What is IP Masking and How is it Used for Ad Fraud?

Man

Let's imagine a classic bank robbery scenario, like from a movie: criminals put masks on their heads to commit a crime. Why? To hide their identity from law enforcement and then spend the loot in peace.

Bank robberies are rare these days, of course (there were 1,500 robberies in 2024, compared to 7,465 in 2003), but criminals are still looking for ways to make a quick buck at someone else's expense, and so they try to hide their identities.

One way cybercriminals do this is by using various methods to disguise IP addresses when committing fraudulent schemes. What is this? How does it relate to ad fraud? Can it be combated?

Contents
1. What is it?
2. How scammers hide IP addresses: 5 ways
2.1. Local proxy networks
2.2. Commercial proxies and VPNs
2.3. TOR and other anonymous browsers
2.4. Dynamic IP address
2.5. Botnets
3. How to Stop IP Masking Scams

What is this?

IP masking is a technology that hides the unique identifier of a user's device in a computer network from third parties and replaces it with another IP. It is often used to maintain anonymity on the Internet and to make it difficult to identify the user's real location or to link the user to the actions they perform on the network.

This technology has quite legitimate uses. For example, users often use services to mask IP addresses to avoid malicious or intrusive advertising, bypass geoblocking in streaming content (SmartTV), and much more.

However, it is also often abused by fraudsters who want to hide their illegal activity - stealing money from advertisers. Masking the IP address allows them to get away with it. The motivation for using this technology is the same as that of bank robbers - to hide their identities and make themselves difficult to find.

How Scammers Hide IP Addresses: 5 Ways

There are different ways to mask IP addresses. This is both good and bad. Good because it allows users to protect their identity on the Internet. Bad because it allows scammers to hide themselves and anonymously attack unsuspecting advertisers.

Below are some ways that attackers can hide their IP:

1. Local proxy networks

Fraudsters use home network proxy servers - any service that routes traffic through an intermediary server. Typically, the intermediary sits on a standard home network serviced by an Internet service provider.

In most cases, all IP addresses on the network belong to users of free proxy software. The server becomes an additional link and separates the person from the visited site. The site will treat the proxy and its assigned IP as the visitor, although this is not actually the case.

But not everything is so rosy, especially for the advertising industry. Fraudsters can turn the advertiser's life into a real nightmare, because these IPs may belong not only to fraudsters, but also to real potential buyers. Therefore, direct blocking of IP addresses is not always a good solution.

Moreover, if one IP is blocked, the fraudster immediately connects to another proxy server on the network in just a couple of seconds - so his work will not even slow down.

2. Commercial proxies and VPNs

There are companies that offer proxy servers from their own data centers to access the Internet. Centralized commercial proxies and virtual private network (VPN) services help mask IP addresses, allowing their customers to connect to their data center or server before visiting web resources.

Fraudsters can route traffic through a VPN provider's service, thereby hiding their IP.

Typically, using a VPN is a paid service with a monthly or annual subscription fee. In addition to VPN access, companies also offer many additional related services, such as data encryption to protect users' online activity.

Some providers offer their services "for free", but the user will still have to pay. For example, the online publication TechCrunch writes:

"Like any free service or resource, VPNs are often monetized through advertising. This means that the service sells the user's Internet traffic to the highest bidder for placing targeted advertising while the user is connected to the VPN. Other free VPNs may even place ads on the sites that the user visits."

In other words, users do not pay for using a VPN service with money, but they pay with their personal data. What's worse, there are companies that do not care about their reputation, so they can easily sell their users' personal data to scammers: full names, phone numbers, residential addresses, or email addresses. Fraudsters can then use real user data for lead generation fraud.

3. TOR and other anonymous browsers

If you are familiar with the concept of the "dark web" (the infamous part of the global web that is hidden from regular browsers), you are probably familiar with Tor and other browsers that allow you to remain anonymous online. The concept of Tor is almost no different from that of proxy networks, except that the proxy is already built into the browser itself.

British research company Comparitech notes the following:

"When a user connects to Tor, their internet traffic is encrypted and routed through a random sequence of volunteer 'nodes,' which act like proxy servers. Websites only see the IP address of the last server in the chain, called the exit node."

Traffic in the Tor browser is routed through a lot of different nodes, many of which are not designed for high loads.

And while not all traffic that goes through Tor is fraudulent, there is still a certain stigma attached to the browser. It can be used for criminal activity - going into the "dark web" in search of illegal services, etc.

4. Dynamic IP address

If a website visitor wants to make it more difficult to track their online activity by IP, they can use their Internet service provider's dynamic IP address.

A dynamic IP address is a temporary IP assigned by an Internet service provider that changes every time a user's device connects to the network.

Many residential IPs are dynamic in nature. In fact, US marketing company TechTarget reports that “it’s a type of IP address that is provided by default by Internet service providers.”

Even if the advertiser blocked the dynamic IP to stop the fraudster, all the attacker would need to do to bypass the block is turn their device off and on again. They would then have a new IP address and could continue their fraudulent activity.

However, in this case, the IP will still be known to the Internet provider. And it will be easier for them to track down the fraudster.

5. Botnets

Many cybercriminals hide their personal IP addresses by carrying out fraudulent operations through botnets. These are large networks that link devices infected with malware and allow the bot operator to control them remotely.

Because the ad traffic is routed through a botnet, all IP addresses belong to individual compromised devices of unsuspecting people, not to the actual scammer. The attackers stay safely hidden behind a wall of zombie bots (infected devices) and never interact directly with the site or the ad.

In some ways, a botnet is similar to a proxy network. It's just that the attacker controls the devices directly rather than routing traffic through them.

The ease with which fraudsters can purchase ready-made botnets (or create their own if they have the skills and knowledge) makes this an incredibly common method for ad fraud. If an advertiser tries to block one IP address, the criminal will have literally thousands of others to exploit.

How to Stop IP Masking Scams

So how can you stop ad fraud where the fraudster uses IP masking technology? By not relying on IP as the only method of identifying the attacker.

Relying solely on an IP address after the fact is like the police looking for a robber who is still wearing a mask weeks after the robbery.

Instead, other markers and patterns need to be used, just as the police do after a robbery. Where the police collect descriptions of the robbers' physical characteristics (height, build, weight, etc.), mannerisms, and voices to try to identify them, the advertiser needs access to a large amount of data about the visitors to their site.

Collecting and analyzing each parameter manually takes a long time, and you can't always be sure the assessment is correct. This is where the solution to stop ad fraud from the Botfaqtor service can help.

The service collects hundreds of data points about each visitor to your site to accurately identify fraudulent traffic. With Botfaqtor, you can stop fraudsters even if they mask their IP address!
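The idea under "How to Stop IP Masking Scams" (use markers other than the IP) can be shown on a small click log. This is an added example, not part of the original post and not Botfaqtor's method; the four attributes, the thresholds and all sample records are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample data, not real traffic. IPs are RFC 5737 documentation
# addresses; the non-IP attributes (user agent, screen, timezone, language)
# are assumed to be collected by the advertiser's own landing page.
BOT = ("Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0", "800x600", "UTC", "en-US")
MAC = ("Mozilla/5.0 (Macintosh) Safari/605.1", "1440x900", "Europe/Berlin", "de-DE")
PHONE = ("Mozilla/5.0 (iPhone) Mobile Safari/604.1", "390x844", "America/Chicago", "en-US")

# (seconds since start, source IP, non-IP attributes)
CLICKS = [
    (0, "192.0.2.10", BOT), (7, "198.51.100.23", BOT),
    (15, "203.0.113.5", BOT), (21, "198.51.100.77", BOT),  # new IP every click
    (30, "192.0.2.200", MAC), (400, "192.0.2.200", MAC),   # buyer, stable IP
    (55, "203.0.113.91", PHONE), (9000, "203.0.113.140", PHONE),  # dynamic IP
]

def fingerprint(attrs):
    """Short stable ID derived only from attributes other than the IP."""
    return hashlib.sha256("|".join(attrs).encode()).hexdigest()[:12]

def clicks_per_ip(clicks):
    """What an IP-only rule sees: number of clicks per source address."""
    return Counter(ip for _, ip, _ in clicks)

def rotating_fingerprints(clicks, min_ips=3, window=60):
    """Return {fingerprint: IPs} seen from >= min_ips IPs within `window` s.

    The time window matters: a coarse fingerprint is shared by many real
    users, so "same fingerprint, different IP" alone is not a fraud signal.
    """
    by_fp = defaultdict(list)
    for ts, ip, attrs in clicks:
        by_fp[fingerprint(attrs)].append((ts, ip))
    flagged = {}
    for fp, events in by_fp.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[fp] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    print("busiest IP:", clicks_per_ip(CLICKS).most_common(1))
    for fp, ips in rotating_fingerprints(CLICKS).items():
        print("fingerprint", fp, "rotated through", ips)
```

In this sample a per-IP click threshold would single out the legitimate buyer's address first, while every rotating address shows only one click; grouping by the non-IP fingerprint exposes the rotation and leaves the visitor whose dynamic IP changed hours later alone.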
 