Botnet proxies hide the bad guy
Article by: Alisdair Faulkner, VP Products
Date: 29 May 2008
Last Update: 30th April 2008
Online criminals are becoming increasingly sophisticated, and the latest technique in their arsenal is the botnet proxy. Botnet proxies can be used to steal passwords, disguise identities and mask locations in order to commit fraud. These botnet proxy techniques are beyond what the fraud-scrubbing methods used by merchants and payment processors today can detect.
Botnet proxies (or stealth proxies) are a type of malware that opens a non-standard proxy port for the private use of the perpetrator, and effectively circumvents detection methods based on IP geolocation, known proxy lists, open proxy detection, and transaction velocity.
Machines infected with a botnet proxy agent select a new random proxy port when rebooted, and "phone home" to their botnet controller using a single encrypted UDP packet to announce their availability and port. There are also types of botnet proxy that do the same thing over HTTP, and "pull" their work commands from the command host, allowing them to work transparently through corporate firewalls. Access to hundreds of these botnet proxies allows a fraudster to commit multiple fraudulent transactions, with different stolen identities, that appear to be coming from different locations, circumventing transaction velocity detection.
In observing the activity of one of these new botnet proxies, ThreatMetrix has seen it make over 220,000 connections in 24 hours, to more than 500 different sites.
More accurate assessment of device risk, and therefore effective fraud control, involves true identity verification of the perpetrating node through device fingerprinting, unmasking the anomalies hidden by botnet proxies, and sharing the node information through a global device intelligence network.
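As an added illustration (not part of the original article) of the two points above: a velocity check keyed on source IP sees one transaction per botnet proxy and flags nothing, while the same check keyed on a device fingerprint, or a count of distinct identities per device, exposes the fraudster. The transactions, IP addresses and fingerprint values below are constructed.

```python
from collections import defaultdict

# Constructed sample transactions: one fraudster relaying through several
# botnet proxies (different IPs, different stolen card holders) from a single
# device, plus one legitimate shopper.
TRANSACTIONS = [
    # (minute, source_ip, device_fingerprint, card_holder)
    (0,  "198.51.100.10",  "fp-A1", "alice"),
    (2,  "203.0.113.7",    "fp-A1", "bob"),
    (5,  "192.0.2.44",     "fp-A1", "carol"),
    (9,  "198.51.100.99",  "fp-A1", "dave"),
    (12, "203.0.113.120",  "fp-A1", "erin"),
    (15, "192.0.2.200",    "fp-B7", "frank"),  # legitimate single shopper
]

WINDOW_MINUTES = 60
THRESHOLD = 3  # more than this many transactions per key per window is suspicious

def velocity_flags(transactions, key_index, window=WINDOW_MINUTES, threshold=THRESHOLD):
    """Return the set of key values with more than `threshold` transactions
    inside any sliding `window` of minutes. key_index selects the field that
    identifies the device: 1 = source IP, 2 = device fingerprint."""
    by_key = defaultdict(list)
    for tx in sorted(transactions):          # sorted by minute
        by_key[tx[key_index]].append(tx[0])
    flagged = set()
    for key, times in by_key.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(key)
                break
    return flagged

def ip_velocity_flags(transactions):
    """IP-keyed velocity check: each proxy contributes one hit, so nothing trips."""
    return velocity_flags(transactions, key_index=1)

def fingerprint_velocity_flags(transactions):
    """Device-keyed velocity check: the relayed transactions collapse onto one device."""
    return velocity_flags(transactions, key_index=2)

def identities_per_device(transactions):
    """Distinct card holders seen per device fingerprint; many identities
    presented from one device is the pattern described in the article."""
    seen = defaultdict(set)
    for _, _, fingerprint, holder in transactions:
        seen[fingerprint].add(holder)
    return {fingerprint: len(holders) for fingerprint, holders in seen.items()}
```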