The concept of Bulletproof Hosting is relatively well known in the security universe. These services allow customers to upload and distribute malware, illegal pornography, manage phishing sites, and host other well-known security threats. From the perspective of an attacker, a good Bulletproof Hosting service will:
- Provide anonymity and protection from prying eyes of law enforcement. This can include being located in countries and jurisdictions that will not comply with law enforcement in the victim countries.
- Be obscure enough to the general public, such that IP blocks will not be “polluted” by low-level criminal/spam operations resulting in the wholesale blacklisting of their IP ranges by most defenders.
- Be resilient to downtime. This could come in the form of downtime due to de-peering of an ASN or de-listing an IP block, as well as DDoS attacks on the servers in use. A Bulletproof Hosting service must be able to minimize downtime for their clients because margins in the hosting business are relatively thin.
Bulletproof Hosting services are key for cybercriminal activities like enabling malware C2, or hosting a phishing domain, all while maintaining safety and anonymity for the bad actor. To launch automated business logic abuse attacks such as account take overs/credential stuffing and fake account creation, bad actors require an infrastructure that provides the same safety and anonymity traits found in Bulletproof Hosting, but also provides global scalability.
To fulfill these new infrastructure requirements, bad actors have created Bulletproof Proxies, a sophisticated infrastructure that builds upon the anonymity concepts of Bulletproof Hosting, yet is tailored to large scale, automated attacks. Bulletproof Proxy networks include millions of globally distributed residential IP addresses, often marketed under the pretenses of being used for legitimate purposes like avoiding censorship or benign crawling, while at the same time turning a blind eye to potentially malicious use. These networks compete against one another for their share of adversarial buyers through different pricing strategies and techniques to build up a network that is both the “easiest to use” and “most difficult to detect”. The combination of these elements makes it easy for bad actors to launch sophisticated attacks on public facing web, mobile and API-based application.
Bulletproof Proxy providers allow users to select a proxy package from their country(s) of choice, with IP blocks distributed across many ASNs, organizations and ISPs to avoid any kind of network-based blacklisting by the victim. When used in an attack, Bulletproof Proxies provide a series of options similar to a robust consumer VPN network, however even more exclusive than many widely available commercial VPNs. For example, an attack targeting a US-based retailer would choose a US-based residential proxy package as opposed to a package from a country where it does not do business. This allows the attack to blend in to normal traffic more completely.
The inaugural research report, Bulletproof Proxies: The Evolving Cybercriminal Infrastructure is based on the CQ Prime analysis of automated malicious bot campaigns targeting three industry verticals, where Bulletproof Proxies were used extensively to maintain anonymity and distribute the attacks across millions of high reputation, residential IP addresses (such as routers, refrigerators, IoT devices, garage door motors, and others). The report maps attack patterns observed within our customer base to one of the leading Bullet Proof Proxy providers. Among the key findings highlighted in the CQ Prime inaugural research report:
- The least expensive Bulletproof Proxy package allowed the CQ Prime team to send requests through more than 853,000 IPs that were distributed across 218 different countries. Some of the most robust providers advertise networks larger than 32 million IP addresses distributed globally;
- Attacks emanating from Bulletproof Proxy networks targeting Cequence financial services and retail customer environments increased 518% and 800% respectively between Q1-Q2 2019; and
- More than 70% of the attack traffic across Bulletproof Proxy networks targeted mobile endpoints.
The analysis of Bulletproof Proxies would not be complete without an exploration of why the abuse coming from these networks matters in the real world. While many of the uses (both legitimate and not) for these networks can appear innocuous at first glance, this infrastructure is ripe for abuse, and increasing awareness will both help defenders improve detection, and increase preparation for possible unforeseen cases of abuse.