How carders use residential proxies to bypass GeoIP?

[Mutt]

For educational purposes, I will provide a detailed explanation of how carders use residential proxies to bypass GeoIP restrictions, how these proxies impersonate legitimate IP addresses, and the methods anti-fraud systems use to detect them, including ASN analysis, behavioral patterns, and Device Fingerprinting. I will also add context around carding to show how these technologies are used in fraudulent activity and explain why this is a problem for online security. However, I will emphasize that the information is provided solely for understanding the protection mechanisms.

What is carding and why are residential proxies important for it?​

Carding is a type of fraud in which criminals (carders) use stolen credit or debit card details to make unauthorized transactions, such as purchasing goods, withdrawing funds, or creating fake accounts. The main goal of the carder is to hide their real identity and location in order to avoid detection and blocking by payment systems, online stores, and law enforcement agencies.

Residential proxies play a key role in carding, as they allow you to disguise your real IP address as the IP address of a legitimate user, making the carder's actions look like those of a regular client. This is especially important for bypassing GeoIP restrictions, which are used to verify that the user's location matches the card data or other criteria.

What are residential proxies?​

Residential proxies are proxy servers that use IP addresses allocated by Internet service providers (ISPs) to real users, such as home Wi-Fi owners, mobile devices, or other connected devices. These IP addresses are associated with real physical devices, rather than server infrastructures, as is the case with data center proxies.

How do residential proxies work?​

1. IP Pooling: Proxy providers collect IP addresses from users who voluntarily (often for a small fee) provide access to their devices through special software or applications (such as "traffic money" apps).
2. Traffic redirection: When a carder uses a residential proxy, its internet traffic is redirected through one of the devices in the pool. External systems (such as the store's website) see the IP address of this device, not the carder.
3. Geographical flexibility: Residential proxies allow you to choose IP addresses from specific countries, regions, or even cities, making them ideal for bypassing geographic restrictions.

Why are Residential Proxies Popular Among Carders?​

• Authenticity: IP addresses appear to belong to real users, making them less likely to be blocked.
• Scalability: Access to millions of IP addresses allows carders to quickly change addresses while avoiding detection.
• Bypassing filters: Unlike data center proxies, which are easily identified due to their affiliation with server networks, residential proxies are more difficult to distinguish from regular user traffic.

How do carders use residential proxies to bypass GeoIP?​

GeoIP is a technology that matches an IP address with a geographic location (country, region, city). Payment systems and online stores use GeoIP to check whether the user's location matches map data or other parameters (e.g., shipping address). Carders use residential proxies to bypass these checks as follows:

1. Location camouflage:
   • If a carder uses a stolen US-issued card but is located in Eastern Europe, for example, they can use a residential proxy with an IP address from the US. This creates the illusion that the transaction is being made from the same country where the card was issued, reducing the likelihood of suspicion.
   • Example: A carder from Russia purchases goods from an American online store using a residential proxy with an IP from California to match the card data.
2. Creating multiple accounts:
   • Carders often create hundreds of fake accounts on platforms (e.g. Amazon, PayPal) to test cards or launder funds. Residential proxies allow each account to have a unique IP address, making it less likely that they will be linked to each other.
3. Testing cards:
   • Carders often check the validity of stolen cards by making small transactions (e.g., a $1 purchase). Using residential proxies allows these attempts to be distributed across different IP addresses to avoid being blocked for suspicious activity.
4. Bypassing blacklists:
   • If the carder's IP address is blacklisted by a store or payment system, he can instantly switch to another IP from the pool of residential proxies, continuing his activities.

How do residential proxies impersonate legitimate IPs?​

Residential proxies simulate legitimate IP addresses by using the following characteristics:

1. ISP Affiliation:
   • Residential proxy IP addresses are allocated by ISPs that serve real users (e.g. Comcast, Verizon, Vodafone), making them indistinguishable from IP addresses used by regular customers.
2. Geographic accuracy:
   • Proxy providers provide IP addresses that are tied to specific regions. For example, a carder might choose an IP from New York to match the cardholder's address.
3. Dynamic IP:
   • Many residential proxies use dynamic IP addresses that change regularly (for example, when the router is rebooted or the mobile connection is changed). This makes their behavior similar to that of real users.
4. No obvious signs of servers:
   • Unlike data center proxies, which often have identifying markers (such as being from AWS or other cloud providers), residential proxies do not have such markers, making them difficult to identify.

How do antifraud systems detect residential proxies?​

Despite the difficulty of detecting residential proxies, modern antifraud systems use a comprehensive approach to identify them. Here are the main methods:

1. ASN (Autonomous System Number) Analysis​

• What is ASN? ASN is a unique identifier of an autonomous system (network) that manages a group of IP addresses. Each ISP or proxy provider has its own ASN.
• How is it used? Anti-fraud systems check the ASN of an IP address to determine whether it belongs to a provider associated with residential proxies. Some proxy pools use a limited number of networks, and if IP addresses from a certain ASN often appear in fraudulent operations, they are marked as suspicious.
• Example: If multiple transactions from IP addresses belonging to the same ASN exhibit anomalous behavior (e.g. card testing), the system may suspect the use of residential proxies.
• Limitations: Some large ISPs (eg AT&T) serve both real users and proxy pools, making it difficult to determine exactly.

2. Analysis of behavioral patterns​

Anti-fraud systems monitor user behavior to identify anomalies that may indicate proxy use. Key signs:

• Transaction frequency and volume:
  • Carders often make many small transactions or test cards at high frequency. If one IP address generates an unusually large number of requests, this raises suspicion.
  • Example: If dozens of payment attempts are made from one IP address within an hour using different cards, this may be a sign of carding.
• Data inconsistency:
  • Anti-fraud systems compare GeoIP data with other parameters, such as browser language, time zone or delivery address. If the IP is from the USA, but the browser is set to Russian or the time zone is set to Asia, this raises alarm.
• IP change speed:
  • Carders often change IP addresses to avoid being blocked. If the system notices that the user switches between IP addresses from different regions in a short time (for example, USA → Germany → Brazil in 10 minutes), this indicates the use of a proxy.
• Navigation patterns:
  • Carders can use automated scripts to create accounts or make purchases in bulk. Anti-fraud systems analyze click times, page scrolling, and other actions to distinguish between a human and a bot.

3. Device Fingerprinting​

Device Fingerprinting is a technology that collects unique characteristics of a user's device and browser to create a "digital fingerprint". This helps to identify proxy usage even when IP addresses change. Key parameters:

• Device specifications:
  • Operating system (e.g. Windows 10, macOS).
  • Browser version (eg Chrome 120).
  • Screen resolution, fonts, installed plugins, WebGL settings.
• Network parameters:
  • Time zone, system language, WebRTC settings.
  • Network connection latency, which may indicate the use of a proxy.
• How does this work?
  • If multiple transactions from different IP addresses have the same digital fingerprint (e.g. same browser version, screen resolution and settings), this indicates that a proxy is being used by a single device.
  • Example: A carder uses residential proxies to create 10 accounts on a website. All accounts have different IPs but the same device fingerprint (e.g. Chrome 120 on Windows 10 with a resolution of 1920x1080). The anti-fraud system notices this and blocks the accounts.
• WebRTC and data leaks:
  • WebRTC (a technology for transmitting data in real time) can reveal the user's real IP address, even if a proxy is used. Anti-fraud systems check whether WebRTC is enabled and compare its data with the proxy's IP address.

4. Additional detection methods​

• Proxy databases:
  • Anti-fraud companies (e.g. MaxMind, IP2Location) maintain databases of IP addresses associated with residential proxies. These databases are updated based on the analysis of fraudulent activity.
  • If an IP address appears in such a database, it is marked as potentially suspicious.
• Machine Learning and AI:
  • Machine learning algorithms analyze huge amounts of data (IP addresses, behavior, device fingerprints) to identify complex fraud patterns. For example, the system might notice that a certain IP address is being used to test cards on multiple sites.
• TLS/SSL verification:
  • Anti-fraud systems analyze TLS handshakes (e.g. cipher order or certificates) to detect proxy or VPN-related anomalies.
• HTTP Headers Analysis:
  • Proxies can leave traces in HTTP headers (for example, "X-Forwarded-For"). Anti-fraud systems check these headers for inconsistencies.

Why are residential proxies harder to detect?​

1. IP pool scale:
   • Proxy providers offer millions of IP addresses, making them almost impossible to block. For example, services like Luminati (Bright Data) or Oxylabs have access to tens of millions of IPs.
2. Real devices:
   • Since the IP addresses belong to real devices, they do not have the obvious attributes of servers like data center proxies.
3. Dynamic IP change:
   • Carders can change IP addresses every few minutes, making them difficult to track.
4. Difficulty of identification:
   • Even if an IP address is marked as suspicious, blocking a residential IP may affect real users, which makes anti-fraud systems cautious.

How do carders adapt to anti-fraud systems?​

Carders are constantly improving their methods to bypass anti-fraud systems:

1. Using "clean" proxies:
   • Carders buy access to new or rarely used residential proxies that have not yet been blacklisted.
2. Imitation of behavior:
   • Carders use scripts that simulate the behavior of a real user (for example, random clicks, page scrolling, delays between actions).
3. Changing device fingerprints:
   • Tools for counterfeiting digital fingerprints are used, such as changing browser parameters (User-Agent, fonts, screen resolution) through emulators or anti-detection browsers (for example, Multilogin, AntiDetect).
4. Mobile proxies:
   • Mobile residential proxies (IPs from mobile operators) are considered even more difficult to detect, as they change frequently and belong to real devices.

How are antifraud systems being improved?​

1. Multivariate analysis:
   • Combining GeoIP, ASN, behavioral data and digital fingerprints to create more accurate fraud models.
2. AI and Machine Learning:
   • AI algorithms are trained on huge amounts of data to detect even complex patterns, such as the use of new proxy pools.
3. Real time:
   • Anti-fraud systems analyze transactions in real time, allowing you to instantly block suspicious actions.
4. Cooperation:
   • Companies share data on fraudulent activity (e.g. through IP databases or platforms like FraudNet), which helps identify proxies faster.

Conclusion​

Residential proxies are a powerful tool for carders to bypass GeoIP restrictions and disguise fraudulent activity as legitimate users. They use real IP addresses allocated by ISPs, making them difficult to detect. However, anti-fraud systems are improving, using ASN analysis, behavioral patterns, Device Fingerprinting and other methods to detect suspicious activity. Carders, in turn, are adapting, using new proxies, anti-detect browsers and complex schemes.

For educational purposes, it is important to understand how these technologies work in order to develop more effective protection measures. Online stores and payment systems should invest in modern anti-fraud solutions, including AI and multi-factor analysis, to minimize the risk of fraud. At the same time, users should be aware of the risks of providing their IP addresses to proxy pools, as this can facilitate illegal activity.

If you have any additional questions or want to go deeper into any aspect (for example, specific anti-fraud systems or carder methods), let me know!