Residential proxies are available by the millions and have become popular with fraudsters. Why?
Proxies, and more specifically residential backconnect proxies, are popular with fraudsters. Why?
Fraudsters use them to hide their own IP address: proxies are cheap, widely available and an easy way to avoid being blacklisted. And who's the victim? The real home user whose residential IP address gets blocked and who can't buy something for a while; brands believing that an influencer has millions of real followers; companies paying for generated leads that are fake, for clicks that are fake, for attribution that is fake, and so on.
Why do fraudsters love mobile and residential proxies, and backconnect proxies in particular? Once you understand this, you'll see that these proxies are the logical answer to IP blacklisting and reputation scores, which, by the way, aren't very effective anyway.
How does it work?
In a normal situation someone accesses the Internet through their own ISP (Internet Service Provider). That is the digital route over which all their email, browser and installed apps communicate with the Internet. To talk to external servers and other devices these applications use your public IP address, which can be either fixed or dynamic. That address belongs to a block of IP addresses assigned to your ISP.
Proxy servers
If you want to access geo-restricted content, you're stuck! Luckily technology provides a solution: a proxy or a VPN; this article focuses on proxies. A proxy is a server that sits between you and the destination you want to reach. From the destination's point of view the traffic originates from the proxy's IP address. This lets someone in country A access content in country B that is normally not available in country A.
When using a proxy you can go for data center proxies, which offer high performance and high throughput and are relatively cheap. But the IP addresses of proxy servers in a data center belong to... a data center, which is suspicious and easily flagged: the address ranges of hosting providers are public knowledge (WHOIS and routing data) and trivial to classify. That's why more and more fraudsters use residential proxies, even though these are much more expensive. As long as the fraud still pays, it's worth it to them.
Residential proxy servers
Residential proxies, as the name indicates, are devices on residential Internet connections, so their traffic looks like normal residential traffic. So where do these residential proxies come from? They are, for example, embedded in apps you have installed on your mobile phone. Wait... what? Embedded? Yup: app creators who want to earn an extra buck integrate the SDK (software development kit) of one of the large proxy providers in their app.
The SDK in the app lets others use the idle bandwidth of your Internet connection. The app creator gets compensated per monthly active user, and the proxy provider charges its clients per gigabyte of traffic routed through those devices. And the end user who installed the app? They have to explicitly opt in to one of two options: keep the ads in the app and don't let the app share the device's bandwidth, or get the app ad-free and in return let the device's idle bandwidth be used by others.
This explains why residential proxy providers claim to have pools of millions of IP addresses. And it reconfirms once more: if an app is free and has no ads, you're the product!
Legitimate reasons for residential and mobile proxies
Residential and mobile proxies can be used for legitimate purposes: checking whether your ads are shown in the targeted geographic location, SEO monitoring, accessing geo-restricted content, and many more.
Why fraudsters love to use residential or mobile proxies
Fraudsters use this type of proxy to look like normal Internet users, which lets them blend in perfectly with legitimate traffic. And because of the enormous number of available IP addresses, fraudsters can rotate their IP address continuously.
What can be done about this? IP reputation lists?
To detect proxies (and also VPN servers) some companies run port scans [1] across the Internet, looking for IP addresses that listen on the default ports used by these services. That gives an overview of where proxies are located. But this only works for proxy servers that listen for incoming connections, not for backconnect proxies; more on those later.
When a mobile device is not connected to WiFi, it uses the 4G or 5G network of your mobile operator. All mobile traffic is then routed to and from the Internet through the operator's gateway (carrier-grade NAT), and one such gateway address is shared by thousands of mobile users. So if you blacklist or lower the reputation of these IP addresses, you affect thousands of legitimate mobile users. Adding these to a reputation list isn't a good idea.
Another way to build an IP address reputation list is to centrally register IP addresses associated with fraud. Once fraud has been reported the address's reputation goes down, and if many organizations contribute you get an overview of where fraud originates from. Unfortunately, if you are a high-value target you're first in line, and with millions and millions of available IP addresses such a list only protects against the idiot who uses his own IP address over and over again. Again, not such a great idea.
Backconnect proxies
Then there is the backconnect proxy, which works differently. See also the illustration below. The device running the SDK first opens an outbound connection to the provider's data center (B), and the data center uses that connection to route traffic: a client device like (1) sends its request to the data center (A), which forwards it to the Internet through (B) and finally through the proxy at (3). This also means the device only acts as a proxy while the app is connected to the data center (2). To the outside world these proxies don't show up in regular port scans, because the devices are not listening for incoming connections; every connection is opened from the device outward.
This is great for fraudsters. With an infrastructure like this they can rotate to a different proxy for every visit. They have millions of installed apps, ehmmm proxies, and thus IP addresses, at their disposal, and if they pay a premium rate the risk of getting blacklisted is very low. Business continuity FTW!
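To make the flow above concrete, here is an added loopback model of a backconnect proxy (example code written for this article, not the illustrated provider's software). Three roles run as threads on 127.0.0.1: the destination site, the provider's relay with one listening port for paying clients and another for agents, and an agent standing in for the SDK inside the phone app. The agent only dials out to the relay and never calls listen(); the relay pairs a client request with that outbound connection, and the destination records who connected to it. The length-prefixed framing and the names (`relay`, `agent`, `run_demo`) are assumptions made for the example, not a real provider protocol.

```python
"""Loopback model of a backconnect (reverse-connect) residential proxy.

Roles, all on 127.0.0.1 so the demo runs offline:
  destination - the website being visited; records who connected to it
  relay       - the proxy provider's data center; has TWO listening ports,
                one for paying clients and one for the agents (app SDKs)
  agent       - the SDK inside a phone app; makes an OUTBOUND connection to
                the relay and never calls bind()/listen()
The toy framing (4-byte length prefix) is an assumption for the example.
"""
import socket
import struct
import threading

HOST = "127.0.0.1"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def send_frame(sock, data):
    """Toy framing: big-endian 4-byte length, then the payload."""
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_frame(sock):
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, length)


def _listen():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))  # port 0: let the OS pick a free port
    srv.listen()
    return srv


def destination(srv, record):
    """The visited site: answers one request and notes who connected."""
    conn, peer = srv.accept()
    with conn:
        request = recv_frame(conn)
        record["peer"] = peer  # this is the agent's address, never the client's
        send_frame(conn, b"hello " + request)


def agent(relay_agent_port, record):
    """App SDK on the phone: one outbound connection to the relay, nothing listening."""
    with socket.create_connection((HOST, relay_agent_port)) as up:
        job = recv_frame(up)  # "destport|payload" handed down by the relay
        port, payload = job.split(b"|", 1)
        with socket.create_connection((HOST, int(port))) as out:
            record["outbound"] = out.getsockname()  # what the destination will see
            send_frame(out, payload)
            send_frame(up, recv_frame(out))  # carry the reply back to the relay


def relay(client_srv, agent_srv):
    """Provider's data center: pairs one client request with one dialed-in agent."""
    agent_conn, _ = agent_srv.accept()  # agent dials in first and stays connected
    client_conn, _ = client_srv.accept()
    with agent_conn, client_conn:
        send_frame(agent_conn, recv_frame(client_conn))
        send_frame(client_conn, recv_frame(agent_conn))


def run_demo():
    dest_srv, client_srv, agent_srv = _listen(), _listen(), _listen()
    dest_port = dest_srv.getsockname()[1]
    seen, agent_rec = {}, {}
    threads = [
        threading.Thread(target=destination, args=(dest_srv, seen)),
        threading.Thread(target=relay, args=(client_srv, agent_srv)),
        threading.Thread(target=agent, args=(agent_srv.getsockname()[1], agent_rec)),
    ]
    for t in threads:
        t.start()
    # The paying client (the fraudster) talks only to the relay's client port.
    with socket.create_connection((HOST, client_srv.getsockname()[1])) as c:
        client_addr = c.getsockname()
        send_frame(c, b"%d|fraudster-request" % dest_port)
        reply = recv_frame(c)
    for t in threads:
        t.join(timeout=5)
    for s in (dest_srv, client_srv, agent_srv):
        s.close()
    return {"client": client_addr, "agent_outbound": agent_rec["outbound"],
            "destination_saw": seen["peer"], "reply": reply}


if __name__ == "__main__":
    print(run_demo())
```

Compare `destination_saw` with `agent_outbound` and `client` in the result: the site only ever sees the agent's address, and a port scan of the agent's host finds nothing because the only listening sockets in the whole setup belong to the relay. A real relay keeps thousands of such agent connections open and hands every client request to a different one, which is the rotation described above.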
Any way of detecting backconnect proxies?
Browsers have a feature called WebRTC (Web Real-Time Communications) [2]. WebRTC was introduced in 2013 and lets browsers exchange audio, video and data directly with one another (peer-to-peer). To set up such a connection the browser discovers its own addresses (ICE candidates), and by default that discovery uses UDP/STUN traffic that does not go through the browser's configured proxy, so it reveals your real public IP address. That's not what fraudsters want! So they either spoof or suppress the addresses WebRTC reports, or make sure the UDP traffic for WebRTC also goes through the residential or mobile proxy. Another way to avoid a WebRTC leak is to apply the proxy at the (virtual) machine level instead of in the browser, so that all traffic, including UDP, leaves through the proxy. In other words: amateurs get caught, professionals know how to avoid WebRTC leaks.
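Below is an added Python example (not code from the original article) of the server-side half of such a leak check. The assumed setup is that the page's JavaScript collects the ICE candidate lines an `RTCPeerConnection` produces and posts them to the server; the server then compares the public addresses in those candidates with the address the HTTP request arrived from, which is the proxy exit when a proxy is in use. The candidate lines are constructed to look like browser output and use IETF documentation ranges; the function names are the example's own.

```python
"""Server-side WebRTC leak check: do the ICE candidates a browser reported
contain a public address other than the one the HTTP request came from?"""
import ipaddress
import re

# ICE candidate attribute (RFC 5245/8445 SDP syntax), with or without "a=":
# candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type> ...
CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)(?P<rest>.*)$"
)
RADDR_RE = re.compile(r"\braddr (\S+) rport (\d+)")

# Ranges that can never be a real Internet-facing address. Listed explicitly
# because ipaddress.is_global would also exclude the documentation ranges the
# constructed sample below uses.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",
)]


def parse_candidate(line):
    """Return the candidate's fields as a dict, or None for a non-candidate line."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    cand = m.groupdict()
    raddr = RADDR_RE.search(cand["rest"])
    cand["raddr"] = raddr.group(1) if raddr else None  # related address of srflx/relay
    return cand


def _classify(addr):
    """'public', 'private', or None for mDNS names ('xxxx.local'), 0.0.0.0 and junk."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.is_unspecified:
        return None
    return "private" if any(ip in net for net in NON_PUBLIC) else "public"


def check_webrtc_leak(request_ip, candidate_lines):
    """Compare public candidate addresses with the request's source IP (the proxy exit)."""
    request = ipaddress.ip_address(request_ip)
    public, private = set(), set()
    for line in candidate_lines:
        cand = parse_candidate(line)
        if cand is None:
            continue
        for addr in (cand["address"], cand["raddr"]):
            kind = _classify(addr) if addr else None
            if kind == "public":
                public.add(ipaddress.ip_address(addr))
            elif kind == "private":
                private.add(ipaddress.ip_address(addr))
    # Compare within one address family only: an IPv6 candidate next to an IPv4
    # request address is a dual-stack host, not evidence of a proxy bypass.
    mismatched = {ip for ip in public if ip.version == request.version and ip != request}
    return {
        "request_ip": str(request),
        "public_candidate_ips": sorted(str(ip) for ip in public),
        "private_candidate_ips": sorted(str(ip) for ip in private),
        "leaked": bool(mismatched),
        "leaked_ips": sorted(str(ip) for ip in mismatched),
        # No public candidate at all: WebRTC disabled, UDP blocked, or proxied at
        # machine level. Nothing to compare, so this check alone proves nothing.
        "inconclusive": not public,
    }


# Constructed sample input, not captured from a real browser. The request
# arrived from the proxy exit 198.51.100.42 (documentation range).
PROXY_EXIT_IP = "198.51.100.42"

# Amateur: browser-level proxy only. STUN went out directly, so the srflx
# candidate carries the real public address 203.0.113.7 and a LAN host address.
AMATEUR_CANDIDATES = [
    "candidate:1467250027 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
    "candidate:842163049 1 udp 1677729535 203.0.113.7 51234 typ srflx "
    "raddr 192.168.1.23 rport 51234 generation 0",
]

# Professional: host candidate hidden behind an mDNS name, and the srflx address
# equals the proxy exit because UDP is routed through the proxy as well.
PROFESSIONAL_CANDIDATES = [
    "a=candidate:3012 1 udp 2122260223 6f3a9c1e-2b0d-4f18-a7c4-9e5d1b2c3a40.local "
    "40112 typ host generation 0",
    "a=candidate:7731 1 udp 1677729535 198.51.100.42 40112 typ srflx "
    "raddr 0.0.0.0 rport 0 generation 0",
]

if __name__ == "__main__":
    for label, cands in (("amateur", AMATEUR_CANDIDATES), ("professional", PROFESSIONAL_CANDIDATES)):
        print(label, check_webrtc_leak(PROXY_EXIT_IP, cands))
```

A `leaked` verdict is a strong signal, but treat `inconclusive` as exactly that: a professional who disables WebRTC or proxies the whole machine produces no public candidate, and a legitimate user on a hardened browser looks the same. This is why the check is combined with the fingerprinting discussed in the next article rather than used on its own.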
Anything else?
Yes, sure there is. The technique is called fingerprinting. It will be described in the next article, which covers how fraudsters can be detected by fingerprinting TLS, HTTP and device characteristics, and of course how fraudsters avoid being fingerprinted.