What is IP Masking? How Bots and Fraudsters Hide Their Identity Online
Jeffrey Edwards
|Cyber Risks & Threats | December 15, 2022
If you have implemented multiple security checks to fend off invalid website traffic but are still plagued by fraudulent clicks — you’re not alone.
Many bad actors circumvent these measures by using IP masking techniques to disguise their identities, pose as harmless traffic from unsuspicious sources, and mimic the behaviors of legitimate visitors.
Here’s what you need to know about IP masking and how to identify and protect yourself from such fraudulent traffic.
What is an IP Address?
IP stands for internet protocol, which transmits data across the internet. Each device connected to the internet has a unique IP address to enable two-way communication between clients (e.g., a web browser) that ask for data and servers that respond to the requests.
The IP address tells the server who makes the request and where to send the information. These activities are often tracked for various purposes, such as informing online ad targeting to help marketers deliver the most relevant content to people with high purchase intent.
An IP address also works as a unique identifier, like a fingerprint. It can help authorities track down the source of malicious activities in a cyberforensic investigation. As such, fraudsters and malicious bots often use IP masking techniques to evade detection.
What is IP Masking?
IP masking hides or replaces an IP address with a different one. It enables users to preserve anonymity, making it harder to identify their locations or associate their identities with their web activities.
Why Do Users Mask Their IP Addresses?
There are many legitimate reasons for web users to mask their IP addresses — primarily to preserve privacy and anonymity:
- Keep physical addresses private
- Stop companies from collecting personal data
- Prevent Internet Service Providers (ISP) from tracking their online activities
- Keep online search history private
- Avoid malicious or intrusive ads
- Subvert censorship and geo-blocking to access restricted or copyright-blocked content in certain countries
Why Do Bots and Bad Actors Mask Their IP Addresses?
Fraudsters abuse IP masking to hide their identities when conducting illegal activities, such as ad fraud, form jacking, and web scraping, by mimicking the behaviors of legitimate site visitors to evade security checks.
Bad actors change the IP address of traffic from click farms and botnets to make it look like the clicks are coming from multiple sources instead of a single location. They also alter their IP addresses to regions with higher PPC costs to achieve a higher reward for fraud.
Additionally, criminals can use IP masking to circumvent IP blocking or filtering to carry out a distributed denial-of-service (DDoS) attack against websites to create massive service disruptions.
How Bots and Fraudsters Mask Their IP Addresses
Bad actors can apply various techniques to mask their IP addresses. Here are some common methods:
Residential Proxy Networks
These proxy networks contain real IP addresses from ISPs and are associated with less suspicious physical locations. Fraudsters route their traffic through proxy servers to disguise visits and clicks from their bots as legitimate traffic.
Virtual Private Networks (VPNs)
A VPN creates a virtual location with a new, unique IP address every time it’s activated. It can make internet traffic appear to originate from different geographic locations by routing it through a global network of servers.
Click farms or botnets often set up VPNs to send bulk clicks. CHEQ For PPC analyzed billions of impressions and found that 21% of invalid clicks involve location obfuscation.
Botnets
Fraudsters can control random, geographically dispersed devices by infecting them with malware without the owners’ knowledge. Then, they route traffic through these devices to mask their locations and identities.
Since the traffic comes from individual IP addresses that aren’t suspicious in and of themselves, it’s much harder to stop these fraudulent activities. Plus, even if you block one of the IP addresses, fraudsters have thousands more they can exploit.
TOR and Anonymous Browsers
Tor is a free network that conceals the identity and origin of a web user by using multiple relay nodes. Each node only knows the IP addresses before and after it. Even if the traffic is intercepted, parsing through the data to uncover the originating IP address will be very challenging.
How to Detect IP-Masked Traffic
For marketers, ad fraud is the biggest headache caused by IP masking. Fraudsters can reroute traffic from click farms and botnets to mimic legitimate clicks. They can also make the clicks appear to come from locales with higher PPC costs (e.g., North America or Europe) to deplete the victim’s ad budget.
Here’s how to detect IP-masked traffic:
Monitor Site Traffic
The first step to fighting IP-masked traffic is to track domains accessing your site. Your site or ad campaigns may be targeted if you see many clicks coming from suspicious locations. You can analyze your server log to uncover and block suspicious IP addresses.
Use Multiple Identifiers
However, relying solely on IP addresses to identify invalid traffic could cause you to block good traffic along with the bad while missing fraudsters who use botnets or rapidly-changing IP addresses to carry out their attacks.
To one-up these bad actors, you must analyze numerous data points and use multiple identifiers such as device ID, browser type, and behavioral patterns to uncover fraudulent traffic.
Inspect Packet Headers for Suspicious Data
Packet headers that contain data on a packet’s contents, origin, and destination allow you to dig deeper into the technical aspect to find corroborating information, such as the browser type/version and OS associated with a request.
For example, if you see numerous requests from the same IP address with different browsers or OSs, the IP address is likely a proxy. You can further analyze users from that IP address to look for telltale signs like outdated browsers to avoid blocking legitimate traffic.
Look for Misrepresentation
You can take the sleuthing further to see if users deliberately misrepresent themselves. Those with malicious intent often falsify their data, and the insights can help you distinguish them from privacy-conscious visitors using VPNs.
For instance, if a request claims to be from a mobile device, but the packet header shows browser extensions (which don’t exist for mobile devices,) it’d be safe to conclude that the user is falsifying some of the data — and more likely to be carrying out fraudulent activities.
Consider Comprehensive Go-to-Market Security
If the above seems like a heavy lift–that’s because it is. Manually mitigation is possible, to a certain extent, but it’s extremely time-consuming, even when leveraging external proxy blocklists and tracking scripts to identify bad traffic.
For businesses serious about security, a comprehensive go-to-market security platform will help automatically detect and block invalid traffic and provide additional insight into marketing analytics.
Our platform, CHEQ, leverages thousands of security challenges to evaluate site traffic in real-time, determine whether a visitor is legitimate, suspicious, or invalid, and take appropriate action to block or redirect that user. Book a demo to see how CHEQ can help you lower your CPA and protect your go-to-market efforts.