Man
Let's be honest: most often, cyberspace anonymization services and tools are used to hide any illegal or immoral actions, as well as access to blocked resources. IP masking and residential proxy servers are exactly the tools that allow you to hide your online activity.
It is believed that they are used mainly by various types of Internet fraudsters, including those who engage in advertising fraud. In fact, these tools are used by everyone: both beginners and advanced users. And each of them has their own goals.
Contents
1. What is IP masking?
2. Why do users need this?
3. Why do bots and attackers mask their IP?
4. How bots and scammers mask IP addresses
4.1 Residential proxy servers
4.2 VPN (Virtual Private Networks)
4.3 Botnets
4.4 TOR and browsers for anonymization
5. Why IP masking still exists
6. Why do people seek anonymity online?
7. Sneaker proxy
8. How to identify traffic with IP masking
8.1 Analyze sources
8.2 Consider the different markers
8.3 Examine IP packet headers
8.4 Be aware of distorted data
8.5 Use a comprehensive cybersecurity system for advertising or a website
9. Not by IP blocking alone
What is IP Masking
An IP address is a unique address that identifies a device on the Internet. Masking allows you to hide it or replace it with another one. This allows users to remain anonymous on the network, hide their real location and not have their browsing and Internet activities recorded for their device.
Why do users need this?
There are many compelling reasons to mask your addresses, primarily to preserve privacy and anonymity. It allows you to:
- hide your physical address;
- protect against the collection of personal data;
- block attempts by providers to track users' online activity;
- keep your search history safe;
- block malicious and intrusive advertising;
- bypass censorship and geo-blocking to access content that is restricted or copyrighted in certain countries.
Everyone has their own reason for hiding their online activities.
For example, the Russian audience of the social network Instagram* (owned by Meta, which is banned in the Russian Federation) at the time of blocking in the country on March 14, 2022, was 39 million daily users. After the blocking, this number decreased slightly - to 34 million. Considering that access to the resource is limited, it is easy to guess that they use special anonymizers and other similar programs to enter the social network.
Why do bots and attackers mask their IP?
Fraudsters abuse IP masking to hide illegal activity such as ad fraud, online form hacking, and web crawling. They use bots that imitate human behavior, substitute their addresses, and avoid security checks.
Click farms and botnets are the main sources of this traffic, so attackers add masking to hide that the clicks come from a single source. In addition, cybercriminals can use this technology to bypass IP blocking or security filters to carry out DDoS attacks on sites and servers.
How Bots and Scammers Mask IP Addresses
Attackers can use various techniques to mask their IP. Below we list the most common ones:
Residential proxy servers
These proxies use real IP addresses assigned by ISPs, with real locations. Fraudsters route their traffic through these servers to hide the visits and clicks performed by bots and pass off the traffic as real.
VPN (Virtual Private Networks)
The task of such networks is to create a virtual location with a new, unique IP address, and a new one is created with each connection. For example, today your location may be Holland, and tomorrow France. This is achieved through a global server network.
Attackers often install VPNs on click farms or botnets to mass click ads. The cybersecurity service BotFAQtor analyzes thousands of clicks and, according to the collected statistics, about a quarter of the clicks use location obfuscation.
Botnets
Fraudsters can control random devices located in different parts of the world, infect them with malware, and then use them to generate traffic to hide their location and depersonalize themselves. Since the traffic comes from the IP addresses of private users' devices, it does not arouse suspicion.
This is why such fraudulent activity is quite difficult to detect and block. In addition, even if you block one of these IP addresses, the attackers will simply replace it with one of the thousands of others in their pool.
TOR and browsers for anonymization
TOR is a free network for anonymous communication. It hides the user's real IP address through relay nodes. Each node will only know the addresses that come before and after it, i.e. the transmitting and receiving nodes. Even if the traffic is intercepted, data analysis will not help determine the source IP address.
Why IP Masking Still Exists
Why can't ISPs and major advertising platforms handle fraudulent traffic on their own? It's simple: they won't be able to fully investigate such activity. The reality is that in some parts of the world, online anonymity is a luxury, but in others, it can be a necessity.
Why People Seek Anonymity Online
Consider the anti-white paper protests in China in November 2022. The central government in Beijing banned student protesters from spreading their message online. So, to get their message out to a wider audience, the students got smarter: they used online anonymization services, including IP masking and proxy servers.
Or consider the recent events in Iran, where locals took to the streets to protest the death of a young woman at the hands of religious authorities. The Iranian government tightly controls information entering or leaving the country. News of this standoff would have been suppressed if it weren’t for the ability to remain anonymous online and share what’s happening with the rest of the world.
Take Ukraine, for example, where a system has been in operation since March of this year that collects personal data of visitors to prohibited websites. Information about visitors to such resources — time of visit, IP address, etc. — is immediately transferred to law enforcement agencies automatically.
We wrote above about the blocking of social networks Instagram and Facebook in Russia and its audience.
You see, while these technologies can be used for fraudulent purposes, they have very good purposes (political intrigue aside). That's why this technology is so widespread and why major ISPs are limited in what they can do.
Important. Proxy servers are expensive. There are no free anonymization and masking services. Any user who downloads and uses a VPN client "for free", when it is launched, opens access to their network and their IP to another such anonymous user or even to an attacker who directs traffic for click fraud attacks.
Local proxy servers are just one way users can hide their identity online. Even with ISPs helping to solve this issue, there will still be other significant vulnerabilities that they cannot address. The only more effective way is to personally monitor traffic and use special cybersecurity services such as Botfaqtor.
Sneaker proxy
Sneaker proxies have recently become popular among sneaker lovers. These are specialized proxy servers used by fans of sneakers from popular brands such as Nike or Adidas.
During the launch of limited collections, brands set a rule: no more than one pair per person (one IP). This is how they try to prevent mass buying of goods by one user.
We wrote earlier about how scammers use grinch bots to buy up such goods and then speculate on them.
The acquisition of exclusive, high-demand products has led to a number of complex and creative solutions. Unfortunately, such ingenuity has turned ordinary Internet users into masters of anonymity. And these methods can now be used for malicious purposes.
How to identify traffic with IP masking
IP masking for ad fraud is a headache for marketers, as it allows fraudsters to hide invalid clicks from click farms and botnets. Fraudsters even go so far as to intentionally generate traffic from regions with higher click costs to increase their payouts.
Here are some tips on how to identify masked IP traffic:
Analyze sources
The first step in combating fraudulent IP masking is to check the domains of the traffic sources. If the statistics for site visits or advertising campaign clicks show a wide geography of visits, it is likely that you have become a victim of fraudsters. You can analyze your server logs to identify and block suspicious IP addresses.
Consider the different markers
When blocking users, you should not consider only the IP address, because blocking on IP alone can mistakenly block valid traffic. After all, attackers can use botnets or frequently change IP addresses when carrying out attacks. To identify fraudulent visits, it is necessary to analyze other markers, including device ID, browser type, and behavioral patterns.
Examine IP packet headers
It is advisable to examine packet headers, which contain information about the content, origin, and purpose of the traffic, for suspicious data. This will allow you to examine the technical aspect more closely and find supporting information, such as the browser type or version, the device's operating system, etc.
For example, if you see multiple visits from the same IP address in your advertising statistics, but from different devices and browsers, then the attack is most likely coming from a proxy server. You will then be able to analyze visits from all users from this IP address and collect clear signs of invalid traffic.
Be aware of distorted data
Analyze how deeply users who visit your site depersonalize themselves. In addition to changing IP, attackers also falsify other data. This information will allow you to distinguish them from those users who simply use VPN to bypass blocking.
For example, if you see that the visit was made from a mobile device, but the packet header shows the presence of browser extensions (and they should not be on mobile devices), then you can legitimately conclude that this click is fraudulent.
Use a comprehensive cybersecurity system for your ads or website
If the above tips do not work for you, or you lack the knowledge, experience and time, seek help from specialized services for blocking malicious and fraudulent traffic. For companies that take the security of their advertising campaigns and resources seriously, a comprehensive cybersecurity platform will help automatically detect and block inappropriate traffic and provide additional information on marketing analytics.
Not by IP blocking alone
Time will tell how these skills will be adapted beyond the sneaker-proxy environment. A new generation of internet users has already begun to change the way we view our physical landscape with new perspectives.
Can Gen Z and millennials help us find new and creative ways to use proxy technology? No doubt about it.
In the meantime, advertisers and resource owners need to look for effective ways and means to combat fraudulent traffic. Technology and creativity create a relationship of innovations that can be used for both useful and harmful purposes.
If we rely on average and old solutions that cannot accurately distinguish real traffic from bot traffic, block users only by one IP address, then we risk losing potential users and possible benefits. More sophisticated solutions are needed that will eliminate fake traffic.
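The checks from "How to identify traffic with IP masking" (many devices behind one IP, one device seen from changing locations, mobile visits that report browser extensions) combined into one pass over a click log. This is an added example, not part of the original post or of any vendor's product. The column names, the thresholds and the client-reported `extensions` count are assumptions for illustration, and the sample rows are constructed.

```python
import csv
from collections import defaultdict

# Constructed click log. Column names are hypothetical; "extensions" is assumed to be
# a count reported by a client-side collector. IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
ip,device_id,browser,mobile,country,extensions
203.0.113.7,d1,Chrome/Windows,0,NL,2
203.0.113.7,d2,Firefox/Linux,0,NL,0
203.0.113.7,d3,Safari/iOS,1,NL,0
203.0.113.7,d4,Chrome/Android,1,NL,3
198.51.100.20,d5,Chrome/Android,1,FR,1
198.51.100.21,d6,Safari/macOS,0,DE,0
192.0.2.10,d7,Chrome/Windows,0,US,0
192.0.2.11,d7,Chrome/Windows,0,BR,0
192.0.2.12,d7,Chrome/Windows,0,IN,0
"""

def parse(text):
    return [dict(r, mobile=r["mobile"] == "1", extensions=int(r["extensions"]))
            for r in csv.DictReader(text.splitlines())]

def flag_clicks(clicks, max_fp_per_ip=3, max_countries_per_device=2):
    """Return {row index: [markers]} for clicks that trip at least one marker."""
    fps_by_ip = defaultdict(set)       # IP -> distinct (device, browser) pairs
    geo_by_device = defaultdict(set)   # device -> distinct countries seen
    for c in clicks:
        fps_by_ip[c["ip"]].add((c["device_id"], c["browser"]))
        geo_by_device[c["device_id"]].add(c["country"])
    flagged = {}
    for i, c in enumerate(clicks):
        markers = []
        if len(fps_by_ip[c["ip"]]) > max_fp_per_ip:
            markers.append("shared_ip")               # many devices behind one IP
        if len(geo_by_device[c["device_id"]]) > max_countries_per_device:
            markers.append("rotating_location")       # one device, changing IPs
        if c["mobile"] and c["extensions"] > 0:
            markers.append("mobile_with_extensions")  # distorted client data
        if markers:
            flagged[i] = markers
    return flagged

def verdict(markers):
    # One marker alone (e.g. an office or carrier address) is only a review signal.
    return "block" if len(markers) >= 2 else "review"

if __name__ == "__main__":
    for i, markers in flag_clicks(parse(SAMPLE_LOG)).items():
        print(i, verdict(markers), markers)
```

Only the fourth row trips two markers and is blocked; the other flagged rows are left for review, which keeps a single shared address from blocking valid visitors.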