Old 05-29-2014, 04:44 PM   #1
iSpyCams
Amateur Gynecologist
 
Industry Role:
Join Date: May 2009
Location: Medellin
Posts: 4,436
Is this an ISP or a proxy server?

I noticed some transactions coming from a specific IP address range. Generally I find that joins originating from static corporate IP addresses are frequently fraud; however, this company seems kind of new, and there are quite a few transactions originating from seemingly unrelated affiliates and unrelated customers.

The IPs are in the 173.209.x.x range; one such is 173.209.211.145

I am showing this as Hosted Data Solutions, LLC and Syniverse Technologies, LLC.

Upon closer inspection it appears this may be Windstream which has been growing lately.

Does anyone know for sure if this is an ISP or a proxy server?
__________________
- As soon as I think up a good sig it's going here.
Old 05-29-2014, 05:00 PM   #2
TROLLENSTEIN
Server Monkey
 
Industry Role:
Join Date: May 2013
Location: Europe.
Posts: 164
It is a Proxy. This IP is infected (or NATting for a computer that is infected) with the Conficker A or Conficker B botnet.
Old 05-29-2014, 05:44 PM   #3
iSpyCams
Quote:
Originally Posted by TROLLENSTEIN View Post
It is a Proxy. This IP is infected (or NATting for a computer that is infected) with the Conficker A or Conficker B botnet.
ok, how can you tell?
__________________
- As soon as I think up a good sig it's going here.
Old 05-29-2014, 05:59 PM   #4
TROLLENSTEIN
If I get asked to check a suspicious IP I check CBL first.
Old 05-29-2014, 06:23 PM   #5
iSpyCams
OK but if it's an IP that an ISP shares between a lot of customers then there's a high chance that one or two of those many customers are infected and it doesn't mean the join is fraud necessarily, right?
__________________
- As soon as I think up a good sig it's going here.
Old 05-29-2014, 07:00 PM   #6
TROLLENSTEIN
True, an IP alone doesn't really prove anything and doesn't mean it is a 100% fraudulent join. However, that particular IP is flagged as Corporate (Company, Fixed location, Static, Not Shared) and acting as an open proxy that can be logged into from anywhere on the planet. Not many sensible businesses run open proxies with worldwide access and appear on CBL. I would certainly keep an eye on that join/customer if it was my site.
Old 05-29-2014, 07:23 PM   #7
iSpyCams
Quote:
Originally Posted by TROLLENSTEIN View Post
True, an IP alone doesn't really prove anything and doesn't mean it is a 100% fraudulent join. However, that particular IP is flagged as Corporate (Company, Fixed location, Static, Not Shared) and acting as an open proxy that can be logged into from anywhere on the planet. Not many sensible businesses run open proxies with worldwide access and appear on CBL. I would certainly keep an eye on that join/customer if it was my site.
It's not an open proxy, I am thinking maybe a cell phone tower or similar service. I am seeing these more and more in the US but most identify as belonging to AT&T, Cingular, recognizable companies like that.

I am analyzing the customer behavior onsite as I think that will tell the tale as to whether I am better off without this IP range or not. One curious thing is that around the middle of the month I blocked a number of popular prepaid gift cards that were being abused on my PPS Programs, and about that time joins from this range almost completely stopped. But that could still be a coincidence. A cell phone provider could have changed the way they handled mobile internet traffic, for example.
__________________
- As soon as I think up a good sig it's going here.
Old 05-29-2014, 07:52 PM   #8
Due
Confirmed User
 
Industry Role:
Join Date: Mar 2001
Location: Murrieta, CA
Posts: 3,620
Quote:
Originally Posted by pompousjohn View Post
It's not an open proxy, I am thinking maybe a cell phone tower or similar service. I am seeing these more and more in the US but most identify as belonging to AT&T, Cingular, recognizable companies like that.

I am analyzing the customer behavior onsite as I think that will tell the tale as to whether I am better off without this IP range or not. One curious thing is that around the middle of the month I blocked a number of popular prepaid gift cards that were being abused on my PPS Programs, and about that time joins from this range almost completely stopped. But that could still be a coincidence. A cell phone provider could have changed the way they handled mobile internet traffic, for example.
Could it be Wi-Fi hot spots? It's common that telecoms use "push to Wi-Fi" if you are near a hotspot to reduce the load on the mobile networks.
__________________
I buy plugs
Skype: Due_Global
/Due
Old 05-29-2014, 08:22 PM   #9
iSpyCams
Quote:
Originally Posted by Due View Post
Could it be Wi-Fi hot spots? It's common that telecoms use "push to Wi-Fi" if you are near a hotspot to reduce the load on the mobile networks.
I have already determined that these IPs are not "bad". There may be other issues, but so far there are no indications of fraud, other than these suspicious IPs which I am no longer suspicious of.

As I was informed on another board:

Windstream acquired Hosted Solutions and they are part of their business ISP. Windstream provides both business and residential internet. If you're seeing Hosted Solutions, those should more than likely be static IPs and it'll be a crap shoot figuring out if the others are static or dynamic under the Windstream name. The consumer class is definitely a dynamic IP.

Their abuse email is [email protected] (for both business and residential services)

Syniverse Technologies provides internet via CDMA (Verizon, Sprint) so it could be a cell phone or mobile data card. These IPs tend to be dynamic... but their abuse email is [email protected]

So bottom line, both ISPs. Highly unlikely that Syniverse and Windstream are proxies but Hosted Solutions COULD be.
__________________
- As soon as I think up a good sig it's going here.
Old 05-29-2014, 08:25 PM   #10
TROLLENSTEIN
Did your list contain:

We have all these flagged/banned as open proxies/botnet on Windows boxes, not mobile. Spikes in traffic* from this range on February 27th 2014, March 4th 2014, March 9th 2014, March 19th, March 18th, April 18th, April 28th 2014. If it is a business running a Cell/WiFi hotspot and their main box is compromised maybe anyone on their Windows laptop is being infected? But you mention mobile, so if the signup was made via mobile it could be something entirely different. Still, that entire IP range appears rooted and infected so it's banned/blocked.

*Could be more but only took a quick look at the stats.
Old 05-29-2014, 08:43 PM   #11
iSpyCams
It includes these 86 IP's after stripping duplicates.

23 successful joins out of 152 attempts. Not sure how meaningful that is since many tried multiple times (I only allow 3 attempts though - velocity declines are not considered here, I remove those when analyzing data since they skew the ratios). I am only looking at the last 30 days; I have some older history but I am not in my office and it's hard for me to crunch numbers on a small screen. I am not a database whiz so I do it in Excel. Clumsy I know but it gets the job done so far.

Of note is that the joins from these IPs performed VERY poorly in terms of conversion rates: only 3 out of 23 converted to full membership. Usually I get at least 35% conversion on trial joins, unless there is some monkey business going on.
__________________
- As soon as I think up a good sig it's going here.
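The per-range comparison described in the post above, as an added example that is not the poster's own spreadsheet or code: it groups join attempts by network, computes approval and trial-to-member conversion, and uses an exact binomial tail to ask how likely so few conversions would be at the 35% baseline. The row layout, the 5% threshold, and the control range are assumptions; the sample rows are constructed to reproduce the thread's totals (152 attempts, 23 joins, 3 conversions).

```python
import ipaddress
from collections import defaultdict
from math import comb

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of k or fewer conversions."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def summarize(joins, prefix_len=16, baseline=0.35, alpha=0.05):
    """Group (ip, approved, converted) rows by network and flag ranges whose
    conversion count is improbably low for the baseline conversion rate."""
    stats = defaultdict(lambda: {"attempts": 0, "joins": 0, "converted": 0})
    for ip, approved, converted in joins:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        s = stats[str(net)]
        s["attempts"] += 1
        s["joins"] += int(approved)
        s["converted"] += int(approved and converted)
    for s in stats.values():
        n, k = s["joins"], s["converted"]
        s["approval_rate"] = n / s["attempts"]
        # With no approved joins there is nothing to test, so do not flag.
        s["p_value"] = binom_cdf(k, n, baseline) if n else 1.0
        s["flag"] = s["p_value"] < alpha
    return dict(stats)

def constructed_sample():
    """Constructed rows, not real transaction data."""
    rows = []
    # 173.209.x.x: 152 attempts, 23 approved, 3 converted (the thread's totals)
    for i in range(152):
        rows.append((f"173.209.{211 + i % 2}.{192 + i % 50}", i < 23, i < 3))
    # Control range (documentation addresses): 100 attempts, 60 joins, 21 converted
    for i in range(100):
        rows.append((f"198.51.100.{i + 1}", i < 60, i < 21))
    return rows

if __name__ == "__main__":
    for net, s in summarize(constructed_sample()).items():
        print(net, s)
```

A low p-value says the range converts worse than the baseline by more than chance would explain; it does not say why, so it is a reason to look at the joins, not proof of fraud.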
Old 05-29-2014, 08:51 PM   #12
TROLLENSTEIN
Quote:
Originally Posted by pompousjohn View Post
I am not a database whiz so I do it in Excel. Clumsy I know but it gets the job done so far.
Not clumsy at all, whatever works best for you is the best. And it is good to see you keep on top of things like this, I love people that do that.
Old 05-29-2014, 09:25 PM   #13
CPA-Rush
small trip to underworld
 
Industry Role:
Join Date: Mar 2012
Location: first gen intel 80386/nintendo-gb/arcade/ps1/internet person
Posts: 4,927
I have used the lookup service at whatismyipaddress, proxy not found
__________________

automatic exchange - paxum , bitcoin,pm, payza

. daizzzy signbucks caution will black-hat black-hat your traffic

ignored forever :zuzana designs
Old 05-30-2014, 05:42 AM   #14
FINESEC
Registered User
 
Industry Role:
Join Date: Nov 2012
Location: Warsaw
Posts: 59
You can check multiple RBLs here:
http://whatismyipaddress.com/blacklist-check
http://www.anti-abuse.org/multi-rbl-check/
__________________
http://SiteDefensor.com - secure authentication, password cracking and sharing prevention, site ripping protection
http://SiteCaptcha.com - free, secure and simple CAPTCHA solution
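What a CBL or multi-RBL check like the ones mentioned in this thread does underneath, as an added example that is not code from any poster or from the linked sites: a DNSBL lookup reverses the address, appends the list's zone, and reads the DNS answer (RFC 5782 layout). The zone name `cbl.abuseat.org` is given as an assumption, `dnsbl.example` is a hypothetical second list, and the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")      # RFC 5782: listings answer in 127/8
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # used by some operators for query errors

def dnsbl_query_name(ip, zone):
    """Build the name to look up: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """A record for `name`, or None if none came back (NXDOMAIN or a failed lookup)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_dnsbl(ip, zones, resolve=system_resolver):
    """Return {zone: 'listed' | 'not listed' | 'error'} for one client IP."""
    verdicts = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            verdicts[zone] = "not listed"
            continue
        code = ipaddress.ip_address(answer)
        if code in LISTED_NET and code not in ERROR_NET:
            verdicts[zone] = "listed"
        else:
            # The list refused the query (public resolver, rate limit) or the
            # zone is wildcarded; never count this as a listing.
            verdicts[zone] = "error"
    return verdicts

# Constructed answers standing in for real DNS; 192.0.2.x are documentation IPs.
FAKE_DNS = {
    "10.2.0.192.cbl.abuseat.org": "127.0.0.2",
    "10.2.0.192.dnsbl.example": "127.255.255.254",
}

if __name__ == "__main__":
    zones = ["cbl.abuseat.org", "dnsbl.example"]
    print(dnsbl_query_name("173.209.211.145", "cbl.abuseat.org"))
    print(check_dnsbl("192.0.2.10", zones, resolve=FAKE_DNS.get))
    print(check_dnsbl("192.0.2.11", zones, resolve=FAKE_DNS.get))
```

As discussed earlier in the thread, a listing describes the address and not the customer behind it, so on a shared or NAT address it is a signal to weigh with other evidence.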
Old 05-30-2014, 06:30 AM   #15
iSpyCams
Quote:
Originally Posted by rosx View Post
I have used the lookup service at whatismyipaddress, proxy not found
Whatismyipaddress.com seems to be better at detecting forum and email spam sources, I have heard black hat boards discussing ways to set up proxies so they are not detectable there, or haven't been flagged there yet, so proxies that are not flagged by whatismyipaddress.com seem to command a premium among scammers.
__________________
- As soon as I think up a good sig it's going here.
Old 05-30-2014, 06:36 AM   #16
iSpyCams
Quote:
Originally Posted by TROLLENSTEIN View Post
Did your list contain:

We have all these flagged/banned as open proxies/botnet on Windows boxes, not mobile. Spikes in traffic* from this range on February 27th 2014, March 4th 2014, March 9th 2014, March 19th, March 18th, April 18th, April 28th 2014. If it is a business running a Cell/WiFi hotspot and their main box is compromised maybe anyone on their Windows laptop is being infected? But you mention mobile, so if the signup was made via mobile it could be something entirely different. Still, that entire IP range appears rooted and infected so it's banned/blocked.

*Could be more but only took a quick look at the stats.
I am looking at data from the month of May primarily, and to the naked eye, after sorting by time/date stamp there aren't any visible spikes, variances seem to fall well within what could be natural coincidence and the entire month is covered more or less evenly; however, as I mentioned, since I banned some popular prepaid gift cards successful joins dropped sharply. (20 joins prior to May 17th, 3 after)

So at the moment if I had a theory about this being an intentional conspiracy I am thinking this could be a person or group who has a list of virtual cards and maybe a few stolen cards and runs it via botnet on PPS programs where the commission is higher than the signup cost. There seems to be a concentrated effort to lightly sprinkle these joins among other legitimate joins and across a variety of affiliate accounts so as to degrade but not destroy the profitability of the individual affiliate accounts. It's just a theory that will most likely be proven false or unlikely when I get back to my office Sunday and run more detailed reports.
__________________
- As soon as I think up a good sig it's going here.

Last edited by iSpyCams; 05-30-2014 at 06:42 AM..
Old 05-30-2014, 11:04 AM   #17
Spudstr
Confirmed User
 
Industry Role:
Join Date: Jan 2003
Location: In a Tater Patch
Posts: 2,321
https://isc.sans.edu/asreport.html?as=25934

known issue.
__________________
Managed Hosting - Colocation - Network Services
Yellow Fiber Networks
icq: 19876563
Old 05-30-2014, 11:16 AM   #18
bean-aid
So Fucking Banned
 
Industry Role:
Join Date: Jun 2011
Location: the land of woke sleuths
Posts: 16,493
Try that other board... they truly know their shit