65 comments

[ 2.4 ms ] story [ 149 ms ] thread
It took me longer than it should to realize we were not talking about a service to place proxy calls to 911 (emergency dispatch) but a service called "911" that sells proxy accounts.
Not wearing my glasses I misread it as 911 Porsche Service :-)
Same here, I have used third party 911 services for enterprise VoIP in the past.
(comment deleted)
Great. Now can we shutdown HolaVPN and their primary reseller Luminati/BrightData? It’s all backdoored residential proxies just like 911.re
>Hola is a freemium web and mobile application...

When the service is free, you are the product.

Yeah, but you can pay to be the product, too.
The problem is their proxy backdoor thing is part of an SDK used by other applications/games/etc., both free and paid.
I mentioned this SDK, EarnApp, in my other comment. I am a shady web scraper that uses these services when necessary. The real answer is, STOP USING IP addresses for reputation scanning. With ipv4 exhaustion and CGN, this is an inevitable outcome anyways.
according to Hola tos you agree to make your device a proxy accessible to everyone else using the service
Bright Data operates a service where you agree to allow your network to be used in their proxy system. In return, they give you a small amount of money per gigabyte of traffic. https://earnapp.com/
This sounds too good to be true.
There is a community of people who use these passive income apps for some pocket money. It's not too good to be true, but they pay you so little compared to how much they make from you. For example, they pay $0.60/GB for united states traffic, and charge approx $15.00/GB for residential proxy use on the Bright Data network.
(comment deleted)
The ethics of these free VPNs and hidden proxy SDKs are very questionable. But they are crazy profitable for the proxy providers running them so unlikely to go away.

Did a teardown on their crazy economics recently https://scrapeops.io/web-scraping-playbook/residential-mobil...

The profit margins are insane, easily over 99% profit on millions in revenue.

In my new house, Xfinity offers huge discounts if you let them manage the network.

Are they reselling that bandwidth, mining my data, monitoring my traffic, or all of the above?

For the unprepared this is a website commonly used by credit card fraudsters to imitate an IP address close to the card's address
Google "residential proxies for sale" for the tip of a shit laden shady black market iceberg
Also called sneaker proxies. Why? Used to bypass restrictions or limits on buying sneakers/shoes online.
Does anyone know of a service that can be used to determine whether an IP has been associated/used by one of these proxy services? It would benefit my company to be able to detect these types of fraudsters
since these proxy services are created by hijacking legitimate users' computers and internet connections, I would imagine any such list would be quickly out of date. Based on their marketing information, at least hundreds of new computers were added to their network each day.
Hi! Here at Spur, this is our mission exactly. As another commenter correctly noted, proxy endpoint data - especially those of residential or "callback" proxies like 911 - is highly ephemeral. Our company provides near-real time tracking for many residential & datacenter proxy services, as well as VPNs.

Check us out at https://spur.us

Hi!

Very interesting service, but sadly I cannot sign up for a trial, due to not possessing a US telephone number, which for some reason is required. That said I am a researcher at an Internet measurement and security group. Any chances for a cooperation?

Hey there, thanks for your interest. Email us at support + our domain and we can get you set up.
You don't really explain it in your marketing copy, but how do you detect residential proxies?

You say it yourself:

> Residential proxies can be impossible to detect.

The appeal of residential proxies is that the traffic comes from legitimate user networks. So how do you detect malicious usage there?

Moreover, it must be a game of whack-a-mole to keep your lists updated, as these services pop up all the time.

My first thought is, "Why would it benefit your company, unless you were dealing with payments directly?," and then I read your comment history and it all makes sense now, haha.

Honestly, for assessing risk of individual users, my worry is that the only good option right now is to use tools that require lots of data on the user, like recaptcha v3. You could set up a honeypot that tries to catch as many IP addresses implicated in proxy activity as possible. Maybe that second one would be a good company idea.

The whole point of these services is to buy proxies that are not on a list.
Thanks for the info. I don't know the full story behind any particular residential IP proxy service, but I'd previously decided not to use any of them for a startup's purposes.

As I explained to my colleagues, I wouldn't be able to determine, with confidence, which of the services were 100% legit, and which weren't. We didn't want to accidentally get involved with questionably-obtained residential IPs, etc. That would've been antithetical to our business, and also just not how we operate in general.

(The startup provided solutions in the supply chain integrity space. Part of the technology included bespoke Web scraping, to monitor certain venues for naughtiness scale and patterns over time. Because venues were around the world, and because venues had complicating incentives regarding some of the questionable third-party activity in the venue... I wanted the delicate scraping to look similar to normal consumer users who were in the geopolitical region served by the venue. Instead of a residential IP service, I used an (undisclosed) different, impeccable approach, which won't work for all use cases, but did for ours.)

> Instead of a residential IP service, I used an (undisclosed) different, impeccable approach, which won't work for all use cases, but did for ours

3G/LTE because all mobile providers use CG-NAT?

(I also discovered that my old DSL ISP accepted its dialup provider's credentials for PPPoE). Best part about PPPoE is that you can run multiple sessions over the same line/modem.

Does anyone know how this software passed Microsoft smartscreen and typical antivirus apps? As someone distributing legitimate software on Windows, I feel like I was heavily scrutinized and getting code signing certs was a real pain, and costly. What's the purpose if it can't even weed out crap like this?
Smartscreen has always been a joke.
I hoped with Lets Encrypt we were past the days of paying for cryptographic signatures, but Microsoft is keeping the legacy alive
AFAIK Lets Encrypt does not provide free code-signing certificates, but I did hear of a group that was trying to do that. Can't recall the name right now.
This one maybe? https://www.sigstore.dev/

> What's the current status?

> We’re working hard to release v1.0 in July.

Hopefully they are close to release.

It's an absolute sham and Microsoft is using their market dominance to give us a worse product for more money.

I would love to see someone start a Windows app store that's based on domain validated code signing. Domains are better trust indicators than business names IMO.

They probably just tell the user to bypass the prompts. For example, my college roommate went to great lengths to install what he thought was a Pokémon blue emulator on his laptop. All the security checks in the world won’t protect a user determined to silence them.

I don’t know that’s what happened here, but it sounds like some of the installs were PPI, so I wouldn’t be surprised. That basically means anyone who can figure out how to bundle the software with an artifact can distribute it. A long time ago, and probably today too, people used to crack popular programs, bundle some adware into them, and then seed the torrent. The user is already committed to circumventing security checks and entering strange commands, so I can imagine how they might end up installing some bonus executables in the process.

All the security checks in the world won’t protect a user determined to silence them.

And that is IMHO a good thing. The alternative is a world where no one has any freedom.

Just to play devil's advocate, what about situations where someone's freedom to use software encroaches on others? For example, what if a user uses those freedoms to install malware that adds their machine to a botnet?
Same as freedom to put poison in your own food vs poison in someone else's food.

They're different things.

Everything you do in this world "enroaches on others" to some extent. One of the core tenets of freedom, at least in the West, is that we need to allow a certain amount of that and consider the fact that people will not always do what you want as a necessary condition for freedom to exist.
Yes exactly, the point I guess I was arguing with is how you define 'a certain amount' of freedom. Freedom is clearly not absolute in the real world so why should it be absolute in the digital one? Particularly when the overwhelming majority of 'normal' people do not care about the basics of digital hygiene and security.

There was a time I had a very Stallman view on software. Now I think my views are that having closed source devices, where security is managed by 'trusted' third parties, is absolutely fine for people who don't care. However, there should always be a choice for those who do want to exercise their freedom, and typically those who care about their digital freedoms will be technical enough to manage their devices responsibly. Clearly though in the mobile market in particular we're very far away from realising this.

Consider that it's illegal to drive a car without working headlights or taillights, but cars aren't required to disable themselves if they detect a lightbulb is burned out.
I'm not sure I understand your analogy. My thoughts were along the lines of users unintentionally installing malware which inflicts harm onto others, or say refusing to install software updates 'because it works' which in turn puts others at risk.

But to use that car analogy, in my country it is a legal requirement to have your car undergo a safety check every year for cars older than a certain age. That is very analogous to installing software updates in my opinion, and yet we don't enforce legal requirements to install updates on personal devices.

I guess my point is that if you want to break the law, things that you own shouldn't prevent you from doing so.
Does anyone have any recommendations for legit companies that provide proxies from ASNs not marked as datacenter/proxy? I need some for web scraping, but all the ones I've found so far seem super shady...
brightdata, scraperapi
No you don't.
Exactly my thinking as well. If you have to do some sort of shady shit to get what you need done, then maybe you're doing shady shit yourself.
Web scraping is legal and legitimate.
web scraping is fine, but when you start to go around blocks the site owners are putting up to prevent it, it starts to get blurrier
Oddly, no, not really.

Scraping is legal.

Attempting to block it is a grey area.

(comment deleted)
It sounds like you're looking for a not shady supplier for a service that is itself shady. That sounds tricky.
This disclosure sounds super shady itself.

Among their reasons they list that it's a "huge challenge" to manually vet traffic to detect malicious usage. They've been online for two years and only now determined that this would be a challenge?

And then blame a hacker of manipulating user balances and data loss. Please.

This sounds like incompetence on their side to keep their shady business under wraps, and now that it's been made public, they're shutting down to re-brand and launch a "new" service with the same backend. Any one of their "competitors" could actually just be them.