

Scammer using Cox Cable IP


moonmartin Member
edited June 2017 in General

Anyone else see this before? I do various manual checks for scammers. One of the more reliable ones is IP checks: whether it's a hosted IP, VPN, Tor exit relay, etc.

Someone signed up with a Cox Cable IP from Las Vegas and I ended up getting a fraud chargeback on it. This happened twice now. So the scammer is not on Cox Cable.

I won't be accepting any sign ups from Cox Cable anymore, but I would like to understand how they are doing this. I think the most likely is some VPN provider using Cox Cable residential/business IPs somehow.

Comments

  • William Member
    edited June 2017

    Provide the IPs? Are they ACTUAL Cox or just a spoofed whois entry like this network:

    inetnum:        196.62.128.0 - 196.62.159.255
    netname:        COX
    descr:          Cox Communications Inc
    

    > moonmartin said: I think the most likely is some VPN provider using Cox Cable residential/business IPs?

    If not spoofed, no, the most likely case is infected PCs and insecure modems.

  • moonmartin Member
    edited June 2017

    > @William said:
    > Provide the IPs? Are they ACTUAL Cox or just a spoofed whois entry like this network:
    >
    >     inetnum:        196.62.128.0 - 196.62.159.255
    >     netname:        COX
    >     descr:          Cox Communications Inc
    >
    > > moonmartin said: I think the most likely is some VPN provider using Cox Cable residential/business IPs?
    >
    > If not spoofed, no, the most likely case is infected PCs and insecure modems.

    98.160.252.94

    How do you know the 196.62.128.0 is spoofed? I get Cox on some checks but other checks say it's WZ Communications.

  • > moonmartin said: How do you know the 196.62.128.0 is spoofed?

    source:         AFRINIC # Filtered
    parent:         196.62.0.0 - 196.62.255.255
    
    inetnum:        196.62.0.0 - 196.62.255.255
    netname:        LDG-BLK0
    descr:          LDG-BLK0
    country:        ZA
    
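    The whois output above makes William's point: the sub-allocation calls itself "Cox Communications Inc", but it is an AFRINIC object whose parent block belongs to an unrelated holder in South Africa. As an added example (not code from this thread or from any of its participants), the following Python parses RIR whois text of that shape and reports the mismatches. The sample text is constructed from the lines quoted in the thread, and the mapping of a claimed ISP to the registry and country its own allocations should come from (Cox: ARIN, US) is an assumption of this example.

```python
"""Spot a spoofed whois sub-allocation: the child object names one organisation while its
registry, parent block and parent country point somewhere else (added example, not from the thread)."""
import ipaddress

# Assumption of this example: where a claimed ISP's own allocations should live.
# Cox is a US cable ISP, so a genuine Cox block comes from ARIN under a US allocation.
CLAIMED_ISPS = {"cox": ("ARIN", "US")}

# Constructed from the whois lines William quoted in this thread (child object, then its parent).
SAMPLE_WHOIS = """\
inetnum:        196.62.128.0 - 196.62.159.255
netname:        COX
descr:          Cox Communications Inc
source:         AFRINIC # Filtered
parent:         196.62.0.0 - 196.62.255.255

inetnum:        196.62.0.0 - 196.62.255.255
netname:        LDG-BLK0
descr:          LDG-BLK0
country:        ZA
source:         AFRINIC # Filtered
"""


def parse_whois(text):
    """RIR whois is blank-line separated objects of 'key: value' lines; '# ...' remarks are
    dropped and only the first value of a repeated key is kept."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            if current:
                objects.append(current)
            current = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            current.setdefault(key.strip().lower(), value.strip())
    if current:
        objects.append(current)
    return objects


def parse_range(text):
    """'a - b' -> (int(a), int(b)), or None when the field is missing or malformed."""
    try:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return int(lo), int(hi)
    except ValueError:
        return None


def smallest_containing(objects, lo, hi, strict=False):
    """Most specific inetnum object whose range covers [lo, hi] (strictly larger if strict)."""
    best, best_span = None, None
    for obj in objects:
        rng = parse_range(obj.get("inetnum", ""))
        if rng is None or rng[0] > lo or rng[1] < hi or (strict and rng == (lo, hi)):
            continue
        span = rng[1] - rng[0]
        if best is None or span < best_span:
            best, best_span = obj, span
    return best


def whois_red_flags(text, ip, claimed_isp):
    """Return the reasons the object covering ip does not look like the ISP it claims to be."""
    objects = parse_whois(text)
    addr = int(ipaddress.ip_address(ip))
    child = smallest_containing(objects, addr, addr)
    if child is None:
        return ["no inetnum object covers this IP"]
    flags = []
    expected_rir, expected_country = CLAIMED_ISPS.get(claimed_isp.lower(), (None, None))
    source = child.get("source", "").upper()
    if expected_rir and source and source != expected_rir:
        flags.append(f"claims {claimed_isp} but is registered at {source}, expected {expected_rir}")
    child_lo, child_hi = parse_range(child["inetnum"])
    parent = smallest_containing(objects, child_lo, child_hi, strict=True)
    if parent is not None:
        # A genuine customer sub-allocation normally shares its holder's name with the parent.
        child_words = set(child.get("descr", "").lower().split())
        parent_words = set(parent.get("descr", "").lower().split()) | {parent.get("netname", "").lower()}
        if not child_words & parent_words:
            flags.append(f"parent {parent['inetnum']} ({parent.get('descr', '?')}) names an unrelated holder")
        country = parent.get("country", "").upper()
        if expected_country and country and country != expected_country:
            flags.append(f"parent allocation is in {country}, expected {expected_country}")
    return flags


if __name__ == "__main__":
    for flag in whois_red_flags(SAMPLE_WHOIS, "196.62.130.5", "cox"):
        print("flag:", flag)
```

    Run against the sample, the check raises all three flags for 196.62.130.5 (registered at AFRINIC rather than ARIN, a parent holder that shares no name with the child, and a parent allocation in ZA). The parent is found by range containment rather than by trusting the `parent:` attribute, since that attribute is written by the same object that is being doubted.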
  • madnoob

    It's most definitely a residential proxy. If you block the COX Cable ISP, you could be losing potential customers from the said ISP.

  • AnthonySmith Member, Patron Provider

    I see a few of those, usually maxmind picks them up.

    Thanks for marking them up on fraud record, might save someone a headache in the future.

  • moonmartin Member
    edited June 2017

    > @madnoob said:
    > It's most definitely a residential proxy. If you block the COX Cable ISP, you could be losing potential customers from the said ISP.

    Meaning a hacked PC or router/modem?

  • madnoob

    > @moonmartin said:
    >
    > > @madnoob said:
    > > It's most definitely a residential proxy. If you block the COX Cable ISP, you could be losing potential customers from the said ISP.
    >
    > Meaning a hacked PC or router/modem?

    Not necessarily (but quite possible - RAT / Botnet), people tend to set up proxies for a certain price not knowing the risks involved.

  • moonmartin

    > @madnoob said:
    >
    > > @moonmartin said:
    > >
    > > > @madnoob said:
    > > > It's most definitely a residential proxy. If you block the COX Cable ISP, you could be losing potential customers from the said ISP.
    > >
    > > Meaning a hacked PC or router/modem?
    >
    > Not necessarily (but quite possible - RAT / Botnet), people tend to set up proxies for a certain price not knowing the risks involved.

    Seems odd because it's only Cox Cable that I have seen this on. Perhaps related to the equipment they use.

  • AnthonySmith Member, Patron Provider

    > moonmartin said: Seems odd because it's only Cox Cable that I have seen this on. Perhaps related to the equipment they use.

    Could be equipment related, I get a lot of open proxy hits on Cox orders (which I have maxmind automatically reject).

  • kh81 Member

    Keep in mind that there are quite a lot of proxies hosted on residential Cox IPs, it doesn't always have to be an infected PC or a part of a botnet.

  • Damian Member

    Also keep in mind it's the third largest cable ISP in the United States. Might as well block Comcast and Verizon and ATT DSL too then.

  • jar Patron Provider, Top Host, Veteran
    edited June 2017

    > @William said:
    > If not spoofed, no, the most likely case is infected PCs and insecure modems.

    People have suggested such possibilities in cases of fraud for years and I've always laughed it off. Up until about a year or so ago I had never witnessed a case of someone tunneling through someone's home network AND using what appeared to be legitimate billing information to correlate to the location. I'm sure it happened but never to enough degree to cross my screen.

    Times have changed. I no longer consider a residential IP to be evidence that a person may possibly be who/where they say they are. Nor do I have any idea how to combat this at a provider level, short of providers sharing information through things like FraudRecord.

  • Rhys Member, Host Rep
    edited June 2017

    > @jarland said:
    >
    > > @William said:
    > > If not spoofed, no, the most likely case is infected PCs and insecure modems.
    >
    > People have suggested such possibilities in cases of fraud for years and I've always laughed it off. Up until about a year or so ago I had never witnessed a case of someone tunneling through someone's home network AND using what appeared to be legitimate billing information to correlate to the location. I'm sure it happened but never to enough degree to cross my screen.
    >
    > Times have changed. I no longer consider a residential IP to be evidence that a person may possibly be who/where they say they are. Nor do I have any idea how to combat this at a provider level, short of providers sharing information through things like FraudRecord.

    It really is getting hard, bringing some IRC style checks (port scanning standard proxy ports and attempting to use it) to the table helps when it's just an open proxy but you can't catch them all :(.

  • William Member

    > jarland said: People have suggested such possibilities in cases of fraud for years and I've always laughed it off. Up until about a year or so ago I had never witnessed a case of someone tunneling through someone's home network AND using what appeared to be legitimate billing information to correlate to the location. I'm sure it happened but never to enough degree to cross my screen.

    Really? This has been common for many years in carding. It's called vicsocks (-> victim socks) and was a core function of e.g. the ZeuS trojan kit (and many others). I've seen that in use since easily 2009.

    Hacked modems are a newer thing but also happened then already.

  • kh81 Member
    edited June 2017

    > @jarland said:
    >
    > > @William said:
    > > If not spoofed, no, the most likely case is infected PCs and insecure modems.
    >
    > People have suggested such possibilities in cases of fraud for years and I've always laughed it off. Up until about a year or so ago I had never witnessed a case of someone tunneling through someone's home network AND using what appeared to be legitimate billing information to correlate to the location. I'm sure it happened but never to enough degree to cross my screen.
    >
    > Times have changed. I no longer consider a residential IP to be evidence that a person may possibly be who/where they say they are. Nor do I have any idea how to combat this at a provider level, short of providers sharing information through things like FraudRecord.

    What about scanning the ports on an IP, and requesting extra verification if they have suspicious ports enabled? (e.g. proxy)

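    Rhys's "IRC style checks" and kh81's suggestion both come down to the same provider-side test: probe the signup IP on the standard proxy ports and see whether whatever answers will relay for an unauthenticated stranger, then route the order to extra verification if so. As an added example (not code from this thread or from any of its participants), the Python below does that check and exercises it against a constructed fake open proxy on localhost so it runs offline. The port list, the canary host name, the verdict labels and the fake listener are assumptions of this example; the HTTP heuristic (a Via or Proxy-Agent header in the reply to an absolute-URI request) is one workable signal, not the only one.

```python
"""Signup-time open-proxy check: probe standard proxy ports and see whether the service
there relays for an unauthenticated stranger (added example, not from the thread)."""
import socket
import threading

# Assumption: ports commonly served by HTTP/SOCKS proxies; tune to your own hit rate.
STANDARD_PROXY_PORTS = (1080, 3128, 8080, 8118, 8888)
TIMEOUT = 2.0

SOCKS5_GREETING = b"\x05\x01\x00"  # version 5, one method offered: 0x00 = no authentication
# Absolute-URI GET for a canary host (constructed name): only a forward proxy should honour it.
HTTP_PROBE = b"GET http://canary.example/ HTTP/1.0\r\nHost: canary.example\r\n\r\n"


def is_open_socks5(reply):
    """A SOCKS5 server that selects method 0x00 will relay for anyone."""
    return len(reply) >= 2 and reply[0] == 0x05 and reply[1] == 0x00


def is_http_proxy(reply):
    """Heuristic: an HTTP status line plus a Via or Proxy-Agent header marks a forward proxy."""
    head = reply.split(b"\r\n\r\n", 1)[0].lower()
    return head.startswith(b"http/") and (b"\nvia:" in head or b"\nproxy-agent:" in head)


def _probe(ip, port, payload):
    """Fresh TCP connection per probe: None if the port is closed, else the first reply bytes."""
    try:
        sock = socket.create_connection((ip, port), timeout=TIMEOUT)
    except OSError:
        return None
    with sock:
        try:
            sock.settimeout(TIMEOUT)
            sock.sendall(payload)
            return sock.recv(1024)
        except OSError:
            return b""


def scan_for_open_proxies(ip, ports=STANDARD_PROXY_PORTS):
    """Map each port to 'closed', 'socks5-open', 'http-proxy' or 'open-unknown'."""
    verdicts = {}
    for port in ports:
        reply = _probe(ip, port, SOCKS5_GREETING)
        if reply is None:
            verdicts[port] = "closed"
        elif is_open_socks5(reply):
            verdicts[port] = "socks5-open"
        elif is_http_proxy(_probe(ip, port, HTTP_PROBE) or b""):
            verdicts[port] = "http-proxy"
        else:
            verdicts[port] = "open-unknown"  # something listens, but it is not an open proxy
    return verdicts


def needs_extra_verification(verdicts):
    """kh81's policy: an open proxy on the signup IP means ask for extra verification."""
    return any(v in ("socks5-open", "http-proxy") for v in verdicts.values())


def start_fake_open_proxy(mode="socks5", host="127.0.0.1"):
    """Constructed stand-in for a compromised residential host. 'socks5' mode accepts the
    no-auth method; 'http' mode answers every request like a forward proxy. Returns its port."""
    server = socket.socket()
    server.bind((host, 0))
    server.listen(5)

    def serve():
        while True:
            conn, _ = server.accept()
            with conn:
                try:
                    data = conn.recv(1024)
                    if mode == "socks5":
                        if data[:1] == b"\x05":
                            conn.sendall(b"\x05\x00")
                    else:
                        conn.sendall(b"HTTP/1.1 200 OK\r\nVia: 1.1 fake-proxy\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


if __name__ == "__main__":
    ports = (start_fake_open_proxy("socks5"), start_fake_open_proxy("http"))
    result = scan_for_open_proxies("127.0.0.1", ports)
    print(result, "-> extra verification:", needs_extra_verification(result))
```

    Each probe uses a fresh connection because a server that rejects the SOCKS greeting often closes the socket, which would otherwise make the HTTP probe look like a dead port. As Rhys notes, this only catches open proxies: a victim-socks host that requires the operator's credentials answers the no-auth greeting with a refusal and lands in "open-unknown", so the check is one signal to combine with others, not a verdict on its own.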
  • dragonballz2k

    > @kh81 said:
    >
    > > @jarland said:
    > >
    > > > @William said:
    > > > If not spoofed, no, the most likely case is infected PCs and insecure modems.
    > >
    > > People have suggested such possibilities in cases of fraud for years and I've always laughed it off. Up until about a year or so ago I had never witnessed a case of someone tunneling through someone's home network AND using what appeared to be legitimate billing information to correlate to the location. I'm sure it happened but never to enough degree to cross my screen.
    > >
    > > Times have changed. I no longer consider a residential IP to be evidence that a person may possibly be who/where they say they are. Nor do I have any idea how to combat this at a provider level, short of providers sharing information through things like FraudRecord.
    >
    > What about scanning the ports on an IP, and requesting extra verification if they have suspicious ports enabled? (e.g. proxy)

    Cox Cable has a help document about proxies, and about finding a proxy. http://www.cox.com/business/support/billing-and-account/article.cox?articleId=03cb0410-6b7f-11e0-4e73-000000000000

  • William Member
    edited June 2017

    > dragonballz2k said: Cox Cable has a help document about proxies, and about finding a proxy

    and? There is zero way to contact a user of an IP. Absolutely not relevant here.

    We talk about scanning from our side on the external IP.

  • jar Patron Provider, Top Host, Veteran
    edited June 2017

    > William said: Really? This has been common for many years in carding. It's called vicsocks (-> victim socks) and was a core function of e.g. the ZeuS trojan kit (and many others). I've seen that in use since easily 2009.

    Yeah I'm theorizing that exploited IoT devices marked the first events where I witnessed this happening. Suppose it's possible that a few slipped by me and I just never knew though. Usually I look out for multiple signs that a customer is legitimate on chargeback though, which would be my most common alert.

  • mikec Member

    If you have the Cox Cable IP address, try keying it into http://www.ip2location.com/demo to check the results. If it is a VPN, open proxy, web proxy or Tor proxy, it will show up in the "Anonymous Proxy" field.

  • Softether (vpngate specifically) is a free VPN client that uses some residential IPs, if you find someone hosting one on their house's connection.
