It took me longer than it should to realize we were not talking about a service to place proxy calls to 911 (emergency dispatch) but a service called "911" that sells proxy accounts.
I mentioned this SDK, EarnApp, in my other comment. I am a shady web scraper that uses these services when necessary. The real answer is, STOP USING IP addresses for reputation scanning. With ipv4 exhaustion and CGN, this is an inevitable outcome anyways.
Bright Data operates a service where you agree to allow your network to be used in their proxy system. In return, they give you a small amount of money per gigabyte of traffic. https://earnapp.com/
There is a community of people who use these passive income apps for some pocket money. It's not too good to be true, but they pay you so little compared to how much they make from you. For example, they pay $0.60/GB for united states traffic, and charge approx $15.00/GB for residential proxy use on the Bright Data network.
The ethics of these free VPNs and hidden proxy SDKs are very questionable. But they are crazy profitable for the proxy providers running them so unlikely to go away.
Does anyone know of a service that can be used to determine whether an IP has been associated/used by one of these proxy services? It would benefit my company to be able to detect these types of fraudsters
since these proxy services are created by hijacking legitimate users' computers and internet connections, I would imagine any such list would be quickly out of date. Based on their marketing information, at least hundreds of new computers were added to their network each day.
Hi! Here at Spur, this is our mission exactly. As another commenter correctly noted, proxy endpoint data - especially those of residential or "callback" proxies like 911 - is highly ephemeral. Our company provides near-real time tracking for many residential & datacenter proxy services, as well as VPNs.
Very interesting service, but sadly I cannot sign up for a trial, due to not possessing a US telephone number, which for some reason is required. That said I am a researcher at an Internet measurement and security group. Any chances for a cooperation?
My first thought is, "Why would it benefit your company, unless you were dealing with payments directly?," and then I read your comment history and it all makes sense now, haha.
Honestly, for assessing risk of individual users, my worry is that the only good option right now is to use tools that require lots of data on the user, like recaptcha v3. You could set up a honeypot that tries to catch as many IP addresses implicated in proxy activity as possible. Maybe that second one would be a good company idea.
Thanks for the info. I don't know the full story behind any particular residential IP proxy service, but I'd previously decided not to use any of them for a startup's purposes.
As I explained to my colleagues, I wouldn't be able to determine, with confidence, which of the services were 100% legit, and which weren't. We didn't want to accidentally get involved with questionably-obtained residential IPs, etc. That would've been antithetical to our business, and also just not how we operate in general.
(The startup provided solutions in the supply chain integrity space. Part of the technology included bespoke Web scraping, to monitor certain venues for naughtiness scale and patterns over time. Because venues were around the world, and because venues had complicating incentives regarding some of the questionable third-party activity in the venue... I wanted the delicate scraping to look similar to normal consumer users who were in the geopolitical region served by the venue. Instead of a residential IP service, I used an (undisclosed) different, impeccable approach, which won't work for all use cases, but did for ours.)
> Instead of a residential IP service, I used an (undisclosed) different, impeccable approach, which won't work for all use cases, but did for ours
3G/LTE because all mobile providers use CG-NAT?
(I also discovered that my old DSL ISP accepted its dialup provider's credentials for PPPoE). Best part about PPPoE is that you can run multiple sessions over the same line/modem.
Does anyone know how this software passed Microsoft smartscreen and typical antivirus apps? As someone distributing legitimate software on Windows, I feel like I was heavily scrutinized and getting code signing certs was a real pain, and costly. What's the purpose if it can't even weed out crap like this?
AFAIK Lets Encrypt does not provide free code-signing certificates, but I did hear of a group that was trying to do that. Can't recall the name right now.
It's an absolute sham and Microsoft is using their market dominance to give us a worse product for more money.
I would love to see someone start a Windows app store that's based on domain validated code signing. Domains are better trust indicators than business names IMO.
They probably just tell the user to bypass the prompts. For example, my college roommate went to great lengths to install what he thought was a Pokémon blue emulator on his laptop. All the security checks in the world won’t protect a user determined to silence them.
I don’t know that’s what happened here, but it sounds like some of the installs were PPI, so I wouldn’t be surprised. That basically means anyone who can figure out how to bundle the software with an artifact can distribute it. A long time ago, and probably today too, people used to crack popular programs, bundle some adware into them, and then seed the torrent. The user is already committed to circumventing security checks and entering strange commands, so I can imagine how they might end up installing some bonus executables in the process.
Just to play devil's advocate, what about situations where someone's freedom to use software encroaches on others? For example, what if a user uses those freedoms to install malware that adds their machine to a botnet?
Everything you do in this world "enroaches on others" to some extent. One of the core tenets of freedom, at least in the West, is that we need to allow a certain amount of that and consider the fact that people will not always do what you want as a necessary condition for freedom to exist.
Yes exactly, the point I guess I was arguing with is how you define 'a certain amount' of freedom. Freedom is clearly not absolute in the real world so why should it be absolute in the digital one? Particularly when the overwhelming majority of 'normal' people do not care about the basics of digital hygiene and security.
There was a time I had a very Stallman view on software. Now I think my views are that having closed source devices, where security is managed by 'trusted' third parties, is absolutely fine for people who don't care. However, there should always be a choice for those who do want to exercise their freedom, and typically those who care about their digital freedoms will be technical enough to manage their devices responsibly. Clearly though in the mobile market in particular we're very far away from realising this.
Consider that it's illegal to drive a car without working headlights or taillights, but cars aren't required to disable themselves if they detect a lightbulb is burned out.
I'm not sure I understand your analogy. My thoughts were along the lines of users unintentionally installing malware which inflicts harm onto others, or say refusing to install software updates 'because it works' which in turn puts others at risk.
But to use that car analogy, in my country it is a legal requirement to have your car undergo a safety check every year for cars older than a certain age. That is very analogous to installing software updates in my opinion, and yet we don't enforce legal requirements to install updates on personal devices.
Does anyone have any recommendations for legit companies that provide proxies from ASNs not marked as datacenter/proxy? I need some for web scraping, but all the ones I've found so far seem super shady...
Among their reasons they list that it's a "huge challenge" to manually vet traffic to detect malicious usage. They've been online for two years and only now determined that this would be a challenge?
And then blame a hacker of manipulating user balances and data loss. Please.
This sounds like incompetence on their side to keep their shady business under wraps, and now that it's been made public, they're shutting down to re-brand and launch a "new" service with the same backend. Any one of their "competitors" could actually just be them.
65 comments
[ 2.4 ms ] story [ 149 ms ] threadWhen the service is free, you are the product.
Did a teardown on their crazy economics recently https://scrapeops.io/web-scraping-playbook/residential-mobil...
The profit margins are insane, easily over 99% profit on millions in revenue.
Are they reselling that bandwidth, mining my data, monitoring my traffic, or all of the above?
Check us out at https://spur.us
Very interesting service, but sadly I cannot sign up for a trial, due to not possessing a US telephone number, which for some reason is required. That said I am a researcher at an Internet measurement and security group. Any chances for a cooperation?
You say it yourself:
> Residential proxies can be impossible to detect.
The appeal of residential proxies is that the traffic comes from legitimate user networks. So how do you detect malicious usage there?
Moreover, it must be a game of whack-a-mole to keep your lists updated, as these services pop up all the time.
Honestly, for assessing risk of individual users, my worry is that the only good option right now is to use tools that require lots of data on the user, like recaptcha v3. You could set up a honeypot that tries to catch as many IP addresses implicated in proxy activity as possible. Maybe that second one would be a good company idea.
1. SEON: https://seon.io/
2.IPQS: https://www.ipqualityscore.com/
As I explained to my colleagues, I wouldn't be able to determine, with confidence, which of the services were 100% legit, and which weren't. We didn't want to accidentally get involved with questionably-obtained residential IPs, etc. That would've been antithetical to our business, and also just not how we operate in general.
(The startup provided solutions in the supply chain integrity space. Part of the technology included bespoke Web scraping, to monitor certain venues for naughtiness scale and patterns over time. Because venues were around the world, and because venues had complicating incentives regarding some of the questionable third-party activity in the venue... I wanted the delicate scraping to look similar to normal consumer users who were in the geopolitical region served by the venue. Instead of a residential IP service, I used an (undisclosed) different, impeccable approach, which won't work for all use cases, but did for ours.)
3G/LTE because all mobile providers use CG-NAT?
(I also discovered that my old DSL ISP accepted its dialup provider's credentials for PPPoE). Best part about PPPoE is that you can run multiple sessions over the same line/modem.
> What's the current status?
> We’re working hard to release v1.0 in July.
Hopefully they are close to release.
I would love to see someone start a Windows app store that's based on domain validated code signing. Domains are better trust indicators than business names IMO.
I don’t know that’s what happened here, but it sounds like some of the installs were PPI, so I wouldn’t be surprised. That basically means anyone who can figure out how to bundle the software with an artifact can distribute it. A long time ago, and probably today too, people used to crack popular programs, bundle some adware into them, and then seed the torrent. The user is already committed to circumventing security checks and entering strange commands, so I can imagine how they might end up installing some bonus executables in the process.
And that is IMHO a good thing. The alternative is a world where no one has any freedom.
They're different things.
There was a time I had a very Stallman view on software. Now I think my views are that having closed source devices, where security is managed by 'trusted' third parties, is absolutely fine for people who don't care. However, there should always be a choice for those who do want to exercise their freedom, and typically those who care about their digital freedoms will be technical enough to manage their devices responsibly. Clearly though in the mobile market in particular we're very far away from realising this.
But to use that car analogy, in my country it is a legal requirement to have your car undergo a safety check every year for cars older than a certain age. That is very analogous to installing software updates in my opinion, and yet we don't enforce legal requirements to install updates on personal devices.
Scraping is legal.
Attempting to block it is a grey area.
Among their reasons they list that it's a "huge challenge" to manually vet traffic to detect malicious usage. They've been online for two years and only now determined that this would be a challenge?
And then blame a hacker of manipulating user balances and data loss. Please.
This sounds like incompetence on their side to keep their shady business under wraps, and now that it's been made public, they're shutting down to re-brand and launch a "new" service with the same backend. Any one of their "competitors" could actually just be them.