The booming sector of data centers has national, local and regional regulations to take into account, no matter where your physical premises are based. Moving forward, environmental regulation is expected to become an increasingly urgent concern, but one area that is often overlooked is the potential to have one’s data center involved in fraudulent activities – and what that means for business.

Data center IP use by fraudsters

Fraudsters who run bots and botnets consider data centers a good way to hide their activity, as they are relatively inexpensive and easily accessible. This happens through IP address traders and brokerages, which provide the use of tens of thousands of IP addresses leased at relatively affordable prices.

Criminals will then program their bots to switch to a new IP, to avoid getting caught by fingerprinting algorithms. Employed by companies in various sectors to proactively prevent fraud and other cybercrime, device fingerprinting tools can be standalone or integrated into fraud detection APIs, serving to collect various data points about a website’s visitors. These include the aforementioned IP addresses, as well as user agent, screen resolution, time zone, language, installed browser plugins, installed fonts, etc. The goal is to create a profile of each user, assigning them an accurate risk score in line with the organization’s security and fraud concerns, as well as past incidents. By acquiring use of the data center IPs, fraudsters are trying to circumvent such steps – in addition, of course, to more tools and security measures they will take. In effect, data center IPs are utilized by criminals as proxies in the tens, if not hundreds, of thousands.

Ad fraud and beyond

However, data center-adjacent cybercrime goes beyond this. On November 27, 2018, eight men were charged by the US Department of Justice with criminal violations related to “perpetrating widespread digital advertising fraud”, as well as computer intrusion, wire fraud, and money laundering. Successfully infecting over 1.7 million computers through two advertising networks from 2014 to 2018, the criminals made extensive use of data centers to load ads on non-existent, spoofed webpages and computers, defrauding advertisers for more than $36 million for fake ad impressions.

This consisted of successfully simulating human views – with the ads supposed to have been displayed to real consumers, who were also supposed to have clicked through to the advertisers’ websites. Instead, this entire process was automated by the criminals. Very recently, on November 11, 2021, the reported head of this operation and self-proclaimed “King of Fraud”, Aleksandr Zhukov, was sentenced to ten years in prison in New York. As demonstrated, they had leased 765,000 IP addresses as well as 2,000 servers in data centers based in Amsterdam and Dallas.

This is just one example of how criminals utilize data centers to commit crimes, be they against businesses, governments or private individuals. Fake click and fake ad impression schemes are also known to use data center installations of virtual machine software for similar reasons – for example with the Urlspirit fake click program, which has since been added to PUP (potentially unwanted program) and malware lists. Data center IP abuse is also popular in the iGaming sector, where according to Seon internal data, 57 percent of bonus abusers use a data center IP address.

Datacenter IPs get flagged

Faced with these developments as well as in an effort to thwart new types of threats, fraud fighters and security researchers have resorted to flagging data center IP addresses as potentially problematic. Depending on the vendor’s level of sophistication, this could mean an outright ban or, as more advanced solutions have it, be one factor taken into account in tandem with several other data points, all of which will result in a unique risk score for each user and/or action.

It is more than evident that datacenter IPs are not considered trustworthy online. For example, developments have attracted the attention of both advertising companies as well as advertisers, with the Media Rating Council listing data center traffic as GIVT (general invalid traffic) since 2015. But could data center operators themselves get in legal trouble if their addresses are found to be utilized by criminals for such nefarious purposes? The short answer is that so far, this has not happened, with fraudsters caught doing this believed to be abusing rather than using the data centers’ infrastructure.

However, there are other reasons to strive to avoid this as a data center. One is brand image and reputation. Any company whose name gets associated with criminal activity in the news faces the possibility that its name will be associated with unsavory practices even if it is quite clear that the company was not a knowing participant.

Then, one has to consider disruptions due to forensic activity. Experts might have to visit the premises, even confiscate hardware that will serve as proof of the criminals’ activities, which takes up resources, can affect employee morale and reduce some of your capacity for months, if not years, until the investigation is complete and the legal proceedings wrap up.

As a data center operator, it’s best to be proactive rather than reactive. By vetting customers using advanced data enrichment as well as multi-point fingerprinting methods, state-of-the-art fraud-detection solutions can weed out users who are likely to be bad actors and either ban them outright, forward their cases for manual review, or even trigger hard KYC checks for increased peace of mind. This way, you have a clearer view of who you’re doing business with and who you are providing your services to.

Subscribe to our daily newsletters