The Many Ways IP Address Manipulation Enables Fraud

Socure
The Socure Technology Blog
11 min read · Jun 28, 2023


Understanding the basic building blocks of Internet Protocol (IP) can help shed light on patterns of behavior observed among identity fraudsters. Fraud analysts, investigators, and analytics teams can make important determinations about users on the platforms they govern using tools and technology that analyze IP addresses, whether it be at onboarding or after the account is opened. To put the bottom line up front: fraudsters, like everyone else, use devices that connect to the Internet. Those devices rely on IP addresses, and those addresses can tell us a lot about a device.

A Model for the Internet

In terms of modern technology, it might surprise people to learn that IP technology is fairly old. A Protocol for Packet Network Intercommunication, a 1974 paper penned by two venerable “godfathers” of the internet, Vinton Cerf and Robert Kahn, describes a “packet communication network” as a “transportation mechanism for delivering data between computers or between computers and terminals.” In roughly 12 pages, Cerf and Kahn describe “a simple but very powerful and flexible protocol which provides for variation in individual network packet sizes, transmission failures, sequencing, flow control, and the creation and destruction of process-to-process associations.”

Their model gave rise to the internet we know and love today. Funded by the Department of Defense’s Defense Advanced Research Projects Agency (DARPA), IP became part of a suite of protocols which govern the modern internet to this day. The first three versions of IP were experimental, and were built from 1973 to 1978. IPv4 became the modern IP address standard we see attached to devices and networks. Despite having competing and proprietary protocols, early tech industry behemoths — including IBM and AT&T — were the first to adopt this protocol. IPv6 has been in development since the mid 2000s and now occasionally surfaces on newer devices. For fraud investigators, IP addresses present a potential goldmine of relevant information.

If you’re wondering what happened to IPv5, you’re not alone. While a protocol with the designation “5” does exist, it was renamed as the Internet Stream Protocol, and had to do specifically with video and audio streaming. An experimental protocol, Internet Stream was never actually implemented. This is why the official versions of Internet Protocol skip from 4 to 6.

Drilling down into the more relevant specifics, an IP address is a numerical label, used for identifying and addressing any computer network that uses IP for communication. Initially, in IPv4, these numerical labels were relatively simple, consisting of a 32-bit number (four 8-bit numbers in a row, separated by periods, e.g. “192.168.0.1”, the most common IP address). However, all unique IP addresses on IPv4 were estimated to have been completely depleted in 2011. Some IP addresses are designated for private networks, and are not globally unique, but rather shared, and often limited to use by military, government, or infrastructure networks with corresponding high security requirements. For example, the IP “192.168.0.1” is so ubiquitous because it is the default IP for setup and configuration on most home wi-fi routers and internet modems.

How Fraudsters Try to Outrun IP Data

Smart fraudsters know that their IP address is visible, creating a clear motivation for them to obfuscate their IP address by way of manipulating the address. With custom solutions, IP manipulation is endlessly complex and configurable. However, the majority of fraudsters use paid or open-source services and tools, such as VPNs, TOR, and SIM-swapping to manipulate their IP information. The different methods that fraudsters use to manipulate their IP addresses vary in levels of risk, difficulty, and effectiveness, but their end goal is the same — another layer of deception, another facet of a false persona.

The Most Common Tool for Manipulation

Perhaps the most common tool for manipulation is the Virtual Private Network or VPN. Many consumers use VPNs for personal security and privacy on the internet, as it provides an additional layer between client requests and server responses. However, like most technologies, VPNs offer different solutions based on intent, not on usage. Some are more reputable and reliable than others, and the available services vary widely in terms of configurability and customization. For example, some VPNs offer the ability to switch the country from which the user’s end-traffic is visible. While often used to dodge availability concerns on streaming sites and other mundane consumer purposes, a fraudster could use this functionality to their advantage by manipulating their IP into showing they are in a different location, thus deceiving screening tools and investigators.

VPN users also have access to features that disguise the fact that they are using a VPN in the first place. This is obviously an alluring feature for fraudsters, although analytics tools are improving the ability to identify VPNs. Some VPNs may also have features that completely obscure any useful information about the IP address. This is done by making the address appear to belong to a data center or content-delivery network. As one of the more well-worn methods, VPNs are well understood and easily detected, allowing analysts and investigators with the right tools to make smart decisions about the users and accounts they service and protect. Fraud fighters should take care to examine which VPN provider their tools indicate, and evaluate the risk accordingly.

When IP Address Manipulation Raises Red Flags

There is an even darker side to IP manipulation, however. One of the riskier methods used to manipulate IP is known as the Dark Web. It’s called that for a reason: without specialized browsers and other software, the Dark Web is invisible to the average internet user. It is known more specifically as The Onion Router or TOR, a free and open-source software that enables browsing the web anonymously. Using a volunteer-based network of user-hosted “nodes” (think of a node as something akin to a virtual door), a TOR user passes their IP address through many layers of networks and hosts, hence “the onion.” The user then browses and interacts with the web, not with their own IP, but with a TOR “exit node” — the last portal in the chain. TOR gives a user access to sites that are inaccessible from a conventional IP address or even a VPN.

It’s also “dark” in another sense: nefarious activities commonly observed on the Dark Web range from illicit drugs to human trafficking, and more. TOR exit nodes are easily detected by most tools that are used to analyze IP addresses, and many institutions and organizations bar the gates of entry entirely to anyone detected on a TOR exit node.

TOR is most-often used for illicit purposes apart from financial fraud or identity theft, but can occasionally rear its ugly head during identity investigations. An otherwise normal and productive relationship with a customer who is suddenly observed using a TOR exit node can often result in a warning, or a check-up on that user to resolve concerns of account takeover. At onboarding, and for otherwise suspicious or risky account activity, TOR use may be cause for adverse action.

Many of Socure’s customers seem to be aware of the risk associated with allowing users to access their platforms from TOR, because only a tiny fraction of a percent (0.000004%) of all traffic coming through Socure’s product suite is observed using TOR. From my own time as a fraud analyst at a Socure customer organization, I know that TOR use was grounds for auto-denial on any new application, as a matter of organizational policy. Users who were already onboarded and booked would receive a single warning for TOR use as a courtesy; but any additional TOR usage would result in adverse action, typically termination of services for that individual consumer. This is usually something that digital firms in particular will include as a part of their user agreement.

Using IP Addresses to Identify Device Characteristics

As previously mentioned, some IP addresses are designated for private purposes. These are often related to government or internet traffic that requires heavy security. Applicants transacting from a military base or from within a government building may show signs of a private secured network that has no designated location. These are of minimal concern to an investigator, but still warrant a second look at the overall identity presented to check for other contextual clues and risk factors.

Even conventional, un-manipulated IP addresses can tell us a lot about device characteristics and behaviors. For example, SIM-swapping, a hallmark of romance scams, can change the IP address characteristics of a mobile device, and make scammers easy to spot. Some regions, and even some specific internet service providers, are known to be laden with a high volume of spam and scam traffic. One notable example is Nigeria, where SIM-swapping and romance scams are rampant. An IP address from Nigeria on an otherwise normal account or profile is an indicator of fraud, most likely an account takeover — the most common end goal of a romance scam.

Socure and IP Address

I was able to get some IP address insights from Jonas Cuadrado, Lead Data Scientist at Socure. Jonas analyzes potentially anomalous behavior to help identify and alert customers about potential fraud attacks. Certain identity and device characteristics, individually and on a macro-scale, impact the designated levels of risk. While Jonas confirmed that phone and email remain generally the strongest predictors for most outcomes, on a macro scale, IP addresses can provide valuable risk-screening indicators for large swaths of data. This enables Socure to help our customers avoid massive fraud-related financial losses by enabling them to react quickly.

Jonas told me about another intriguing area of IP manipulation: subnets and subnet masks. According to IPXO, subnetting serves a number of purposes, from giving administrators more control over their networks and improving their networks’ performance, to boosting security and using IP addresses more efficiently.

Like many other methods and styles of IP address manipulation, subnetting is not solely used to commit fraud, but is also a legitimate way of managing how one’s devices interact with the internet. Spiceworks gives an excellent set of examples, analogies, and explanations (see the references) to provide further clarification and technical specifics on subnet masking, but you can essentially think of it as separating an IP address into its key components: the network it belongs to and the individual device on that network. To paraphrase an example from the article, imagine sending a letter to your friend who works in an office building, but you don’t know which floor, which cubicle, etc. — you just know the address of the building, and your friend’s name. The letter will still get to them. You can think of subnet masking as a way of internally managing and operating different devices on a given network.

With subnetting, it is also possible to create private networks and relays that exist alongside the Internet and use the same networks, but are not generally accessible to the public unless credentials and private addresses are leaked. This is what makes it essential to have some basic knowledge of network and information security before attempting to set up complex private networks and relays.
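The following worked example is added here and is not part of the original post or of Socure’s tooling. It makes concrete the 32-bit, four-octet structure described earlier and the split a subnet mask performs between the network part and the device (host) part of an address, and it flags private addresses, which carry no usable location for an investigator. The addresses other than the page’s own 192.168.0.1 are constructed for illustration.

```python
"""Split IPv4 addresses into network and host parts with a subnet mask.

Added example, not Socure's code. Sample addresses below are constructed.
"""
import ipaddress


def to_int(addr: str) -> int:
    """Pack a dotted-quad IPv4 string into one 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in octets:
        n = int(part)  # raises ValueError on an empty or non-numeric octet
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {part!r}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """/24 -> 0xFFFFFF00: the top prefix_len bits select the network."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def split_address(addr: str, prefix_len: int) -> dict:
    """Return the network and host components plus an RFC 1918 private flag.

    A private address is shared rather than globally unique, so any
    geolocation of it is meaningless for an investigator.
    """
    value = to_int(addr)
    mask = prefix_to_mask(prefix_len)
    return {
        "network": to_dotted(value & mask),
        "mask": to_dotted(mask),
        "host_bits": value & ~mask & 0xFFFFFFFF,
        "private": ipaddress.IPv4Address(addr).is_private,
    }


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """True when both addresses share the network bits under the mask."""
    mask = prefix_to_mask(prefix_len)
    return (to_int(a) & mask) == (to_int(b) & mask)


if __name__ == "__main__":
    for sample in ("192.168.0.1", "192.168.0.77", "8.8.8.8"):
        print(sample, split_address(sample, 24))
    print(same_subnet("192.168.0.1", "192.168.0.77", 24))  # True
    print(same_subnet("192.168.0.1", "192.168.1.77", 24))  # False
```

Note that a truncated label such as “192.168.0.” is rejected by `to_int`, which is the kind of input validation an IP lookup tool should perform before any reputation check.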

Like many features of IP manipulation, subnet masking is a tool, and tools in benign hands with good intentions can do great things. On the other hand, imagine this configurability and network control in the hands of a person who is connected with the underworld of synthetic identity fraud, and potentially even criminal activity; a person who has access to TOR, knows how to set up their own server gear, and has access to knowledge on committing fraud for a living. With illicit bulk files and data, and the knowledge on how to manipulate the specifics of each device on their sophisticated and complex networks to stay hidden, skilled fraudsters can transact and otherwise interact with the Internet to an extreme degree of volume and velocity.

People in this position can do a tremendous amount of financial damage, quickly and efficiently; not only to Socure’s customer organizations, but also to large numbers of individual consumers, whose credit may be negatively impacted from a false association, or even a blatant identity theft. If we as fraud investigators can better understand and recognize risk indicators related to IP manipulation, we can position consumers to better trust the solutions and services on offer with less friction, and stay a step ahead of the fraudsters.

IP Addresses in Fraud Investigations

For a fraud investigator or analyst, even the most basic familiarity with IP addresses and the various methods of IP manipulation can make or break an investigation. In addition to our IP address analysis tools provided by proprietary third-party intelligence vendors, there are open source tools available for analyzing IP addresses. Some notable examples include whatismyipaddress.com and ip-lookup.net. Many of these lookup tools and websites also contain blogs and other resources related to internet security and privacy, general current events in tech, and noteworthy security incidents such as data breaches and vulnerabilities.

Analysts and investigators should always consider the pros, cons, and tradeoffs for underlying sources of information and investigative tools. With the right resources, investigators and analysts can make informed decisions about their users and customers, from onboarding all the way through booked accounts.

How Socure Can Help

Socure uses fraud performance data from our customers tied to incoming application signals, including IP address and its relation to the potential riskiness of an identity, in our machine learning Sigma models. Socure tests IP address-related signals, along with over 15,000 additional identity and behavioral signals when we redevelop our Sigma Identity Fraud, Sigma Synthetic and Sigma Email, Phone and Address RiskScores. To stay in sync with bad actors and their changing fraud patterns, Socure updates and makes the newest versions of our Sigma models available to our customers several times a year.

We also continuously monitor our customers’ transaction flows on a real-time basis to identify and suggest short-term strategies to overcome any potential fraud attacks.

IP addresses are a valuable signal in the fight to eradicate fraud. Ready to get started? Schedule time with our team here to learn how Socure can help you fight fraud.

Author: Patrick Pickett, Fraud Investigator at Socure

References:

  1. A Protocol for Packet Network Intercommunication — Cerf, Vinton G. and Kahn, Robert E. — https://www.cs.princeton.edu/courses/archive/fall06/cos561/papers/cerf74.pdf
  2. What Is a VPN? — Virtual Private Network — Cisco blog post — https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html
  3. Tor: An Anonymous, And Controversial, Way to Web-Surf — Fowler, Geoffrey A. — Wall Street Journal article — https://www.wsj.com/articles/SB10001424127887324677204578185382377144280
  4. List of assigned /8 IPv4 address blocks — Wikipedia article — https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks
  5. SIM Card Swapping Takes Cellphone Hacking To A New Level — Wang, Deborah — NPR article — https://www.wbur.org/hereandnow/2019/08/26/sim-swapping-cell-phone-hacking
  6. What Is My IP Address — https://whatismyipaddress.com
  7. IP Lookup — https://ip-lookup.net
  8. Free Pool of IPv4 Address Space Depleted — Smith, Lucie and Lipner, Ian — NRO article — https://www.nro.net/ipv4-free-pool-depleted
  9. 7 Top Open Source IP Address Management Software — Codeable Magazine blog post — https://codeablemagazine.com/open-source-ip-address-management-software.html
  10. IP Addresses — WhatIsMyIPAddress blog section — https://whatismyipaddress.com/learning/ip-addresses
  11. What an IP Address Can Reveal About You — The Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2013/ip_201305/
  12. Find Your Public IP Address — WebNots tool/resource — https://www.webnots.com/seo-tools/find-my-ip-address
  13. What Is 192.168.0.1, and Why Is It The Default IP Address for Most Routers? — Butler, Sydney — HelpDeskGeek blog, 11/19/2021 — https://helpdeskgeek.com/networking/what-is-192-168-0-1-and-why-is-it-the-default-ip-address-for-most-routers/
  14. First Came IPv4… — https://www.ipxo.com/blog/what-happened-to-ipv5/#:~:text=Here's%20the%20kicker%20%E2%80%93%20IPv5%20never,Internet%20Stream%20Protocol%20(ST).
  15. What Is a Subnet Mask? Definition, Working, and Benefits — Spiceworks article — https://www.spiceworks.com/tech/networking/articles/what-is-subnet-mask/#:~:text=Subnet%20masks%20determine%20the%20network,an%20IP%20network%20upon%20subnetting.&text=A%20subnet%20mask%20is%20defined,device%20operating%20on%20that%20network.
