MY TAKE: Here’s how ‘bulletproof proxies’ help criminals put compromised IoT devices to work

Between Q1 2019 and Q2 2019, malicious communications emanating from residential IP addresses in the U.S. – namely smart refrigerators, garage doors, home routers and the like – nearly quadrupled for the retail and financial services sectors.


To put it plainly, this represented a spike in cyber attacks bouncing through ordinary Internet-connected devices humming away in homes across America. These attacks were carried out by cyber criminals leveraging an insidious new attack tool: bulletproof proxies.

What were they up to? IoT devices are proving integral to the automated campaigns cyber criminals use to manipulate social media likes, create fake accounts, take over existing accounts, stuff credentials, scrape content, commit click fraud and carry out other cyber villainy.

This stunning intel comes in a study from Cequence Security, a Sunnyvale, CA-based vendor focused on helping companies defend against such attacks. These findings have huge implications, not just highlighting what a huge drain botnets have become to our Internet-centric economy, but also underscoring how botnets have become a disruptive force in political discourse, globally.

I had a deep discussion about this with Cequence’s Will Glazier, head of research, and Matt Keil, director of product marketing, at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. My big takeaways:

Bulletproof weaponry

Back in 2007, a noted fellow journalist, Brian Krebs, exposed how the Russian Business Network had pioneered something called “bulletproof hosting.” RBN provided web hosting services to one-and-all, and then looked the other way as spammers, fraudsters and even child pornography distributors did their thing, operating their botnets with impunity.

Just the other day, Krebs broke another story about what he’s calling “bulletproof residential VPN services.” And Cequence has done deep analysis on “bulletproof proxies” — the latest, greatest iteration of bulletproof hosting. Instead of building out and hosting a server farm that can be isolated and potentially shut down by law enforcement, bulletproof proxy providers today assemble millions of globally distributed IP addresses and make those available to one-and-all.

Crucially, the availability of an endless supply of IP addresses reinforces the viability of botnets. (A bot is a compromised computing node, and a botnet is a network of such nodes under the control of a botmaster.) The fact that botnet nodes today increasingly originate from residential IP addresses is significant for two reasons:

• Companies like Comcast, AT&T, Bell, Virgin and Vodafone have very little incentive to cut off any residential IP address, since it just might belong to a real customer ready to make a purchase.

• Bulletproof proxy providers are known to be very lenient about what proxies are actually used for, not to mention they wouldn't give law enforcement the time of day.

The result is what we see taking place in the Internet wild today. Cequence recently compiled a report about this, based on the malicious traffic it detects and deflects on behalf of its customers. Key findings:

• Attacks from US residential proxies increased 361% between Q1 2019 and Q2 2019.

• Across US-based financial services companies, attacks from bulletproof proxies spiked 518% between Q1 2019 and Q2 2019.

• In the same time frame, US-based retail companies experienced roughly an 800% spike.


“Why would anyone need a network of 30 million U.S. residential IP addresses?” Glazier asked me. “It’s because scale is hugely important in these attacks. Over the course of a week, it enables the attackers to send a million different log-in requests, from a million different IP addresses. That makes their attack really hard to
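Glazier's point, one login attempt per IP per week, is exactly what defeats the usual per-IP rate limit. The following is an added, constructed example (not Cequence's code or data) that generates a synthetic one-hour login log, applies a per-IP failure threshold, and then computes the aggregate window signals that still expose a proxy-distributed credential-stuffing run. The IP ranges, user names, thresholds and hit rate are all assumptions chosen for the illustration.

```python
"""
Added, constructed example (not Cequence's code or data): why a per-IP
rate limit misses credential stuffing spread over a proxy network, and
which aggregate signals in a login log still expose it.
"""
from collections import Counter
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since the start of a one-hour window
    src_ip: str
    username: str
    success: bool


def make_events(include_attack=True, seed=7):
    """Synthetic one-hour login log. Values are constructed, not measured."""
    rng = random.Random(seed)
    events = []
    # Legitimate traffic: ~150 users from a couple hundred home IPs, 90% success.
    for _ in range(300):
        ip = f"203.0.113.{rng.randint(1, 200)}"
        user = f"user{rng.randint(1, 150)}"
        events.append(LoginEvent(rng.randint(0, 3599), ip, user, rng.random() < 0.9))
    if include_attack:
        # Stuffing run: 2,000 leaked username/password pairs, each tried once,
        # each from a different proxied residential IP, ~1% of pairs still valid.
        for i in range(2000):
            ip = f"100.{64 + (i >> 16)}.{(i >> 8) & 255}.{i & 255}"   # assumed proxy pool
            user = f"leaked{i}"
            events.append(LoginEvent(rng.randint(0, 3599), ip, user, rng.random() < 0.01))
    events.sort(key=lambda e: e.ts)
    return events


def per_ip_rate_limit(events, max_failures=10):
    """Classic control: block any IP with more than max_failures failed logins."""
    fails = Counter(e.src_ip for e in events if not e.success)
    return {ip for ip, n in fails.items() if n > max_failures}


def window_signals(events):
    """Aggregate signals that do not depend on any single IP misbehaving."""
    failures = [e for e in events if not e.success]
    if not failures:
        return {"failure_ratio": 0.0, "ip_diversity": 0.0, "single_shot_ips": 0.0}
    attempts_per_ip = Counter(e.src_ip for e in events)
    return {
        # share of all attempts in the window that failed
        "failure_ratio": len(failures) / len(events),
        # distinct source IPs among failures, per failure (1.0 = every failure came from a new IP)
        "ip_diversity": len({e.src_ip for e in failures}) / len(failures),
        # share of source IPs that made exactly one attempt in the window
        "single_shot_ips": sum(1 for n in attempts_per_ip.values() if n == 1) / len(attempts_per_ip),
    }


def is_stuffing_window(signals, failure_ratio=0.5, ip_diversity=0.9):
    """Thresholds are illustrative; tune them against your own baseline traffic."""
    return signals["failure_ratio"] > failure_ratio and signals["ip_diversity"] > ip_diversity


if __name__ == "__main__":
    attack = make_events()
    print("per-IP blocks:", len(per_ip_rate_limit(attack)))   # 0: each bot IP fails only once
    print("signals:", window_signals(attack))
    print("stuffing window?", is_stuffing_window(window_signals(attack)))
```

The per-IP rule never fires because every proxied IP contributes a single failure, which looks like one customer mistyping a password. The window-level failure ratio and IP diversity jump immediately, and they stay high even if the attacker slows the run down, because the signal is the shape of the traffic rather than the volume from any one address. In practice these signals are combined with device fingerprinting, ASN reputation and per-account lockout rather than used alone.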

Abusing business logic

The rise of bulletproof proxies has led to a blossoming of fresh money-making capers. These scams all tend to revolve around abusing the fundamental business logic built into the core applications that drive e-commerce, Keil told me.

Inventory spinning, for instance, has become an art form, thanks to the availability of bulletproof proxies. Attackers use a fake or compromised account to, say, add an airline seat to a shopping cart and never check out, so the seat stays held. They then attempt to sell that seat for a higher price through another service. Much the same thing is being done, at scale, for high-end, high-demand sneakers, Keil says.

Doing this manually would be tedious, of course, and most likely prove futile. But automating the process, and repeating log-in and transaction attempts thousands of times, is proving to be successful and profitable, judging from the rising levels of inventory spinning Cequence is detecting.
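The inventory-spinning abuse above works because a cart hold takes a unit out of stock without a sale. The following is an added, constructed example (not the original post's or Cequence's code) of a minimal cart-reservation model: with indefinite holds and no per-account cap, a scripted run of fake accounts drains the stock and real shoppers are turned away; with a hold expiry and a per-account hold cap, shoppers still get served and the held units return to stock. The stock level, account counts, timings and thresholds are assumptions chosen for the illustration.

```python
"""
Added, constructed example (not from the original post or Cequence): a cart
reservation model showing how indefinite cart holds let an automated
inventory-spinning run exhaust stock without buying, and how hold expiry plus
a per-account hold cap limit the damage.
"""


class Inventory:
    def __init__(self, stock, hold_ttl=None, max_holds_per_account=None):
        self.stock = stock                        # units neither held nor sold
        self.hold_ttl = hold_ttl                  # seconds a cart hold lives; None = forever (weak)
        self.max_holds = max_holds_per_account    # open holds allowed per account; None = unlimited (weak)
        self.holds = {}                           # hold_id -> (account, expires_at or None)
        self.sold = 0
        self._next_id = 0

    def _expire(self, now):
        """Release every hold whose expiry has passed, returning its unit to stock."""
        for hid, (_, exp) in list(self.holds.items()):
            if exp is not None and exp <= now:
                del self.holds[hid]
                self.stock += 1

    def reserve(self, account, now):
        """Add-to-cart: take one unit out of stock for this account, or refuse."""
        self._expire(now)
        if self.max_holds is not None:
            open_holds = sum(1 for acct, _ in self.holds.values() if acct == account)
            if open_holds >= self.max_holds:
                return None
        if self.stock == 0:
            return None
        self.stock -= 1
        hid = self._next_id
        self._next_id += 1
        expires_at = None if self.hold_ttl is None else now + self.hold_ttl
        self.holds[hid] = (account, expires_at)
        return hid

    def checkout(self, hold_id, now):
        """Convert a live hold into a sale; an expired or unknown hold cannot be bought."""
        self._expire(now)
        if hold_id not in self.holds:
            return False
        del self.holds[hold_id]
        self.sold += 1
        return True

    def available(self, now):
        self._expire(now)
        return self.stock


def run_scenario(stock=200, hold_ttl=None, max_holds=None):
    """Constructed scenario: 50 bot accounts script 10 add-to-cart calls each and
    never check out; 50 real shoppers arrive later, each wanting one unit."""
    inv = Inventory(stock, hold_ttl, max_holds)
    for attempt in range(10):
        for acct in range(50):
            inv.reserve(f"bot{acct}", now=attempt)       # one call per second per account
    sold, denied = 0, 0
    for s in range(50):
        hid = inv.reserve(f"shopper{s}", now=300)
        if hid is None:
            denied += 1
        elif inv.checkout(hid, now=320):
            sold += 1
    return {"sold": sold, "denied": denied, "available_at_t1000": inv.available(now=1000)}


if __name__ == "__main__":
    print("indefinite holds, no cap:", run_scenario())                       # shoppers all denied
    print("10-minute holds, 2 per account:", run_scenario(hold_ttl=600, max_holds=2))
```

With no expiry and no cap, the bots' first 200 add-to-cart calls take every unit, the shoppers are refused, and the stock never comes back. With a 10-minute hold and a cap of two open holds per account, the same run holds only 100 units, every shopper is served, and by t=1000 the bot holds have lapsed and the units are back on sale. The cap alone is not enough, since the attacker can simply register more fake accounts; the expiry is what bounds how long held inventory stays off the market, and a per-account ratio of holds to completed checkouts is a useful signal for spotting the accounts doing the spinning.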


“It’s a perpetuating problem,” Keil says. “The attackers are very committed. Think about this, if you have 100,000 user credentials and you get a 0.01 response rate, you’re going to be able to make money. And so the attackers will retool on a regular basis, oftentimes stringing the attack out over long periods of time to more effectively hide in plain sight.”

Cyber criminals worth their salt can routinely earn between $1,000 and $3,000 a month, and the elite ones can take home $20,000 a month or more. We know this from the Inside the Mind of a Cybercriminal survey conducted by Andrei Barysevich, director of advanced collection at Recorded Future.

“There’s a reason why cyber criminals are going to this level of automation and sophistication: they can make money, they can make a lot of money,” Keil says. “It’s a big business.”

Disinformation waves coming

It’s tempting to dismiss the potential revenue loss to inventory spinning as the online merchants’ cost of doing business. But consider what could happen if a threat actor decided to game the market for prescription drugs, such as insulin, or try to foment chaos in US financial markets.


The world has already experienced what it’s like to have a nation-state operative proactively influence elections by deploying botnets to bury the truth and spread propaganda. For instance, this study by researchers at Oxford University concluded that botnets played a “strategic role” in the social media discussion leading up to Britons voting in favor of Brexit.

And in the 2016 US elections, botnets fueled combative tweeting, helped to push out wildly conflicting polling results, and factored into the hacking of the Democratic party’s emails. Botnets also facilitated the creation of millions of faked Twitter followers for Donald Trump.

“A very popular story line from the past, is the news around the election — about faked accounts, artificially liking, sharing and distributing content, and using bots to manipulate people’s impression of that content,” Glazier says. “So that’s going to happen again, for sure. It’s already starting.”

I agree with Glazier. Clearly, bulletproof proxies are giving the operators of criminal botnets more flexibility and power than ever. This foreshadows slicker disinformation campaigns to come — and continued manipulation of public opinion according to narrow political agendas.

Yes, it is encouraging that Cequence and numerous others in the cybersecurity field are innovating on a number of fronts to help enterprises, one-on-one, better defend their networks against relentlessly advancing botnets. But that’s like plugging one leak at a time in a dike that’s riddled with stress fractures.

Ultimately, the telecoms and the tech giants must do a lot more to bake in technologies that can stop this at the Internet traffic level. The sooner they get around to it, the better off we’ll all be. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: