Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight

For years, gray-market services known as “bulletproof” hosts were a major tool for cybercriminals looking to maintain anonymous web infrastructure with no questions asked. But as global law enforcement has moved to crack down on digital threats, it has developed strategies for obtaining customer information from these hosts and has increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in Arlington, Virginia, today, researcher Thibault Seret explained how this shift has pushed both bulletproof hosting companies and their criminal customers toward an alternative approach.
Instead of relying on web hosts to find ways of operating out of law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses, and to providing infrastructure that either intentionally does not log traffic or mixes traffic from many sources together. Although the technology is not new, Seret and other researchers have emphasized that the transition to using proxies among cybercriminals over the past two years is significant.
“The problem is that you cannot technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a threat researcher at the firm Team Cymru, told WIRED before his speech. “This is the magic of a proxy service: you cannot know who it is. It’s good in terms of internet freedom, but it is very difficult to analyze what is happening and identify bad activity.”
The primary challenge in addressing cybercriminal activity hidden by proxies is that the services may also, even primarily, facilitate legitimate traffic. Criminals, and companies that do not want to lose them as customers, have been particularly drawn to what are known as “residential proxies,” an array of decentralized nodes that can run on consumer devices, even old Android phones or low-end laptops, and that rely on real IP addresses assigned to homes and offices. These services provide anonymity and privacy, but they can also shield malicious traffic.
By making malicious traffic appear to come from trusted consumer IP addresses, attackers make it more difficult for traffic scanners and other threat detection tools to spot suspicious activity. More importantly, residential proxies and other decentralized platforms that run on disparate consumer devices reduce the service provider's own visibility and control, which makes it difficult for law enforcement to obtain anything useful from them.
“Attackers have intensified their use of residential networks for attacks over the past two to three years,” says Ronnie Tokazowski, a longtime digital fraud researcher and founder of the nonprofit Intelligence for Good. “If the attackers come from the same residential ranges as, for example, the targeted organization, it is difficult to track.”
Criminal use of proxies is not new. In 2016, for example, the US Department of Justice said that one of the obstacles in its year-long investigation of the notorious “Avalanche” platform was the service's use of a “fast-flux” hosting method that hid the platform's malicious activity behind constantly changing proxy IP addresses. But the rise of proxies as a gray-market service, rather than something attackers must develop in-house, is an important shift.
“I don’t know how we can improve the proxy issue,” Team Cymru's Seret said. “I think law enforcement can target well-known malicious proxy service providers as they did with bulletproof hosts. But in general, proxies are whole internet services that everyone uses. Even if you take down one malicious service, this does not solve the bigger challenge.”
2025-06-06 19:05:00