How to get precise fraud detection with a proxies and VPN detection tool

Learn how to detect the shadiest VPNs and proxies used for fraudulent activities such as account takeover, account opening fraud, payment fraud, and more.

Mateusz Chrobok

Head of Fraud Intelligence

5 December 2023


7 min read

Based on our Darknet research, VPNs and proxies have become a notorious entry point, being used in over 80% of successful fraudulent attempts. Experienced fraudsters use lesser-known illegal VPN services and proxies that are hard to detect, thus bypassing fraud prevention measures and pulling off account takeovers, account opening fraud, and payment fraud at a large scale.

Here's where our proxy and VPN detection tool steps in to address this loophole. Unlike conventional methods reliant on lists of known VPNs and proxies, this one assesses connections based on behavior, adding AI technology for real-time detection. The outcome is a significant uptick in precision, with the ability to uncover the subtle footprints of fraudulent activities and achieve a low false positive rate.


How fraudsters use VPNs and proxies to defraud your business and users

With shady VPNs and proxies, fraudsters can hide who the IP address belongs to, their true geographic location, and their repeated attempts, allowing them to commit fraud without being caught. Residential proxies, which are particularly popular in this context, are compromised devices owned by 'clean' internet users who are unaware that their device is being used for malicious activities. Fraudsters mask their identities and true locations behind the victim's device, a practice facilitated by professional services offering a vast range of proxies and VPNs for sale.


Differences between various proxy services

Four key types of proxy services are commonly used in fraud.

Datacenter proxies are the most basic type. They are commercially assigned to servers and are not affiliated with any Internet Service Provider (ISP). Because they are often flagged due to high bot likelihood and are typically shared among multiple users, they are at high risk of being blocked.

Residential proxies are assigned by ISPs. They are useful for fraudsters as they mimic human IPs, hence have a lower risk of being flagged.

Static residential proxies are a hybrid between datacenter and residential proxies. These proxies are recommended for tasks that require maintaining long sessions and circumventing captcha or anti-bot systems.

Mobile proxies are provided by mobile service providers. They have a low risk of being blocked because they’re not tied to a single user, as they are dynamically assigned to those within a cell tower's range. 

Fraud use cases involving VPNs and proxies

Fraudsters commonly exploit VPNs and proxies to hide their geolocation while committing various types of fraud. This enables large-scale fraud such as account takeovers, account opening fraud, and payment fraud, as well as more specialized abuse such as web scraping, account farming, price or inventory manipulation, and compliance breaches. Let's take a look at the most prominent ones.


Account takeover

Fraudsters need to mimic the real account holder's behavior close to perfection to avoid being flagged by risk detection software. By closely matching the real user's attributes, such as the IP address, fraudsters gain enough time to explore the newly grabbed account. Why is a shady VPN useful to fraudsters here? Because it can provide an IP from the victim's general area, and it can also hide their tracks.

Account opening fraud

Fraudsters use synthetic IDs, so they need IP addresses that mask their real ones. To create one or multiple accounts that act independently of each other, fraudsters mask their actual IP address to make every account appear as if it was set up by a different individual from a different location. Also, most platforms restrict the number of accounts that can be created per IP address to prevent spamming, so fraudsters need to bypass this limitation by using a different IP address for each account. A hard-to-detect VPN or proxy will do the job.

Payment fraud

This fraudulent step marks the point where the fraudster gains control and is poised to spend the legitimate user's money. To avoid being detected, fraudsters use a VPN connection to 'warm up the shop'. They try to impersonate the victim's behavior as much as possible, not only by keeping consistent shopping patterns but also by using an IP address from the victim's area and a spoofed browser so they can easily blend in.

Online platforms often offer bonuses, promotional offers, and discounts to attract new customers or to keep existing ones engaged. Fraudsters use VPNs and proxies to exploit these offers, a practice often referred to as bonus hunting or promo abuse. By hiding their real identity and location, fraudsters can sign up for the same promotional offers multiple times, breaking the typical 'one-per-customer' rule.

Web scraping 

While there are legitimate reasons for web scraping, such as data analysis and data-driven decision-making, it can also be used with malicious intent. Websites can detect and ban IP addresses that show bot-like behavior, such as rapid, repeated requests. By using a VPN or proxy, a fraudster can easily switch to a different IP address and continue scraping even after a ban. To scrape large amounts of data without being detected, fraudsters distribute their requests across many different IP addresses. This reduces the load on each IP and makes the scraping activity appear more like typical, human-led browsing.

Bot attacks 

To counter bot attacks, websites and apps block suspicious IP addresses. Fraudsters therefore look to replace blocked IP addresses with new ones, continuing the attack uninterrupted and orchestrating distributed bot attacks from many locations at once. Certain VPNs and proxies, especially those with residential IP addresses, can make bot traffic appear to come from human users. This helps the bots bypass security measures implemented to stop them, allowing the attack to proceed undetected.

Bots are also used in credential stuffing attacks, where cybercriminals use stolen or leaked credentials from one site to access accounts on others. With many users reusing passwords across platforms, providing stolen credentials often grants fraudsters full account access.
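
The web scraping and bot attack sections above both turn on the same point: a per-IP limit never fires when requests are spread across rotating addresses. The following is an added example, not code from this article or the vendor's product, that runs a per-IP rule and a per-client rule over the same constructed log; the log format, the `fp-*` fingerprint field and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample log: "epoch_seconds client_ip client_fingerprint path".
# The fingerprint stands for any stable client attribute (e.g. a TLS or
# browser hash); it is an assumption of this example, not a field the page defines.
def build_sample_log():
    lines = []
    # One automated client rotating through 20 proxy IPs, 3 requests per IP.
    for i in range(60):
        lines.append(f"{1000 + i} 198.51.100.{i % 20 + 1} fp-bot /catalog?page={i}")
    # Two ordinary visitors, each on a single IP.
    for i in range(5):
        lines.append(f"{1000 + i * 10} 203.0.113.7 fp-alice /catalog")
        lines.append(f"{1003 + i * 10} 203.0.113.9 fp-bob /cart")
    return sorted(lines, key=lambda line: int(line.split()[0]))

def per_ip_offenders(lines, limit, window):
    """Classic per-IP rate limit: IPs with more than `limit` hits in `window` s."""
    recent, flagged = defaultdict(deque), set()
    for line in lines:
        ts, ip, _fp, _path = line.split()
        q = recent[ip]
        q.append(int(ts))
        while q[0] <= int(ts) - window:   # drop hits that left the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged

def rotating_clients(lines, limit, window, min_ips):
    """Fingerprints with more than `limit` hits in `window` s over >= min_ips IPs.
    Returns {fingerprint: largest number of distinct IPs seen in one window}."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        ts, ip, fp, _path = line.split()
        q = recent[fp]
        q.append((int(ts), ip))
        while q[0][0] <= int(ts) - window:
            q.popleft()
        ips = {addr for _, addr in q}
        if len(q) > limit and len(ips) >= min_ips:
            flagged[fp] = max(flagged.get(fp, 0), len(ips))
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP rule flags:", per_ip_offenders(log, limit=10, window=60))
    print("per-client rule flags:", rotating_clients(log, limit=10, window=60, min_ips=5))
```

A fingerprint can itself be spoofed, so a signal like this is one input to a risk decision rather than a verdict.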

Sneaky VPNs and proxies: an anti-fraud struggle

VPNs, residential proxies, and Tor are network anonymization tools that enable dishonest users to simulate connections from diverse network locations and contexts. The constant changes in service addresses make it difficult to fight fraud using lists of approved or blocked connections alone. Proactive detection methods, like identifying these network anonymization techniques based on behavioral patterns, enable accurate detection of such cases in real time, even those using the latest and unknown anonymization methods.

Fraud prevention companies can detect proxy and VPN connections from well-known VPN providers, such as NordVPN and ExpressVPN, but they often rely on lists of VPN and proxy servers that quickly become outdated as new devices join the network. These companies struggle to recognize new users on new devices behind unknown VPNs or proxies, because they're not familiar with them. Fraud prevention systems are not up to date with the latest VPNs and proxies fraudsters use, allowing these lesser-known services to slip through undetected.

VPN and proxy detection done right

To detect shady VPN or proxy connections, we rely on behavioral analysis rather than static data, and instead of depending solely on outdated lists, we focus on real-time behavior. What does this mean for you? Even if a compromised device was recently added to the proxy server, we can recognize it and stop fraudulent activities occurring on your website and app with the highest precision in a matter of seconds. In essence, you can stay ahead of evolving threats and ensure your platform has a high level of protection against emerging risks, even if they arise from the most recent, previously undetected sources.


VPN and proxy detection is part of a large suite of risks we detect. 

If you'd like to learn more about how we can detect and block fraud on your website and app with the Behavioral VPN tool, contact us, and we'll show you exactly how.

Stop fraudsters before they harm your business


Would you like to learn more about how our risk detection system can help your business effectively stamp out fraud without causing online friction? Let us show you how.
