How are these scammers operating from valid IPs?

Question

Lately, my website has had a lot of fraudsters signing up and getting past my security checks.

I use vpnapi.io and stopforumspam.com to vet new registrations but all of the IPs this scammer is using are coming back clean - no VPN, not a Tor exit node, no services detected.

Here's an example of all the IPs the latest scammer used:

https://whatismyipaddress.com/ip/71.205.140.174 - Comcast residential?
https://whatismyipaddress.com/ip/136.228.92.21
https://whatismyipaddress.com/ip/172.58.63.14 - T-Mobile USA, mobile?

Any idea how this scammer is relaying through these IPs? Some sort of dark Tor network or zombie net?

Every once in a while they will slip up and use their real IP in Nigeria.

Really frustrating, my users have been scammed for hundreds of dollars already.

It looks like ipdata.co might be useful, but it's not detecting any services at these addresses either.

In short: residential proxy services. See also How many IP addresses can a user have?, Why are I and other users of my ISP being used as a proxy server?, How to create a proxy so that no website or web service can know that I am connecting through a proxy? — Steffen Ullrich, Aug 02 '23 at 20:05
Surely one of the three IP quality services I'm checking would flag that IP as a proxy. It seems very unlikely that this scammer would be setting up a proxy server on dozens of different residential IPs and mobile devices, which is why I'm asking if they are purchasing a darknet service. — Skye, Aug 02 '23 at 20:16
What makes you think so? These residential proxy services are specifically designed to bypass detection. It's basically a normal browser traffic coming from a residential IP address, no different then normal innocent traffic from such an IP address. And it is not that the scammer is setting up this traffic - it simply buys the service from someone else. Please read the actual questions and answers I've linked to. — Steffen Ullrich, Aug 02 '23 at 20:18
As for ipdata.co - it might be worth reading what they write about detecting proxies and also what they don't write - https://ipdata.co/blog/what-are-proxies-and-how-can-we-detect-them/. Note at the end they write: "Due to the difficulty in reliably detecting proxies, it’s usually not worth spending much time trying to block proxies. However, some proxies will be caught ...". And they specifically don't mention residential proxies - since these are the hardest one to reliably detect because they blend in with harmless traffic and so are easy to either miss or overblock. — Steffen Ullrich, Aug 02 '23 at 20:29

How are these scammers operating from valid IPs?

0 Answers0