Scammer using Cox Cable IP
moonmartin
Member
Anyone else see this before? I do various manual checks for scammers. One of the more reliable ones is IP checks. If it's a hosted IP, VPN, or Tor exit relay etc.
Someone signed up with a Cox Cable IP from Las Vegas and I ended up getting a fraud chargeback on it. This happened twice now. So the scammer is not on Cox Cable.
I won't be accepting any sign ups from Cox Cable anymore but I would like to understand how they are doing this? I think the most likely is some VPN provider using Cox Cable residential/business IPs somehow.
Comments
Provide the IPs? Are they ACTUAL cox or just spoofed whois entry like this network:
If not spoofed, no, the most likely case is infected PCs and insecure modems.
98.160.252.94
How do you know the 196.62.128.0 is spoofed? I get cox on some checks but other checks say it's WZ Communications.
It's most definitely a residential proxy. If you block the COX Cable ISP, you could be losing potential customers from the said ISP.
I see a few of those, usually maxmind picks them up.
Thanks for marking them up on fraud record, might save someone a headache in the future.
Meaning a hacked PC or router/modem?
Not necessarily (but quite possible - RAT / Botnet), people tend to set up proxies for a certain price not knowing the risks involved.
Seems odd because it's only Cox Cable that I have seen this on. Perhaps related to the equipment they use.
Could be equipment related, I get a lot of open proxy hits on Cox orders (which I have maxmind automatically reject).
Keep in mind that there are quite a lot of proxies hosted on residential Cox IPs, it doesn't always have to be an infected PC or a part of a botnet.
Also keep in mind it's the third largest cable ISP in the United States. Might as well block Comcast and Verizon and ATT DSL too then.
People have suggested such possibilities in cases of fraud for years and I've always laughed it off. Up until about a year or so ago I had never witnessed a case of someone tunneling through someone's home network AND using what appeared to be legitimate billing information to correlate to the location. I'm sure it happened but never to enough degree to cross my screen.
Times have changed. I no longer consider a residential IP to be evidence that a person may possibly be who/where they say they are. Nor do I have any idea how to combat this at a provider level, short of providers sharing information through things like FraudRecord.
It really is getting hard, bringing some IRC style checks (port scanning standard proxy ports and attempting to use it) to the table helps when it's just an open proxy but you can't catch them all.
Really? This has been common for many years for carding. It's called vicsocks (-> victim socks) and was a core function of e.g. ZeuS trojan kit (and many others). I've seen that in use since easily 2009.
Hacked modems are a newer thing but also happened then already.
What about scanning the ports on an IP, and requesting extra verification if they have suspicious ports enabled? (e.g. proxy)
Cox Cable has a help document about proxies, and about finding a proxy. http://www.cox.com/business/support/billing-and-account/article.cox?articleId=03cb0410-6b7f-11e0-4e73-000000000000
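The port check suggested in the comments above, as an added example that is not part of any post in this thread: it probes the signup's own source IP on conventional proxy ports, sends a SOCKS5 no-auth greeting to see whether the port can actually be used, and maps the result to accept / verify / reject. The port list, the function names and the three-way policy are assumptions made for illustration.

```python
import socket

# Conventional proxy ports (SOCKS 1080, Squid 3128, common HTTP proxy 8080).
# Assumed list for this example; tune it to what your own fraud data shows.
PROXY_PORTS = (1080, 3128, 8080)
SOCKS5_GREETING = b"\x05\x01\x00"  # version 5, one method offered: no-auth


def probe(ip, port, connect=socket.create_connection, timeout=3.0):
    """Return 'closed', 'open' or 'socks5-open' for one port on the signup IP."""
    try:
        sock = connect((ip, port), timeout)
    except OSError:
        return "closed"  # refused, filtered or timed out
    try:
        sock.settimeout(timeout)
        sock.sendall(SOCKS5_GREETING)
        reply = sock.recv(2)
    except OSError:
        return "open"  # accepted TCP but never answered the greeting
    finally:
        sock.close()
    # A SOCKS5 server that accepts unauthenticated clients answers 05 00.
    return "socks5-open" if reply == b"\x05\x00" else "open"


def signup_action(ip, connect=socket.create_connection):
    """Map probe results for one signup IP to (action, per-port results)."""
    results = {port: probe(ip, port, connect) for port in PROXY_PORTS}
    if "socks5-open" in results.values():
        return "reject", results  # usable open proxy confirmed
    if "open" in results.values():
        return "verify", results  # suspicious port: ask for extra verification
    return "accept", results      # nothing found on these ports


if __name__ == "__main__":
    # Probes the local machine only; replace with the signup's source IP.
    print(signup_action("127.0.0.1"))
```

An "accept" here only means none of the listed ports answered; as the thread notes, this catches plain open proxies and not every kind.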
and? There is zero way to contact a user of an IP. Absolutely not relevant here.
We talk about scanning from our side on the external IP.
Yeah I'm theorizing that exploited IoT devices marked the first events where I witnessed this happening. Suppose it's possible that a few slipped by me and I just never knew though. Usually I look out for multiple signs that a customer is legitimate on chargeback though, which would be my most common alert.
If you have the Cox Cable IP address, try to key it into http://www.ip2location.com/demo to check the results. If it is a VPN, open proxy, web proxy and Tor proxy, it will show up in the "Anonymous Proxy" field.
Softether (vpngate specifically) is a free VPN client that uses some residential IPs if you find someone hosting one on their house's connection