CP
cyberpings
Threat IntelHIGH

Residential Proxies - Evaded IP Reputation Checks in 78% of Sessions

Featured image for Residential Proxies - Evaded IP Reputation Checks in 78% of Sessions
BCBleepingComputer·Reporting by Bill Toulas
Summary by CyberPings Editorial·AI-assisted·Reviewed by Rohit Rana
Updated:
🎯

Basically, residential proxies are making it hard to tell attackers from regular users online.

Quick Summary

A new study reveals that residential proxies evade IP reputation checks in 78% of cases, complicating cybersecurity efforts. This issue affects many organizations, making them vulnerable to attacks. Experts recommend focusing on behavioral patterns for better defense strategies.

What Happened

Researchers from GreyNoise have uncovered a troubling trend: residential proxies used to route malicious traffic are evading IP reputation checks in 78% of analyzed sessions. This revelation comes from a study examining 4 billion sessions over a three-month period, highlighting a significant challenge for cybersecurity defenses.

Who's Affected

The findings indicate that 39% of the sessions appear to originate from home networks, likely due to the use of residential proxies. These proxies complicate the ability of IP reputation systems to distinguish between legitimate users and attackers, making it difficult for organizations to protect themselves effectively.

What Data Was Exposed

The research reveals that 89.7% of residential IPs involved in malicious activities are active for less than a month. Only a small fraction manage to persist longer, often specializing in specific types of attacks. The data shows that most residential IPs are used only once or twice before being rotated out, making them nearly invisible to traditional detection methods.

What You Should Do

To combat this evolving threat, experts recommend shifting focus from relying solely on IP reputation to analyzing behavioral patterns. Here are some suggested actions:

  • Detect sequential probing from rotating residential IPs.
  • Block clearly illegitimate protocols, such as SMB, in ISP spaces.
  • Implement tracking of device fingerprints that can survive IP changes.

The Threat

The study highlights that residential proxies are primarily sourced from IoT botnets and infected computers. The proxies often originate from SDKs in free VPNs and ad blockers, which can inadvertently enroll user devices into bandwidth-selling schemes. This creates a complex ecosystem that attackers exploit.

Who's Behind It

Major contributors to this proxy traffic include countries like China, India, and Brazil. The traffic patterns follow human behavior, dropping significantly at night when most users turn off their devices. This human-like traffic behavior helps attackers evade detection.

Tactics & Techniques

Attackers utilize these residential proxies mainly for network scanning and reconnaissance, with only a tiny fraction involved in direct exploits. This tactic of using residential IPs adds a layer of stealth to their operations, allowing them to blend in with legitimate traffic.

Defensive Measures

Given the resilience of residential proxy networks, as evidenced by the recent disruption of IPIDEA, organizations must adapt their strategies. Even after significant disruptions, demand for proxies remains high, with other networks quickly filling the gap. Cybersecurity teams should prioritize behavioral analysis and adapt their defenses accordingly to stay ahead of these evolving tactics.

🔒 Pro insight: The reliance on IP reputation is outdated; organizations must pivot to behavior-based detection to counteract the stealth of residential proxies.

Original article from

BCBleepingComputer· Bill Toulas
Read Full Article

Also covered by

SCSC Media

Residential proxies undermine IP reputation systems, researchers warn

Read Article

Share

Related Pings

MEDIUMThreat Intel

Researchers Roast Cybercriminals to Diminish Their Glamour

Researchers are roasting cybercriminals to diminish their glamor. This humorous approach aims to expose their failures and fracture trust within criminal networks. It's a fresh take on cybersecurity, focusing on education and awareness.

The Register Security·
HIGHThreat Intel

Node.js Maintainers Targeted - Sophisticated Social Engineering Scheme

A coordinated social engineering scheme is targeting Node.js developers, risking the integrity of widely used software packages. This alarming trend highlights the need for vigilance in the open-source community.

Cyber Security News·
HIGHThreat Intel

Transparent Tribe Targets India's Startup Ecosystem - New Threat

Acronis reveals that Transparent Tribe is now targeting India's startup sector, especially cybersecurity firms. This shift raises concerns about espionage and data security risks. Startups must bolster their defenses against these sophisticated attacks.

CyberWire Daily·
HIGHThreat Intel

Gaming Industry - High-Stakes Cybersecurity Threats Explained

Cybercriminals are increasingly targeting the gaming industry, driven by financial transactions and sensitive data. As casinos go digital, understanding these threats is vital for operators to safeguard their assets.

Cyber Security News·
HIGHThreat Intel

China-Linked TA416 Targets European Governments with Phishing

TA416, a China-aligned threat actor, is targeting European governments with sophisticated phishing campaigns using PlugX malware. This poses significant risks to diplomatic security. Stay informed to safeguard your organization.

The Hacker News·
HIGHThreat Intel

Spear-Phishing Campaign Neutralizes MFA for Executives

A new spear-phishing campaign is targeting senior executives, neutralizing MFA protections. This poses serious risks to corporate security. Organizations must enhance their defenses against such sophisticated threats.

SC Media·