Anonymous Proxy Hunting: When Bad Guys Don’t Leave You A Map To Their House (or, ‘An IP Address Is NOT an Internet Phone Number’)

Posted on 20 May 2012 by


“I’ll create a GUI Interface using Visual Basic so we can track the killer’s IP address.”

Let’s say some bad guys have stolen some credit card or bank account details and they’re using them to make a whole mess of online purchases. If they’ve got seven brain cells to rub together, they’re probably going to be using an anonymous proxy service to make the purchases. If they’ve got an IQ of 101 or greater, and if they’re not pathologically lazy, they’re going to anonymize traffic to the email accounts they use to manage the accounts they open on the Internet retailers, too.

Simply put, anonymous proxies make it appear that a person has accessed a site, say,, through, say, an IP address in Peru. This is done by the user accessing a site, server or service which, essentially, forwards the traffic as if it originated at the site, server or service and not at the computer the user is using. Do this a couple of times and it makes tracing these things hard. Use an anonymous proxy in another country and it makes getting a subpoena (in which we ask the Internet Service Provider or the proxy provider to hand over information about who really initiated the traffic) pretty much impossible.

There are some perfectly legitimate reasons why a legitimate user uses proxies. From viewing things you don’t want to be observed (some people, shamelessly, have been known to surf the Patek Philippe catalog at work!) to preventing sites (like Facebook) from observing too much about you, there are myriad legitimate uses for anonymizing your traffic.

But to some in law enforcement, anonymizing remains a mystery. So here are some links to some resources on tracking IP addresses, anonyous proxies, basic TTP of hacker types and some other stuff.

Anonymyzing An IP Address
Let’s get back to our nefarious credit card thugs. They could be using TOR, a perfectly legal tool which is as free as the air and as powerful as Thor. They could manage this with something like the TORBrowser bundle, or ProxySwitchy or the delightfully named Hide My Ass extensions for Chrome or Firefox. They could be using something like Vidalia. These things are also free, and putting these powerful tools a click of a mouse from even the most dense cyber criminal. If you’re more technically minded, you can rent a shell account from a provider anywhere in the world (meaning that it can’t be subpoenaed directly from that provider), or, if you’re more criminally minded, you can use exploited computers or whole botnets to route your traffic.

Why This is a Problem
Anonymous proxies, it turns out, present investigators with a major problem, because they present prosecutors with a major problem, because they present a major problem to judges.

It’s a problem for judges and prosecutors and ultimately cops because everyone in the criminal justice chain has heard the familiar tale that an IP address is like an Internet phone number, telling you exactly where the criminal is.

The old “IP-address-is-a-phone-number” saw began when an exasperated cyber cop was trying, through clenched teeth, to explain something to his super-annuated boss. It has become an indelible myth;  a criminal justice system legend as difficult to shake as the one about alligators in the Cleveland sewer system.

But many prosecutors expect to see the investigator hand up an IP showing that the computer is in a given location, because it’s one of the few places in US cyber law where there’s something like precedent: of course I need the IP address to show the computer at that house because how else can I possibly prove that that computer was used in this crime?

And, unsaid (or at the least, by investigators, inferred) is that, if you don’t have that, you are obviously not a good investigator, because how hard can it be to find a phone number?

Just watch this wonderful clip from CSI, in which writers, producers, directors, actors and an entire network tell us that, in order to find an IP address, all you need is someone who can “create a GUI interface using Visual Basic to track the killer’s IP address.” Sadly, too many in the criminal justice system believe this is true.

IP Address != Phone Number, and Killers Don’t Leave Calling Cards
I remind those of you with perhaps less than my whopping two years in law enforcement that murderers rarely leave white roses bearing their fingerprint (and a DNA sample from where the thorn drew a perfect droplet of blood), and they hardly ever leave a calling card with their home number.

That’s a Crime Stopper tip, guys, you might want to write it down.

Shockingly and similarly, IP addresses cannot be found by writing graphical user interface interfaces, even if you write it in Visual Basic.

At the same time, over the past, say, decade, cyber criminals have recognized that leaving your real IP address on a server was the single most incriminating thing you could do. In that same timeframe, the cost and complexity of obscuring your true IP address have both been reduced to, literally, “free” and “one click”.

It is therefore thoroughly unreasonable to expect that any serious cyber crime will come with a map to the house of the perpetrator, marked with an X where his bedroom computer is. No, investigators of cyber crimes must often (not always) find other ways of getting attribution (that’s cyber-spook talk for “Who Dun It?”)

This is not always the case. A well-placed subpoena can often net sufficient information, because while it’s easy to obscure your IP, it’s relatively harder to do it very well, and difficult to say the least even for sophisticated or professional cyber criminals to do it consistently enough to avoid leaving some breadcrumbs (see, for example, Rob Graham on how the FBI arrested Sabu, and the actual complaint, United States v HECTOR XAVIER MONSEGUR for more information).

This post goes into some tools and techniques as a starting point. Here are some ideas – and they are only those – about locating people on the Internets.

1. Check the name One of the coolest things out there in the world of public records search is TLO, the data fusion company established by Hank Asher after he stormed away in a huff from LexisNexis with his $700m. TLO is an excellent source of public records information, and is free to law enforcement. I’ll wait a moment while you read that again. Okay, in addition to being free to law enforcement, it is also an outstanding source of data on people, places and things (cars, phones, etc), and they have excellent customer service available by phone or instant message.

2. Facebook If you’ve got an email address, look on Facebook for it. You may well find a photo of and incriminating statements by your subject.

3. Subpoena, Subpoena, Subpoena. These, and search warrants, of email providers and Internet service providers are under-used when it comes to looking for evidence in cyber cases. Obviously we must protect people’s Fourth Amendment rights, and making the case to a judge that you have probable cause to look within a specific email account is one of your most sacred responsibilities. Once you’ve done that, you want to look for subpoena targets include Yahoo, Gmail, Facebook, and retailers who have been victims and who don’t cooperate with law enforcement without a subpoena. The fruits of those subpoenas will help you, especially if your bad guy has, for example, not anonymized his IP when checking his Yahoo! email account, or sent or received email which describes his personal details.

4.  Subpoena Another thing to subpoena is the ISP you suspect the person is using to see if that person is going to anonymizing sites. Remember above when I mentioned that people use shell accounts to forward their traffic? You can’t subpoena one of those in another country, but you can sometimes establish through the local ISP that a person went to the IP address of that shell account. Or proxy server. If you can tie the dates and times that the computer you suspect is accessing anonymizing tools to the dates and times that crimes were committed, you’re one step closer.

5. Surveillance If you suspect that a person is using a computer, see if you can swing by and see them on a computer. Hell, you’re just slapping your head at the moment, trying to place someone on some kind of machine, least you could do is get out there, right? Maybe it’s near a window and you can see it? The point is, if you can see a computer at the place you suspect, and see a person on it, this might be a good way to establish that the person used that specific computer at that specific time.

6. Trick Them. See if you can get them to click on a link or to visit a specific site. From @sp0rkbomb: “If they don’t normalize browser features, their browser is surprisingly unique.” Those retailers you are speaking with on the fraudulent orders can often give you the header information and more (but they’re used to only providing the IP address,because that’s all cops ever seem to ask for). You need to ask the retailer to get their geeks to hand up the HTTP stuff, which could include a wealth of stuff on the browser, the language settings, the operating system etc. Then you can think of some ways to get the person to visit a specific site or page and capture more.

Or of course, not.

This is not foolproof. It is a whole faecal-ton of work, and there’s no guarantee you’re even right. In fact, you are likely wrong. But we’ll never know until we try. The real issue, as I keep saying, is training. If every US law enforcement agency tried to crack just one cyber case in the next twelve months, we’d have 18,000 cases of experience across the country. We’d have cops familiar with what they need help with, and we’d have some metrics to ask the state and federal governments for training support and more clear cyber-crime investigative guidelines.

None of which we will get by not trying.