New Phone, Who Dis?: Next Generation Bulletproof Hosting
Anybody who has ever attempted to purchase a limited release item such as tickets to ComicCon, the latest Travis Scott Air Jordan sneakers, or a newly released Apple gadget knows the disappointment of queuing up only to see a webpage showing that the item has been sold out. Online “batters” or buyers who set up automated systems in an attempt to get these limited release items with the intention of reselling them at a high markup are the scourge of online retailers. Like with many unethical, but legal, online activities that annoy legitimate purchasers, these tactics have also been applied in illegal hacking. What makes online retailed botting and illegal hacking possible, is the rise of so-called bulletproof hosting services.
Bulletproof hosting services are given the name because the hosting providers repeatedly ignore abuse claims or requests to take down offending services. Historically, bulletproof hosting services were used to host hacking tools, hacking forums, hate speech forums, child exploitation material, copyright infringement material, or used as a launch point for online attacks. Subscribers operate without impunity since hosters routinely ignore takedown requests. Traditional bulletproof hosting has an inherent weakness that the hosting services own IP address space, which can be easily blocked. If a hosting service does not take down the 4K stream of Marvel’s Avengers Endgame, an ISP can block access to the IP address range of that provider. The blocking and evasion open up a cat-and-mouse game between the bulletproof hosting providers and the parties attempting to take down the sites.
Attackers have gotten shrewder and developed the next generation of bulletproof hosting: using residential and mobile carrier IP addresses to hide their services. Residential and mobile carrier IP address are significantly more valuable because they often rotate frequently between users and ISPs and online retailers are much less likely to ban these IP addresses because a new IP address owner could be prohibited from accessing the site because the previous owner behaved poorly. This phenomenon is familiar to anyone who has received a mystery text from someone trying to reach the former number’s owner. “New phone, who dis?” Residential and mobile IP addresses are particularly useful for phishing, password spraying, retail botting, DDoS attacks, and ad click fraud.
Traditional phishing controls examine the sender’s IP address to check if it belongs to known spammers. If the IP address appears on the list, the message can be blocked or sent to the user’s spam folder. By using residential and mobile-based IP addresses, the pool of IP address is significantly more extensive and spam filters are more hesitant to block e-mail originating from these IP addresses since they could have recently changed ownership. Blocking these addresses would effectively be a detail of service for the new IP address owner. Spam filters would need to rely on something other than source IP for detection and remediation.
Password Spraying / Credential Stuffing
Citrix Systems was walloped by credential stuffing when attackers breached their systems using credential stuffing, where an attacker persistently attempts to log into a system using collected credentials and commonly used passwords until one eventually works. Typically, preventative control systems are put in place to prevent too many incorrect guesses from a single IP address then bans that IP from attempting any more login attempts. User accounts also have a lockout clipping level to lock an account out after a certain number of incorrect login attempts. Utilizing residential and mobile IP address ranges allows attackers to spray multiple login attempts though numerous IP addresses to prevent any automated systems from locking out the account or blocking the IP address. Instead of one thousand attempts coming from one IP address, attackers will perform one attempt from 1000 different IP addresses, effectively making traditional detection methods obsolete.
Retail botting hurts consumers as well as retailers. Consumers are unable to obtain their desired goods at retail price and are forced to pay exorbitant markups on the resale market. Retailers get frustrated by the resale market because customers demand that retailers take additional precautions to prevent botting in the first place. Attackers easily bypass traditional Captcha and better “Are you a human?” controls need to be implemented. Live human detection is also a cat-and-mouse game that requires a separate discussion. Retailers can quickly ban IP addresses belonging to known botters or using automated systems to detect potential abuse and bot activity. However, retailers are much less likely to ban an IP address belonging to a residential or mobile user because these IP addresses are cycled frequently. The retailer has no way of knowing when an IP address has been reassigned to lift the ban. That could potentially lead to lost revenue if a legitimate customer is not able to purchase due to the previous IP address owner’s activities.
Traditional DDoS protection services can act as a shield against potential attacks that attempt to bring a service down. The most basic form of DDoS attack is sending more requests to a resource than it can handle, causing it to crash or drop requests. Security practitioners and DDoS protection services can often see a large number of requests originating from a single IP address or a group of addresses and block or filter traffic from that source. Similar to the credential stuffing problem, generating a little bit of traffic from numerous sources could accomplish the same thing and make shutting it down much more difficult. Traffic originating from datacenter-owned IP addresses are treated differently than traffic from residential or mobile carrier IP addresses. Using a risk scoring system, it would take more risk factors to consider traffic from a residential IP address to be malicious.
Ad / Click Fraud
Click fraud has been around as long as advertisers have been offing to pay. Many, many years ago, I heard about a user in the 90’s who used a service called All Advantage, who would install an ad bar on a computer to get paid for watching advertisements. The service was heavily abused using third-party programs to launch multiple ad bars on the same machine and scripts to mimic user-generated mouse and keyboard activity. The user gets paid for each of the numerous installed ad bars and the company eventually went out of business because that model was just not sustainable. Modern-day click fraud has become much more sophisticated with fraudsters utilizing unique IP addresses to generate fake clicks or registering multiple new accounts. It would be easy for advertisers and Instagram to block access from known bulletproof hosting IP address ranges. However, advertisers and sites like Instagram and Facebook face the same problem as retailers: potentially blocking a legitimate user because an IP address switch has been made. Advertisers and account creation services are much more hesitant to block a residential or mobile carrier IP address, which makes fraud detection much more difficult.
With all of that in mind on how residential and mobile carrier IP space can be abused, it leaves the question of how attackers and abusers get ahold of the IP space in the first place. Some mobile carriers such ass Rogers in Canada offer unlimited 4G plans for around $50 a month. Rogers seems to be more legitimate than most bulletproof hosting services so takedown and shutdown requests would typically be honored. However, mobile carriers often lease IP addresses from third parties and these third parties can be tricked. This attack method was the case of Wireless Data Service Provider Corporation (WDSPC) who leased IP address space to AT&T Wireless and Verizon Wireless. WDSPC was tricked into providing an attacker with tens of thousands of IP addresses marked as mobile carrier IP space. These IP addresses were then sub-leased to attackers to perform all of the aforementioned malicious activities with practical impunity. ResNet was the biggest offender of this IP address abuse but has ceased operations after being doxxed by tech blogger Brian Krebs.
Bulletproof hosting, like most things information security, will be a constant cat-and-mouse game with escalating tensions on both sides as security researchers develop new detection methods and attackers find ways to evade them. The latest evolution in the bulletproof hosting ecosystem is to use residential and mobile carrier IP address space to make it more challenging to track down and block malicious behavior. Utilizing security controls that go beyond simple detection methods such as source IP and use more heuristics-based detection will allow organizations to stay one step ahead of the attackers until they develop effective countermeasures.