Residential Evil: Addressing the Role of Anonymization Infrastructure in Cybercrime with Tom Kilmer from Spur
Reading time: 14 minutes
In recent years, more emphasis is put on privacy concerns and data security while online. The shields at the forefront of this battle for privacy and secure internet access are VPNs and proxies, and more notably residential IP proxies. While claiming to offer anonymization to users, residential proxies also account for some security issues.
Residential IP proxies are used for ads, shopping, and social networks, but a number of them are used for malicious purposes. Cyber criminals and bot developers are anonymizing their traffic using residential IP proxies, whose small footprint makes them harder to detect.
Spur Intelligence started as an industry exposé of VPNs, residential proxies, malware proxies and other anonymization behaviour, and their role in cybercrime and fraud. Thomas Kilmer and his co-founder Ethan Smith started Spur in 2017 and today they are a multi-purpose IP context provider.
To aid in understanding the role anonymization infrastructure plays in the cybercrime realm, we chatted with Tom Kilmer. We met (virtually) with Tom in Orlando, and heard his backstory, how he discovered the need for a service like Spur, and how they have been positioning themselves as an "anti-TI" vendor in the IP reputation space.
SecurityTrails: Tom, you finished a BS in Computer Science in Texas and after that, had some experiences in the public sector before joining Team Cymru and later Redacted. Can you tell us more about that time?
Thomas Kilmer: After graduating college in 2011, I went to work for the Department of Defense in Maryland. I consider the nearly 3 years I spent in the public sector a continuation of my education. I also met the co-founder of Spur, Ethan Smith, during that time.
Although I enjoyed my time with the government, I also wanted to experience the private sector. At the recommendation of a mentor, I moved with my wife to Florida in 2014 and joined Team Cymru. Cymru was different from my government experience and it provided me with a wealth of knowledge and experiences that would prove invaluable nearly 3 years later at Spur.
In late 2016, my buddies from my time in the government called to let me know they were joining up with some folks from Silicon Valley to tackle problems facing the private sector. It sounded very exciting as I knew being part of a start-up would provide the necessary experiences to eventually start my own company.
I met back up with Ethan and others at Redacted. We were responsible for building a lot of the backend infrastructure in-between stress tests and trying to automate as much of the process as possible. We were exposed to a lot of 3rd party data, threat intelligence products and platforms, which gave us incredible insight into the state of security at a lot of high profile companies. However, our roles were not lending themselves to growth outside of a technical one. With that thought, we decided to take the leap and created Spur.
How did you leverage your past experiences in making the jump from the private sector to becoming an entrepreneur and running your own company?
Tom: I had no idea what I was doing. I had a lot of experience interfacing with customers, performing data acquisition, and building technical solutions. At both Cymru and Redacted I would often think to myself how easy the non-engineering teams had it. The more I talk with technical folks, I realize it is a very common sentiment. But I was wrong. Bizdev is hard. Sales is hard. General business management and keeping up with filings is tedious.
We took a very alternative approach to starting Spur. We wanted to be employee owned and not raise outside funding. Our mentors all told us it was a doable but much slower process and that we would have to be very careful. We sought out contract work from the connections we made throughout our careers. We knew it would be a split of time between contracts and our own work, but we'd ultimately build a product that would be ours.
Luckily, we have an amazing advisory board. Rabbi Rob Thomas, CEO of Team Cymru, has been an excellent resource for navigating the very difficult and foreign process of starting a business. He subjected his C-suite to several of our product pitches as we were working on getting it right. The early-days pitches were rough, but they were good sports about it. The feedback we got from his team was invaluable while building our original offering.
You took an alternative route when starting Spur. What was the market gap you were set to fill in Spur's early days?
Tom: We were incredibly naive at first. We bit off way more than we could chew. For some reason, we thought we could build a single graph interface using GraphQL to connect all of the 3rd party data sources. Our goal was to remove the engineering knowledge required to interface with all of these data sources so analysts could build datasource agnostic analytics. If someone wanted to use FarSight for their analytics but decided to switch to SecurityTrails, it wouldn't require months of engineering time.
Not only was this product overly ambitious, it had a steep learning curve. This just ended up swapping one engineering headache for another.
Our product kept getting simpler from there. Originally, we really did not want to be a data company. It took about a year for us to make our first pivot. We began offering specific analytics built on our GraphQL backend. Not only did this simplify our own offerings, it lowered the bar for integrations with clients. This process of slowly narrowing our scope continued until we finally honed in on our current offering.
Around July of 2019, I got asked for help in a current investigation involving an APT actor. He knew we were working on an IP clustering project for our risk clients. Our goal there, to identify the Comcast and Verizon business IPs that a company was using, allowed us to determine if there were any office IoT devices or services that might be missed in a traditional report. He had a list of 10 or so IPs that were performing this activity. I noticed the cluster of IPs that the first IP was in, included all 10 of his suspect IPs. Additionally, it had 20 or so other IPs around the world. One after another, I realized the IP immediately above or below one of the suspect IPs had IPSec open. Unfortunately, none of the current VPN detection feeds identified these as VPNs. And even if they did, they wouldn't tell me which service it was. Was it a commercial service with other people? Was it private and dedicated to just this actor? So many questions and not a single product that answered them.
In the startup process, there is that mythical moment of finding a product-market fit. It is, indeed, very hard to go from idea to traction on the road to product-market fit. How did you process look like?
Tom: After that investigation in July, we started the process of building our IP context product. We wanted to get as much unique information as possible about an IP to put it into perspective. It started out as simply identifying VPNs and proxy services, and labeling estimated user counts. I casually mentioned it to a couple of our existing clients and they were immediately interested. By the end of October, we had a proof of concept feed that labeled maybe 10 popular VPN services and 4 proxies. We already had 2 customers for this proof of concept. We knew we had something.
Today, we have customers from fields like finance, healthcare, and e-commerce using our feeds for general security to fraud prevention. We currently label ~350 VPN services and 14 proxy providers that cover nearly 10M IPs/day. This is the first September that we are not in the middle of a product review. For the first time, we are prioritizing product delivery and access methods. After nearly 3 years, Spur has complete clarity on our purpose and product.
What is the role of anonymization infrastructure in fraud and cyber attacks as the scope of it is still not widely understood?
Tom: That is a really hard question to answer. It really depends. Anonymization services are an incredibly easy way for an actor to get a large swath of IPs, with little oversight of their activities. It is an easy way for these actors to protect themselves for as little as $3, and blend in with the activities of hundreds of other users.
We partnered with Andrew from GreyNoise about six months ago to start marrying our two datasets together. We quickly identified a lot of overlap between IPs labeled "malicious" and VPN services offering "no-log" policies. We even recently released a report showing our data applied to some free threat intelligence feeds. There is a lot of overlap with these VPN services. Like I said, it is an easy and cheap way for an attacker to hide their activity.
Residential proxy networks are a lesser known threat. Could you explain to us what residential proxies are, and why we might be running one in our network without knowing?
Tom: Anyone that talks to me about Spur for 10 minutes, finds out I am very passionate about residential proxies. Almost nobody knows what they are. To put it simply, it is a quasi-legitimate service that sells proxy access to millions of IP addresses for a number of purposes. These IP addresses are sourced by people like you and me. You may download a game on your phone and unknowingly agree to the terms of service enabling these proxy companies to use your internet connection.
The application developers embed these SDKs into their apps as an alternative revenue stream and get paid per MB of traffic that is proxied through their application.
If you are on a limited bandwidth plan, that might mean these services are costing you actual money. Additionally, anything malicious or fraudulent they perform will be attributed back to you. If you take your device to work and connect to their network, these proxy companies will then have access to that connection. In the best case, the proxy customers activities are attributed back to your company. In the worst case, the proxy customers can access internal company documents. Some of these services do not filter access to intranet sites.
Once you buy a residential proxy, it's a good idea to test it for legitimacy and any potential operational issues. How can users test a residential proxy?
Tom: I see two major issues with residential proxy services. The first is how they source their millions of IP addresses. I firmly believe services utilizing embedded SDKs are no different than malware. Most of these consumers are unaware of the risk and implications that they often are unknowingly agreeing to. If I were looking to use a residential proxy service, I would want to use a service that ethically sourced these IP addresses. NetNut proxy service is a good example of a service that does exactly that. They buy unused IP space from ISPs around the world. As opposed to giving app developers an alternative revenue stream, they give ISPs. In this case, there is no "victim."
The second problem is the purpose. Residential proxies are used to circumvent "unfair" limitations some sites impose. That "unfair" comment is taken directly from spider.com's front page. The web services that are being scraped and crawled impose these limitations on purpose, whether for bandwidth conservation or protection of intellectual property. What rights do these proxy services have for enabling this behavior? Almost every "legitimate" purpose these companies state, could be performed by datacenter IP space that is properly attributed to the company performing the activity.
In my opinion, there is no legitimate residential proxy service.
What are some real life examples of residential proxies enabling fraud?
Tom: Limited edition releases are the most recent examples that people may be unaware of. Services like GeoSurf pride themselves on providing clean IPs for bots to use to purchase sneakers. There is a whole service called sneaker bots. Recently, you may have noticed, playstation 5 reservations and Nvidia GeForce 3080 cards instantly sold-out. Although this did not affect the bottom-line for the respective companies, it was a PR nightmare. These services enable this behavior for scalpers.
This might seem pretty benign to some, however, we did encounter a case of e-commerce fraud that was exactly that, fraudulent. During a major release a couple years ago, bots utilizing residential proxy services added items to their carts at record speeds. But they did something different, they didn't purchase the items. The shopping cart platform reset after a few minutes and released the items to the next set of buyers. However, bots would scoop those up again. Eventually, all the items sold. Reports to their shareholders showed the release as under their projections. Stock prices were temporarily affected due to the underwhelming release day sales. This was a denial of inventory attack enabled by these proxy services. We can only speculate the motivations of such an attacker.
Fraudsters will use either a datacenter proxy or a residential proxy. What makes residential proxies a much more dangerous enabler?
Tom: Open proxies on the internet are very easy to use. There are several services out there selling a list of these open proxies as they identify them. It is very cheap and has low sophistication. However, almost all of these IP addresses are blacklisted. This is because it is easy to identify and block.
Residential proxies are vast. I was recently talking to Andrew Morris, and I mentioned the scale of a service like Luminati and he was dumbfounded. He could not believe someone could pay $500/mo to a service like Luminati and have access to millions of clean IP addresses. Instantly. The scale of these services outnumber VPN services 100-to-1. What is a defender to do? These IP addresses have real users on them. Are we going to block Grandma from accessing their banking platform because they unknowingly downloaded a bad application? It is incredibly difficult to solve, and our first step is awareness. Defenders can't begin to start formulating a response if they don't know this problem exists.
What are some other indicators of fraudulent behaviour?
Tom: We talked a lot about residential proxies and commercial VPN services, but Spur is really a multi-purpose IP context provider. One of the services we provide is identifying where the users of an IP address are located vs where the IP address is geolocated. For instance, MaxMind might say an IP is physically located in New York. We will tell you that, plus we will tell you that the users are actually located in Iran. This is one of the ways we help our customers identify potential geo fraud.
Spur's data from a country report showing which countries users in Iran like to use. Iranians want to exit out of the United States, Europe, and Japan.
How does Spur's data empower security researchers and what are the use cases of your data?
Tom: Spur does not make an assessment on the maliciousness of an IP address. We want our customers and users to have all the information they need to make an informed decision. Not Every customer has the same risk profile, so it is not up to us to make a judgement.
Part of the context we provide is information that might attribute the IP address to a public access point. We provide SSID names for public WiFi access points. This helped one researcher track malicious activity back to an IP to better understand what their actor was doing. Our data revealed it was a Walmart that performed the malicious activity. It is hard to judge a public WiFi that has hundreds of users per week by the activity of one person.
What did you identify as the biggest issue with IP reputation and threat intelligence feeds and how to fix it?
Tom: They lack context. There is a huge difference between the activities performed on an IP address and the owner of that IP. In our evaluation of free IP reputation feeds, we identified 14% of IPs on one particular list as mobile gateways. Mobile gateways service hundreds of users. In the majority of cases, most of those users are benign. Not every organization would want to blanket block hundreds of legitimate users. Without context, how can an organization judge what to do with these indicators.
We have been positioning ourselves as an "anti-TI" vendor because we want to reframe the discussion. It would be very arrogant of me to tell my clients what is good or bad for their business, when I have never worked directly in their fraud departments or SOC. By providing them with the facts surrounding an IP address, I empower my clients to make the right decision for their own respective businesses.
What can we expect of Spur in the future, what are you working on at the moment?
Tom: We are working really hard to deliver the data to our customers in the ways they need it. We are actively engaged with several platforms, building integrations so our data directly fits into our clients' existing workflow.
On new features, we will be releasing some new API fields in the next month that will help our clients know when an IP address has changed ownership. This will provide the context our clients need to accurately age-off indicators that are no longer relevant, or identify when an actor starts using this infrastructure to perform their campaigns. It is just another step towards fully understanding the context of an IP address.
Make sure to follow Tom and Spur and be first in line to find out about their new features. Check out for our other interviews while we're waiting for a new one to drop!
