Back to Intelligence

Defending Against 'Clean' Residential Proxy Carding: Identity Evasion Detection

SA
Security Arsenal Team
July 19, 2026
5 min read

The landscape of carding has shifted dramatically. Traditional defenses relying on IP reputation and simple geolocation blocks are increasingly ineffective. Cybercriminals are now aggressively sourcing "clean" residential proxies—IP addresses with no prior malicious history—and combining them with sophisticated browser fingerprinting and device profile manipulation. By synchronizing a rotating residential IP with a consistent, spoofed device identity, attackers can bypass modern fraud detection systems that look for "trust" signals rather than just malicious indicators. Defenders must move beyond static blocklists and focus on behavioral analysis and identity integrity.

Technical Analysis

Threat Vector: Advanced Carding and Fraud Evasion

Mechanism of Attack: Attackers utilize residential proxy networks (RPNs) to route traffic through consumer-grade devices (IoT, home routers), assigning them "clean" reputations. To maintain session continuity and trust scores while rotating these IPs, they employ "anti-detect" browsers and device fingerprint spoofing tools.

  1. Identity Pairing: The attacker uses a device profile that generates a persistent browser fingerprint (Canvas, WebGL, AudioContext).
  2. IP Rotation: Every few requests, the traffic is routed through a different "clean" residential exit node.
  3. Evasion: The fraud detection system sees a "trusted" device (consistent fingerprint) connecting from a "trusted" residential IP, bypassing rules designed to flag datacenter proxies or rapid IP changes.

Affected Assets:

  • E-commerce checkout pages
  • Banking and financial services portals
  • Login and account management endpoints

Detection & Response

Defending against this requires detecting the tooling used by attackers (anti-detect browsers) on your endpoints (insider threat/compromised admin) and analyzing network traffic for anomalies at the perimeter.

Sigma Rules

The following rules target the endpoint execution of tools commonly used to manage these device profiles and residential proxies, as well as network indicators of a compromised host acting as a proxy node.

YAML
---
title: Potential Anti-Detect Browser Execution
id: 9a8f7c21-6e5d-4b3a-9c1d-2e4f6a8b0c1d
status: experimental
description: Detects the execution of known anti-detect browsers often used to manage browser fingerprints for carding and fraud operations.
references:
  - https://www.bleepingcomputer.com/news/security/inside-the-search-for-clean-residential-proxies-for-carding/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\incogniton.exe'
      - '\kameleo.exe'
      - '\multilogin.exe'
      - '\linken sphere.exe'
      - '\ghostbrowser.exe'
  condition: selection
falsepositives:
  - Authorized fraud testing or QA activities
level: high
---
title: Suspicious Proxy Service Listening Ports
id: 4d3e2c10-9b8a-4f7d-6e5c-1a2b3c4d5e6f
status: experimental
description: Detects processes listening on common proxy ports which may indicate the endpoint is part of a residential proxy botnet.
references:
  - https://www.bleepingcomputer.com/news/security/inside-the-search-for-clean-residential-proxies-for-carding/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 8080
      - 3128
      - 1080
      - 9050
    Initiated: 'false'
  filter:
    Image|contains:
      - '\Program Files\'
      - '\System32\'
  condition: selection and not filter
falsepositives:
  - Legitimate web server or proxy software
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for carding activity by looking for a high number of failed authorization attempts or card declines originating from a diverse set of IP addresses but sharing a suspiciously consistent User-Agent or other device fingerprint headers.

KQL — Microsoft Sentinel / Defender
let TimeRange = 1h;
let FailedTransactions = materialize (
    DeviceNetworkEvents
    | where Timestamp > ago(TimeRange)
    | where ActionType in ("ConnectionFailed", "PaymentDeclined", "AuthFailure") // Customize based on your logs
    | project Timestamp, SrcIpAddr, DeviceName, UserAgent, AdditionalFields
);
let IpCount = FailedTransactions
| summarize count() by SrcIpAddr, UserAgent
| summarize IpCount = dcount(SrcIpAddr) by UserAgent
| where IpCount > 10 // Threshold: Same User-Agent from > 10 distinct IPs
;
FailedTransactions
| join kind=inner (IpCount) on UserAgent
| project Timestamp, SrcIpAddr, UserAgent, DeviceName
| sort by Timestamp desc

Velociraptor VQL

This artifact hunts for the presence of installed anti-detect browsers or configuration files associated with browser fingerprint manipulation on the endpoint.

VQL — Velociraptor
-- Hunt for Anti-Detect Browser Artifacts
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs='*/AppData/Local/Incogniton/*')
WHERE NOT FullName =~ '%recycle%'

UNION ALL

SELECT FullPath, Size, Mtime, Atime
FROM glob(globs='*/AppData/Local/Kameleo/*')
WHERE NOT FullName =~ '%recycle%'

UNION ALL

-- Hunt for suspicious proxy configuration files
SELECT FullPath, Size, Mtime
FROM glob(globs='C:/Windows/System32/drivers/etc/hosts')
WHERE 
   -- Read content and check for known proxy redirections or suspicious entries
   read_file(filename=FullPath) =~ 'proxy' OR read_file(filename=FullPath) =~ 'tor'

Remediation Script (PowerShell)

This script assists in identifying and blocking unauthorized proxy settings and checking for the presence of known anti-detect tools.

PowerShell
# Check for common Anti-Detect Browser Installations
$PathsToCheck = @(
    "$env:LOCALAPPDATA\Incogniton",
    "$env:LOCALAPPDATA\Kameleo",
    "$env:LOCALAPPDATA\Multilogin",
    "${env:ProgramFiles(x86)}\Linken Sphere"
)

foreach ($Path in $PathsToCheck) {
    if (Test-Path $Path) {
        Write-Warning "Suspicious anti-detect software found at: $Path"
        # Optional: Remove-Item -Path $Path -Recurse -Force
    }
}

# Check for Proxy Settings Changes via Registry
$ProxyPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$ProxyEnable = Get-ItemProperty -Path $ProxyPath -Name "ProxyEnable" -ErrorAction SilentlyContinue

if ($ProxyEnable.ProxyEnable -eq 1) {
    $ProxyServer = Get-ItemProperty -Path $ProxyPath -Name "ProxyServer" -ErrorAction SilentlyContinue
    Write-Warning "Proxy is enabled on this machine: $($ProxyServer.ProxyServer)"
    # Investigate if this is authorized corporate proxy or a residential proxy client
}

Remediation

To effectively mitigate the threat of "clean" residential proxies and identity evasion:

  1. Implement Device Fingerprinting Integrity: Move beyond static device IDs. Monitor for integrity changes in the fingerprint generation process (e.g., detecting if the fingerprint is being injected or spoofed via automation).
  2. Behavioral Velocity Analysis: Configure WAF and fraud detection rules to trigger on high-velocity actions (checkout attempts, login retries) regardless of IP reputation. If a single device fingerprint attempts 100 transactions from 50 different IPs in one minute, block the device identity, not just the IP.
  3. Network Segmentation: Ensure IoT devices and guest networks cannot communicate with internal management systems to prevent them from being recruited into residential proxy botnets.
  4. Patch and Update: Ensure all edge devices (routers, firewalls) are updated to prevent compromise as proxy nodes.
  5. Block List Integration: While "clean" proxies avoid standard blocklists, integrate with threat intelligence feeds that specifically identify proxy ports and proxy services rather than just IP addresses.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemcardingresidential-proxiesfraud-detectionthreat-huntingbrowser-fingerprinting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.