Bulletproof Proxy Networks: A Growing Threat to Finservs

Threat research reveals a rapidly growing number of infrastructure providers have extended anonymity and availability concepts to the delivery infrastructure required to launch automated bot attacks including against financial services.

The report “Bulletproof Proxies: The Evolving Cybercriminal Infrastructure,” from the prime threat research team at Sunnyvale, Calif.-based Cequence Security, which delivers automated software solutions to protect the web, mobile, and API services, focuses on vulnerabilities of bulletproof hosting.

Bulletproof hosting, a service offered by some domain hosting or web hosting companies, operations are similar to regular web hosting, however the services are more lenient and permit extensive flexibility to clients in the types of content they can upload and distribute.

Among the key findings in the inaugural research report:

• The use of bulletproof proxy networks to target Cequence financial services and retail customer environments increased 518% and 800% respectively between May 2019 and July 2019.
• More than 70% of the attack traffic across bulletproof proxy networks targeted mobile application endpoints. In the financial sector, roughly 79% of the attacks targeted mobile endpoints, while 19.5% spoofed web browsers (predominantly Chrome) and the remaining 1.5% used command-line tools.
• The least expensive bulletproof proxy package ($75 per month), allowed the CQ Prime team to send requests through more than 853,000 IP addresses distributed across 218 different countries. “This represents nearly 10% of their advertised network of 10 million rotating residential IP addresses. Some of the most robust providers advertise networks larger than 32 million proxies.”

“Infrastructure is a necessary component of any cyberattack campaign, and as such many cybercriminal entrepreneurs are trending towards a new type of service for attackers, which we are calling “Bulletproof Proxy,” CQ researchers said in its report. “Bulletproof proxies have taken the concepts of anonymity and availability found in bulletproof hosting and extended them to the delivery infrastructure required to launch automated bot attacks against public facing applications.”

The investigators reported attackers utilize seemingly legitimate transactions to commit automated fraud (e.g., account takeovers, credential stuffing, fake account creation, social media reputation bots, and content scraping) where scale, availability and hiding in plain sight among normal users are critical success factors.

Cequence explained the term bulletproof proxy extends from a concept well known in the security and threat research universe (but not commonly known generally): bulletproof hosting. “Bulletproof hosting services are primarily used by spammers, scammers and other bad actors to host malware, operate C2 channels (command-and-control servers), launch large scale email spam campaigns, host phishing sites, and more.”

The report added: “Bulletproof Proxies are the natural evolution of criminal infrastructure to match modern trends in both cybercriminal attacks and legitimate use of the internet. With the explosion of the app ecosystem and an internet where one seems to ‘have an account for everything,’ cybercriminals can live off this new land, with new kinds of attacks (some of which are not even strictly illegal), supported by a different kind of criminal infrastructure that matches their demands of scale and the ability to blend in with legitimate users of a service.”

Cequence noted the analysis would not be complete without an exploration on why these networks matter in the real world. “While many of the uses (both legitimate and not) for these networks can appear innocuous at first glance, this infrastructure is ripe for abuse, and defenders need to think about possible future implications of allowing these networks to grow undetected.”