, both law enforcement and cybersecurity experts must adapt to these shifting tactics to safeguard digital environments effectively.