Is this an ISP or a proxy server?

  • iSpyCams
    Amateur Gynecologist
    • May 2009
    • 4436

    #1

    Is this an ISP or a proxy server?

    I noticed some transactions coming from a specific IP address range. Generally I find that joins originating from static corporate IP addresses are frequently fraud; however, this company seems kind of new, and there are quite a few transactions originating from seemingly unrelated affiliates and unrelated customers.

    The IPs are in the 173.209.x.x range; one such is 173.209.211.145.

    I am showing this as Hosted Data Solutions, LLC and Syniverse Technologies, LLC.

    Upon closer inspection it appears this may be Windstream which has been growing lately.

    Does anyone know for sure if this is an ISP or a proxy server?
    - As soon as I think up a good sig it's going here.
  • TROLLENSTEIN
    Server Monkey
    • May 2013
    • 164

    #2
    It is a Proxy. This IP is infected (or NATting for a computer that is infected) with the Conficker A or Conficker B botnet.

    • iSpyCams
      Amateur Gynecologist
      • May 2009
      • 4436

      #3
      Originally posted by TROLLENSTEIN
      It is a Proxy. This IP is infected (or NATting for a computer that is infected) with the Conficker A or Conficker B botnet.
      OK, how can you tell?

      • TROLLENSTEIN
        Server Monkey
        • May 2013
        • 164

        #4
        If I get asked to check a suspicious IP I check CBL first.

        • iSpyCams
          Amateur Gynecologist
          • May 2009
          • 4436

          #5
          OK but if it's an IP that an ISP shares between a lot of customers then there's a high chance that one or two of those many customers are infected and it doesn't mean the join is fraud necessarily, right?

          • TROLLENSTEIN
            Server Monkey
            • May 2013
            • 164

            #6
            True, an IP alone doesn't really prove anything and doesn't mean it is a 100% fraudulent join. However, that particular IP is flagged as Corporate (Company, Fixed location, Static, Not Shared) and acting as an open proxy that can be logged into from anywhere on the planet. Not many sensible businesses run open proxies with worldwide access and appear on CBL. I would certainly keep an eye on that join/customer if it was my site.

            • iSpyCams
              Amateur Gynecologist
              • May 2009
              • 4436

              #7
              Originally posted by TROLLENSTEIN
              True, an IP alone doesn't really prove anything and doesn't mean it is a 100% fraudulent join. However, that particular IP is flagged as Corporate (Company, Fixed location, Static, Not Shared) and acting as an open proxy that can be logged into from anywhere on the planet. Not many sensible businesses run open proxies with worldwide access and appear on CBL. I would certainly keep an eye on that join/customer if it was my site.
              It's not an open proxy; I am thinking maybe a cell phone tower or similar service. I am seeing these more and more in the US, but most identify as belonging to AT&T, Cingular, recognizable companies like that.

              I am analyzing the customer behavior onsite as I think that will tell the tale as to whether I am better off without this IP range or not. One curious thing is that around the middle of the month I blocked a number of popular prepaid gift cards that were being abused on my PPS programs, and about that time joins from this range almost completely stopped. But that could still be a coincidence. A cell phone provider could have changed the way they handled mobile internet traffic, for example.

              • Due
                Confirmed User
                • Mar 2001
                • 3620

                #8
                Originally posted by pompousjohn
                It's not an open proxy; I am thinking maybe a cell phone tower or similar service. I am seeing these more and more in the US, but most identify as belonging to AT&T, Cingular, recognizable companies like that.

                I am analyzing the customer behavior onsite as I think that will tell the tale as to whether I am better off without this IP range or not. One curious thing is that around the middle of the month I blocked a number of popular prepaid gift cards that were being abused on my PPS programs, and about that time joins from this range almost completely stopped. But that could still be a coincidence. A cell phone provider could have changed the way they handled mobile internet traffic, for example.
                Could it be Wi-Fi hot spots? It's common that telecoms use "push to Wi-Fi" if you are near a hotspot to reduce the load on the mobile networks.
                I buy plugs
                Skype: Due_Global
                /Due

                • iSpyCams
                  Amateur Gynecologist
                  • May 2009
                  • 4436

                  #9
                  Originally posted by Due
                  Could it be Wi-Fi hot spots? It's common that telecoms use "push to Wi-Fi" if you are near a hotspot to reduce the load on the mobile networks.
                  I have already determined that these IPs are not "bad". There may be other issues, but so far there are no indications of fraud, other than these suspicious IPs, which I am no longer suspicious of.

                  As I was informed on another board:

                  Windstream acquired Hosted Solutions and they are part of their business ISP. Windstream provides both business and residential internet. If you're seeing Hosted Solutions, those should more than likely be static IPs, and it'll be a crap shoot figuring out if the others are static or dynamic under the Windstream name. The consumer class is definitely a dynamic IP.

                  Their abuse email is [email protected] (for both business and residential services).

                  Syniverse Technologies provides internet via CDMA (Verizon, Sprint), so it could be a cell phone or mobile data card. These IPs tend to be dynamic... but their abuse email is [email protected]

                  So bottom line, both ISPs. Highly unlikely that Syniverse and Windstream are proxies, but Hosted Solutions COULD be.

                  • TROLLENSTEIN
                    Server Monkey
                    • May 2013
                    • 164

                    #10
                    Did your list contain:

                    We have all these flagged/banned as open proxies/botnet on Windows boxes, not mobile. Spikes in traffic* from this range on February 27th 2014, March 4th 2014, March 9th 2014, March 19th, March 18th, April 18th, April 28th 2014. If it is a business running a cell/WiFi hotspot and their main box is compromised, maybe anyone on their Windows laptop is being infected? But you mention mobile, so if the signup was made via mobile it could be something entirely different. Still, that entire IP range appears rooted and infected, so it's banned/blocked.

                    *Could be more but only took a quick look at the stats.

                    • iSpyCams
                      Amateur Gynecologist
                      • May 2009
                      • 4436

                      #11
                      It includes these 86 IPs after stripping duplicates.

                      23 successful joins out of 152 attempts. Not sure how meaningful that is, since many tried multiple times (I only allow 3 attempts though; velocity declines are not considered here, I remove those when analyzing data since they skew the ratios). I am only looking at the last 30 days. I have some older history, but I am not in my office and it's hard for me to crunch numbers on a small screen. I am not a database whiz so I do it in Excel. Clumsy I know, but it gets the job done so far.

                      Of note is that the joins from these IPs performed VERY poorly in terms of conversion rates: only 3 out of 23 converted to full membership. Usually I get at least 35% conversion on trial joins, unless there is some monkey business going on.

                      • TROLLENSTEIN
                        Server Monkey
                        • May 2013
                        • 164

                        #12
                        Originally posted by pompousjohn
                        I am not a database whiz so I do it in Excel. Clumsy I know, but it gets the job done so far.
                        Not clumsy at all, whatever works best for you is the best. And it is good to see you keep on top of things like this, I love people that do that.

                        • CPA-Rush
                          small trip to underworld
                          • Mar 2012
                          • 4927

                          #13
                          I have used the lookup service at whatismyipaddress, proxy not found.

                          automatic exchange - paxum , bitcoin,pm, payza

                          . daizzzy signbucks caution will black-hat black-hat your traffic

                          ignored forever :zuzana designs

                          • FINESEC
                            Registered User
                            • Nov 2012
                            • 59

                            #14
                            You can check multiple RBLs here:
                            http://whatismyipaddress.com/blacklist-check
                            http://www.anti-abuse.org/multi-rbl-check/
                            http://SiteDefensor.com - secure authentication, password cracking and sharing prevention, site ripping protection
                            http://SiteCaptcha.com - free, secure and simple CAPTCHA solution
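An added example (not posted by anyone in this thread) of the DNSBL check that posts #4 and #14 rely on: build the reversed-octet query name for a zone such as CBL or Spamhaus ZEN and interpret the answer, separating an "exploited host / open proxy" listing from a "dynamic end-user space" listing, which is the ISP-or-proxy question the thread is asking. The zone names and return-code table are assumptions taken from public DNSBL documentation, and the resolver is injectable so the logic runs offline.

```python
import ipaddress
import socket
from typing import Callable, List

# ASSUMPTION: return codes as published by Spamhaus for its ZEN zone (which
# carries the CBL data as XBL); the standalone CBL zone answers 127.0.0.2.
ZEN_CODES = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.10": "PBL: ISP-declared end-user (dynamic) space",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user space",
}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")      # any answer here = listed
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # refused/limited, NOT a listing


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def interpret_answers(answers: List[str]) -> dict:
    """Classify the A records returned for a DNSBL query name."""
    listed = error = exploited = end_user = False
    reasons: List[str] = []
    for a in answers:
        addr = ipaddress.ip_address(a)
        if addr in ERROR_NET:      # e.g. 127.255.255.254: blocked public resolver
            error = True
            reasons.append(f"{a}: query refused or rate-limited, not a listing")
        elif addr in LISTED_NET:
            listed = True
            last = int(a.rsplit(".", 1)[1])
            if 4 <= last <= 7:     # XBL range: open proxy, bot, exploited host
                exploited = True
                reasons.append(f"{a}: XBL (CBL data): exploited host / open proxy")
            else:
                end_user = end_user or last in (10, 11)
                reasons.append(f"{a}: {ZEN_CODES.get(a, 'unknown code')}")
    return {"listed": listed, "error": error, "exploited": exploited,
            "end_user": end_user, "reasons": reasons}


def live_resolve(name: str) -> List[str]:
    """Real DNS lookup; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, zone: str = "zen.spamhaus.org",
             resolve: Callable[[str], List[str]] = live_resolve) -> dict:
    """Query the DNSBL for one IP; `resolve` is injectable for offline tests."""
    name = dnsbl_query_name(ip, zone)
    out = interpret_answers(resolve(name))
    out["query"] = name
    return out
```

A PBL-only hit says "end-user ISP space", an XBL hit says "exploited host", and an answer in 127.255.255.0/24 means the lookup itself was refused and tells you nothing about the address.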

                            • iSpyCams
                              Amateur Gynecologist
                              • May 2009
                              • 4436

                              #15
                              Originally posted by rosx
                              I have used the lookup service at whatismyipaddress, proxy not found.
                              Whatismyipaddress.com seems to be better at detecting forum and email spam sources. I have heard black hat boards discussing ways to set up proxies so they are not detectable there, or haven't been flagged there yet, so proxies that are not flagged by whatismyipaddress.com seem to command a premium among scammers.

                              • iSpyCams
                                Amateur Gynecologist
                                • May 2009
                                • 4436

                                #16
                                Originally posted by TROLLENSTEIN
                                Did your list contain:

                                We have all these flagged/banned as open proxies/botnet on Windows boxes, not mobile. Spikes in traffic* from this range on February 27th 2014, March 4th 2014, March 9th 2014, March 19th, March 18th, April 18th, April 28th 2014. If it is a business running a cell/WiFi hotspot and their main box is compromised, maybe anyone on their Windows laptop is being infected? But you mention mobile, so if the signup was made via mobile it could be something entirely different. Still, that entire IP range appears rooted and infected, so it's banned/blocked.

                                *Could be more but only took a quick look at the stats.
                                I am looking at data from the month of May primarily, and to the naked eye, after sorting by time/date stamp, there aren't any visible spikes; variances seem to fall well within what could be natural coincidence and the entire month is covered more or less evenly. However, as I mentioned, since I banned some popular prepaid gift cards successful joins dropped sharply (20 joins prior to May 17th, 3 after).

                                So at the moment if I had a theory about this being an intentional conspiracy I am thinking this could be a person or group who has a list of virtual cards and maybe a few stolen cards and runs it via botnet on PPS programs where the commission is higher than the signup cost. There seems to be a concentrated effort to lightly sprinkle these joins among other legitimate joins and across a variety of affiliate accounts so as to degrade but not destroy the profitability of the individual affiliate accounts. It's just a theory that will most likely be proven false or unlikely when I get back to my office Sunday and run more detailed reports.
                                Last edited by iSpyCams; 05-30-2014, 05:42 AM.

                                • Spudstr
                                  Confirmed User
                                  • Jan 2003
                                  • 2321

                                  #17
                                  https://isc.sans.edu/asreport.html?as=25934

                                  Known issue.
                                  Managed Hosting - Colocation - Network Services
                                  Yellow Fiber Networks
                                  icq: 19876563

                                  • bean-aid
                                    So Fucking Banned
                                    • Jun 2011
                                    • 16493

                                    #18
                                    Try that other board... they truly know their shit.
