MaxMind GeoIP2 in Proxy Detection: Its Role in Anti-Fraud Systems and Carding Protection

Student

Introduction

In the context of carding — the practice of stealing and illegally using credit cards for fraudulent transactions — tools like MaxMind GeoIP2 play a critical role in fraud detection systems. Carding often relies on anonymizing technologies like proxies, VPNs, and private relays (e.g., iCloud Private Relay) to obscure the attacker's true location and bypass geographic restrictions of payment systems. GeoIP2 provides detailed geolocation and IP address metadata, helping to identify such attempts.

This educational overview explains how GeoIP2 works in proxy detection, with a focus on iCloud Private Relay, and why it leads to a higher fraud score (e.g., +20 points). We'll explore the mechanisms, carding examples, and evasion/defense strategies to understand the balance between user privacy and business security. Important: This information is intended solely for educational purposes to raise cybersecurity awareness and does not encourage illegal activity.

What is carding and the role of proxies in it?

Carding is a form of financial fraud in which criminals (carders) use stolen card details (number, CVV, expiration date) for purchases, withdrawals, or validity testing. According to industry reports (such as those from LexisNexis Risk Solutions), carding results in billions of dollars in losses annually, with the highest incidence in e-commerce.

Proxies and anonymizers are key tools for carders:
  • IP Masking: Carders connect through proxies (HTTP/SOCKS), VPNs (NordVPN, ExpressVPN) or relays so that the IP address points to a "safe" location (e.g. the card issuer's country).
  • Geofencing bypass: Payment gateways (Stripe, PayPal) block transactions from "risky" regions; proxies imitate "clean" traffic.
  • Testing (carding checks): Carders test cards with small purchases through a proxy to avoid detection.
  • Example with iCloud Private Relay: Apple's service hides the device's IP behind two relays (an Apple ingress relay plus a partner egress relay), and the traffic arrives from ranges Apple publishes, so it looks "legitimate" to a merchant rather than like a typical VPN. Its limitation for a carder is that the exit is chosen near the device's real location (same city by default, at most the same country and time zone), so it cannot be used to appear in the card issuer's country.

Without proxy detection, such attacks are successful in 20-30% of cases (according to MaxMind reports). GeoIP2 solves this problem by flagging suspicious IPs.

How MaxMind GeoIP2 Detects Proxies: Technical Mechanisms

MaxMind GeoIP2 is the commercial product line (GeoLite2 is its free, less accurate subset), delivered as downloadable databases and as web-service APIs. The geolocation databases are updated twice weekly and the Anonymous IP database more frequently; coverage is nearly all routable IPv4 space and a large share of IPv6. Proxy detection combines the following data:
  1. GeoIP2 Anonymous IP database:
    • Boolean flags per network: is_anonymous (any anonymizer), is_anonymous_vpn (commercial VPNs; MaxMind also applies it to iCloud Private Relay egress ranges), is_public_proxy (open proxies), is_tor_exit_node (Tor exits), is_hosting_provider (data-center space), is_residential_proxy (residential proxy networks).
    • The older is_anonymous_proxy flag is deprecated in favour of the specific flags above; there is no hosting_type attribute.
    • Sources: public proxy and Tor exit lists, partner data, and MaxMind's own network analysis.
  2. ISP and Organization data (GeoIP2 ISP / Enterprise databases):
    • Attributes an IP to its provider: for iCloud Private Relay egress ranges the ISP/organization value is "iCloud Private Relay" (owned by Apple Inc.).
    • ASN (Autonomous System Number): Apple's own space is AS714, but Private Relay egress addresses are frequently announced from partner CDNs (Cloudflare, Akamai, Fastly), so the ASN alone does not identify the relay; Apple's published egress list does.
  3. Web Services (GeoIP2 Insights; minFraud for fraud scoring):
    • Request (HTTP basic auth with your account ID and license key): curl -u "ACCOUNT_ID:LICENSE_KEY" "https://geoip.maxmind.com/geoip/v2.1/insights/8.8.8.8"
    • The traits object in the response carries the anonymizer data:
      • traits.is_anonymous, traits.is_anonymous_vpn, traits.is_public_proxy, traits.is_tor_exit_node, traits.is_hosting_provider, traits.is_residential_proxy: the boolean flags listed above.
      • traits.user_type: the kind of user on the network, e.g. residential, hosting, cellular, business, content_delivery_network.
      • traits.isp, traits.organization, traits.autonomous_system_number: "iCloud Private Relay" and 714 for Apple-announced relay egress.
      • There is no dedicated relay flag; Private Relay is recognised from is_anonymous_vpn together with the ISP/organization name.
    • Geolocation: location.accuracy_radius is large for anonymizer IPs (tens of kilometres or more) because the location is the exit's, not the user's.
  4. Integration with minFraud:
    • Fraud-scoring API that combines the IP data with transaction and behavioural signals (device, email, billing/shipping addresses, velocity).
    • Returns risk_score (0.01 to 99), documented as the estimated likelihood in percent that the transaction is fraudulent rather than an additive tally; the "+N points" figures in this article are approximations of how far the anonymizer signal moves it.
    • ip_address.risk: a separate 0.01 to 99 score for the IP itself (high for anonymizers).

Detection is ~90% accurate for known proxies; residential proxies are harder to catch, and the residential flag carries more false positives (~5%) because the same addresses are shared with legitimate subscribers.
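The two lookups described above (reading the anonymizer flags out of an Insights-style response and recognising a Private Relay egress address) as an added, runnable example. This is not MaxMind's or Apple's code: the JSON responses and the CSV excerpt are constructed samples, the field names follow the GeoIP2 Insights traits object, and the CSV columns follow the layout of Apple's egress-ip-ranges.csv (CIDR, country, region, city) using documentation address space.

```python
"""Added example: classify GeoIP2 anonymizer flags and match an IP against
Apple's published Private Relay egress list. All inputs are constructed."""
import csv
import ipaddress
import json
from io import StringIO

# Constructed sample in the shape of a GeoIP2 Insights response for a
# Private Relay egress address (values illustrative, not real data).
SAMPLE_RELAY = json.loads("""
{
  "traits": {"isp": "iCloud Private Relay", "organization": "Apple Inc.",
             "autonomous_system_number": 714,
             "is_anonymous": true, "is_anonymous_vpn": true,
             "is_public_proxy": false, "is_tor_exit_node": false,
             "is_hosting_provider": false, "is_residential_proxy": false},
  "city": {"names": {"en": "San Francisco"}},
  "country": {"iso_code": "US"},
  "location": {"accuracy_radius": 100}
}""")

# Constructed sample for an ordinary residential subscriber.
SAMPLE_HOME = json.loads("""
{
  "traits": {"isp": "Example Cable Co", "organization": "Example Cable Co",
             "autonomous_system_number": 64496,
             "is_anonymous": false, "user_type": "residential"},
  "city": {"names": {"en": "Buffalo"}},
  "country": {"iso_code": "US"},
  "location": {"accuracy_radius": 5}
}""")

# Real GeoIP2 flag names mapped to the anonymizer categories in the article.
FLAG_CATEGORIES = {
    "is_anonymous_vpn": "vpn",
    "is_public_proxy": "proxy",
    "is_tor_exit_node": "tor",
    "is_hosting_provider": "hosting",
    "is_residential_proxy": "residential_proxy",
}


def anonymizer_categories(traits):
    """Categories whose flag is set; also honours the deprecated
    is_anonymous_proxy flag still present in older data."""
    cats = [name for flag, name in FLAG_CATEGORIES.items() if traits.get(flag)]
    if traits.get("is_anonymous_proxy") and "proxy" not in cats:
        cats.append("proxy")
    return cats


def is_private_relay(resp):
    """There is no dedicated relay flag: combine the anonymous-VPN flag with
    the ISP/organization name MaxMind assigns to the egress ranges."""
    t = resp.get("traits", {})
    names = (t.get("isp", "") + " " + t.get("organization", "")).lower()
    return bool(t.get("is_anonymous_vpn")) and "icloud private relay" in names


# Constructed excerpt in the column layout of Apple's egress-ip-ranges.csv.
APPLE_EGRESS_CSV = """\
203.0.113.0/26,US,US-CA,San Francisco,
203.0.113.64/26,US,US-NY,New York,
2001:db8:aa::/48,US,US-CA,Los Angeles,
"""


def load_egress(csv_text):
    """Parse (network, country, region, city) rows; skip blank/short lines."""
    rows = []
    for rec in csv.reader(StringIO(csv_text)):
        if len(rec) < 4 or not rec[0]:
            continue
        rows.append((ipaddress.ip_network(rec[0]), rec[1], rec[2], rec[3]))
    return rows


def apple_egress_location(ip, egress_rows):
    """(country, region, city) if ip lies in a published egress range,
    else None. Handles IPv4 and IPv6 without mixing the families."""
    addr = ipaddress.ip_address(ip)
    for net, country, region, city in egress_rows:
        if addr.version == net.version and addr in net:
            return (country, region, city)
    return None


if __name__ == "__main__":
    rows = load_egress(APPLE_EGRESS_CSV)
    print(anonymizer_categories(SAMPLE_RELAY["traits"]), is_private_relay(SAMPLE_RELAY))
    print(apple_egress_location("203.0.113.70", rows))
```

In production the egress list is fetched from Apple and the traits object comes from the Insights or minFraud response; the matching logic stays the same, and the Apple list is the authoritative check when the ASN is a partner CDN rather than AS714.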

The specifics of iCloud Private Relay detection in the context of carding

iCloud Private Relay (launched in 2021 with iOS 15 and macOS Monterey, for iCloud+ subscribers) is not a classic proxy but a two-hop relay built on MASQUE (proxying over QUIC/HTTP/3), with Oblivious DNS over HTTPS for name resolution. It covers Safari traffic, DNS queries and unencrypted HTTP from apps. Carders like it because:
  • It is part of the Apple ecosystem: switched on from the iCloud settings on iOS 15+ / macOS 12+, with no extra software to install.
  • Two hops: the ingress relay (Apple) sees the client IP but not the destination; the egress relay (a partner such as Cloudflare, Akamai or Fastly) sees the destination but not the client IP.
  • The egress IP belongs to ranges Apple publishes, so the traffic looks like ordinary Apple-customer traffic rather than a VPN.
  • Its limitation: the user cannot pick the exit. The relay keeps the exit near the real location (same city by default, or at least the same country and time zone), so it hides the IP but not the country.

MaxMind added identification of Private Relay egress ranges after the 2021 launch:
  • Tagging: the ISP/organization field reads "iCloud Private Relay"; in the Anonymous IP data the ranges carry is_anonymous: true and is_anonymous_vpn: true (there is no separate relay flag or relay_type attribute).
  • Geodata: Apple publishes its egress ranges with country, region and city (https://mask-api.icloud.com/egress-ip-ranges.csv), so the location is coarse, city-level at best; no postal codes.
  • In minFraud: the anonymous-IP signal (ip_address.traits.is_anonymous_vpn) raises the score, in this article's approximation by 15 to 25 points (typically +20). It is treated as a "softer" anonymizer than an open proxy because access requires an iCloud+ account and Apple can rate-limit abusive clients through the access tokens it issues.
  • Example Insights response for a Private Relay egress IP (field names are real; values are illustrative):
    JSON:
    {
      "traits": {
        "isp": "iCloud Private Relay",
        "organization": "Apple Inc.",
        "autonomous_system_number": 714,
        "is_anonymous": true,
        "is_anonymous_vpn": true
      },
      "city": {"names": {"en": "San Francisco"}},
      "location": {"accuracy_radius": 100}
    }

In carding: if a carder uses Private Relay to test a card (e.g., a small purchase at a large retailer), the gateway sees the flag and blocks or requires 3-D Secure. Because the relay's user base is overwhelmingly legitimate Apple customers, the flag is usually combined with other signals rather than used as a hard block, which keeps false positives low.

Fraud score impact: +20 to score in carding scenarios

minFraud aggregates signals into a common risk score. Proxy is a strong trigger, especially in carding, where it's combined with other red flags (IP/billing mismatch, rapid IP change).

Signal in minFraud | Description in the context of carding | Contribution to risk score | Example for Private Relay
IP Anonymizer | is_anonymous / is_anonymous_vpn flag set | +10 to 20 points | +15 (relay is considered a "soft" anonymizer)
Hosting Provider | IP from data-center / VPN range (is_hosting_provider) | +5 to 15 points | +5 (if the egress sits in partner CDN space)
Geo Mismatch | IP location ≠ billing address (e.g., US card, relay exit in the EU) | +10 to 20 points | +20 (coarse relay geolocation amplifies it)
High-Risk ASN | Apple AS714 together with the anonymizer flag | +5 to 10 points | +5
Overall effect | Combination of 3 or more signals | +20 to 50 points total | Score >60 → block/captcha

The point values are this article's illustration of how each signal moves the score; minFraud's risk_score is a modelled probability, not a sum of these weights.

Example of carding scenario:
  • A carder holding a stolen US card with a New York billing address operates from a device in California with Private Relay on; the exit is in California because Private Relay keeps the exit near the device's real location.
  • GeoIP2 flags: anonymizer (is_anonymous_vpn, ISP "iCloud Private Relay") + mismatch (billing: NY, IP: coarse CA).
  • minFraud: base score 10 → +20 (relay) → +15 (mismatch) = 45 → additional check (SMS or 3-D Secure).
  • Result: about 70% of such attempts are blocked (according to MaxMind stats).
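The scoring walk-through above, as an added example that is not MaxMind's model or code: it applies the article's illustrative weights to the IP-level traits plus a billing/IP geo comparison and maps the total to a decision. The weights, thresholds (step-up at 40, block at 60) and sample transactions are constructed; minFraud's real risk_score is a modelled probability, so this is a reference implementation of the article's reasoning, not of minFraud.

```python
"""Added example: additive risk heuristic using the article's illustrative
weights. Not minFraud's scoring; all inputs below are constructed."""

BASE_SCORE = 10
WEIGHTS = {                      # illustrative weights from the table above
    "anonymizer_relay": 20,      # iCloud Private Relay egress
    "anonymizer_other": 15,      # VPN, open proxy, Tor, residential proxy
    "hosting_provider": 5,
    "geo_mismatch_country": 20,
    "geo_mismatch_region": 15,
    "high_risk_asn": 5,          # Apple AS714 combined with the relay flag
}
APPLE_ASN = 714
ANON_FLAGS = ("is_anonymous", "is_anonymous_vpn", "is_public_proxy",
              "is_tor_exit_node", "is_residential_proxy")


def is_relay(traits):
    """Private Relay = anonymous-VPN flag plus the ISP name MaxMind assigns."""
    return bool(traits.get("is_anonymous_vpn")) and \
        "icloud private relay" in traits.get("isp", "").lower()


def ip_reasons(traits, ip_geo, billing_geo):
    """Triggered signal names for one transaction.
    ip_geo / billing_geo are (country_iso, region_code) tuples."""
    reasons = []
    relay = is_relay(traits)
    if relay:
        reasons.append("anonymizer_relay")
    elif any(traits.get(f) for f in ANON_FLAGS):
        reasons.append("anonymizer_other")
    if traits.get("is_hosting_provider"):
        reasons.append("hosting_provider")
    if ip_geo[0] != billing_geo[0]:
        reasons.append("geo_mismatch_country")
    elif ip_geo[1] != billing_geo[1]:
        reasons.append("geo_mismatch_region")
    if relay and traits.get("autonomous_system_number") == APPLE_ASN:
        reasons.append("high_risk_asn")
    return reasons


def score(reasons):
    """Base score plus weights, capped like minFraud's 99 ceiling."""
    return min(99, BASE_SCORE + sum(WEIGHTS[r] for r in reasons))


def decision(total):
    if total >= 60:
        return "block"
    if total >= 40:
        return "step_up"        # SMS or 3-D Secure challenge
    return "allow"


def evaluate(traits, ip_geo, billing_geo):
    reasons = ip_reasons(traits, ip_geo, billing_geo)
    total = score(reasons)
    return total, decision(total), reasons


# Constructed transactions.
RELAY_TRAITS = {"isp": "iCloud Private Relay", "is_anonymous": True,
                "is_anonymous_vpn": True}
HOME_TRAITS = {"isp": "Example Cable Co", "is_anonymous": False}
TOR_HOSTING_TRAITS = {"isp": "Example Hosting", "is_anonymous": True,
                      "is_tor_exit_node": True, "is_hosting_provider": True}

if __name__ == "__main__":
    # Article scenario: NY billing, relay exit in CA -> 10 + 20 + 15 = 45
    print(evaluate(RELAY_TRAITS, ("US", "CA"), ("US", "NY")))
    print(evaluate(HOME_TRAITS, ("US", "NY"), ("US", "NY")))
    print(evaluate(TOR_HOSTING_TRAITS, ("DE", "BE"), ("US", "NY")))
```

The relay case on its own never reaches the block threshold here, which matches the article's point that the +20 is meant to be combined with mismatch and velocity signals rather than to act as a standalone block rule.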

Carder evasion strategies and countermeasures

Bypasses (educational, for understanding threats):
  • Residential proxies (e.g., Luminati, now Bright Data): IPs from real subscriber devices, harder to flag (but more expensive), and still caught by the is_residential_proxy flag when the network is known.
  • SOCKS5 over Tor: multi-layered anonymization, but slow, and Tor exits are flagged by is_tor_exit_node.
  • Mobile proxies: 4G/5G IPs that look residential (user_type cellular) and are shared by many real users behind carrier NAT.
  • For Private Relay: turning the relay off (globally or per site) removes the relay flag but exposes the real IP; user-agent spoofing changes nothing at the IP level.

Business countermeasures:
  • Integration: use minFraud Factors, whose per-signal output lets you write custom rules (e.g., allow a relay IP when the device fingerprint and billing country are consistent, instead of blocking on the flag alone).
  • Additional layers: MaxMind's device tracking add-on plus behavioural analytics (velocity checks on card, device and IP).
  • Testing: A/B tests to measure false positives, since Private Relay is legitimate traffic for a meaningful share of Apple users (the article estimates 10 to 15% of Apple traffic).

Conclusion

MaxMind GeoIP2 is a fundamental tool in the fight against carding, turning IP analysis into an effective anti-fraud filter. Detecting relays like iCloud Private Relay (about +20 to the score in this article's model) balances privacy (coarse geolocation) against security (risk flags), and the author estimates a 30 to 50% reduction in chargebacks. For businesses: combine it with device and velocity signals rather than blocking on the flag alone; for users: understand that relays protect the IP but can trigger extra checks. This highlights the evolution of fraud tooling, from simple proxies to sophisticated relays, and the need for continuously updated data. For a deeper dive, see MaxMind's documentation at https://dev.maxmind.com/geoip/.