How Fraudsters Blur the Line between Suspicious and Legitimate Traffic

September 28, 2021

Two of the biggest challenges we face as a web security vendor are gaining a good understanding of the Internet ecosystem and finding the right balance between false positives (when the system incorrectly classifies a legitimate session as suspicious) and false negatives (when the system incorrectly classifies suspicious traffic as legitimate). Fraudsters are incredibly innovative when it comes to making their requests look as legitimate as possible, riding the blurry line between false positives and false negatives. As I discussed in a previous blog article, one of the common characteristics of attack traffic is that it generally comes from proxy services. A multitude of these services, like BrightData (formerly Luminati), Soax.com, OxyLabs, or Storm Proxies, have flourished around the Internet in recent years, but so far it has been easy enough to keep tabs on them, and they were not widely used by legitimate users (typically less than 10% of the traffic).

This is about to change though… Browser vendors like Brave and Opera have had a proxy or VPN solution included in their software for a while to help their users preserve their anonymity while browsing the Internet. With the latest version of iOS, Apple has joined the party with its iCloud Private Relay for Safari, which will funnel the user's requests through a proxy service and obfuscate the user's IP address from the web server. Although Safari doesn’t have the biggest market share when it comes to software to surf the web, this move definitely makes proxy usage more accessible and mainstream.

A request coming from a proxy has never been a strong indicator for us to clearly identify fraudulent activity, and we typically rely on multiple signals in order to ascertain the suspicious nature of a request. However, the recent move from Apple means that the “proxy” signal will further lose its value. At the same time, we’ll also lose visibility on the actual location of the user (although Apple seems to indicate that we’ll still be able to get their approximate whereabouts). From the IP address, we can also typically infer the ISP or company that owns the IP; that information will obviously be obfuscated and show the iCloud Private Relay service instead. These sorts of changes in the Internet ecosystem to help improve user privacy are unfortunately common. They increasingly blur the line between legitimate and suspicious traffic and can have unexpected consequences for user security and experience on various websites.
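To put rough numbers on why the proxy signal loses value while multi-signal scoring holds up, here is an added example (not Arkose Labs code or its scoring method) using a naive-Bayes log-odds model. Only the 10% legitimate proxy share comes from the article; the 40% future share, the prior, the other two signals and all their rates are constructed assumptions, as is the independence between signals.

```python
import math

# Constructed rates for illustration. Only the 10% legitimate proxy share
# comes from the article; every other number is an assumption.
PRIOR_FRAUD = 0.05                      # assumed share of fraudulent sessions
P_PROXY_GIVEN_FRAUD = 0.80              # assumed: most attack traffic is proxied
OTHER_SIGNALS = {                       # name: (P(signal|fraud), P(signal|legit))
    "headless_browser": (0.60, 0.01),
    "high_request_rate": (0.70, 0.05),
}

def fraud_posterior(legit_proxy_share, observed):
    """P(fraud | observed signals) under a naive-Bayes model.

    legit_proxy_share: P(proxy | legitimate user), the value that rises as
    relays and built-in VPNs become mainstream.
    observed: signal name -> bool; signals not listed are ignored.
    """
    rates = {"proxy": (P_PROXY_GIVEN_FRAUD, legit_proxy_share), **OTHER_SIGNALS}
    log_odds = math.log(PRIOR_FRAUD / (1 - PRIOR_FRAUD))
    for name, present in observed.items():
        p_fraud, p_legit = rates[name]
        if not present:                 # absence of a signal is evidence too
            p_fraud, p_legit = 1 - p_fraud, 1 - p_legit
        log_odds += math.log(p_fraud / p_legit)
    return 1 / (1 + math.exp(-log_odds))

PROXY_ONLY = {"proxy": True}
ALL_FIRING = {"proxy": True, "headless_browser": True, "high_request_rate": True}
RELAY_USER = {"proxy": True, "headless_browser": False, "high_request_rate": False}

def compare(shares=(0.10, 0.40)):
    """Posterior per scenario for each legitimate proxy share."""
    return {
        s: {
            "proxy_only": fraud_posterior(s, PROXY_ONLY),
            "all_firing": fraud_posterior(s, ALL_FIRING),
            "relay_user": fraud_posterior(s, RELAY_USER),
        }
        for s in shares
    }

if __name__ == "__main__":
    for share, row in compare().items():
        print(f"legit proxy share {share:.0%}: "
              + ", ".join(f"{k}={v:.3f}" for k, v in row.items()))
```

With these constructed rates, a proxy hit on its own falls from about 0.30 to about 0.10 as the legitimate share grows from 10% to 40%, while a session where all three signals fire stays above 0.98 and a relay user with no other signals scores near 0.01.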

So my job as head of research at Arkose Labs has gotten that much more complicated, and fun, I suppose? We’re working hard to keep your users safe and secure with the highest accuracy. The good part, though: at Arkose Labs we never block the traffic. Even if we occasionally get it wrong, all your legitimate users will have to do is play a simple game to authenticate themselves and prove they are legitimate.