Anti-Phishing with Proxies: How Security Teams Use Mobile IPs

Phishing attacks are surging across Southeast Asia. Financial institutions, e-commerce platforms, and government services in Singapore, Malaysia, Thailand, the Philippines, and Indonesia are all frequent targets. Security teams tasked with detecting and taking down phishing sites face a fundamental challenge: phishing operators are sophisticated, and they actively hide their malicious content from researchers.

Mobile proxies have become an essential weapon in the anti-phishing arsenal. They allow security teams to access phishing sites as real users would, bypassing the cloaking techniques that phishers use to evade detection. This article explains how security teams use mobile proxies for phishing detection, investigation, and takedown operations across Southeast Asian markets.

The Phishing Landscape in Southeast Asia

Scale of the Problem

SEA is a high-growth target for phishing campaigns:

  • Banking phishing — Fake login pages for DBS, OCBC, Maybank, Bangkok Bank, BDO, and BCA are among the most common phishing lures in the region
  • E-commerce phishing — Shopee, Lazada, and Tokopedia account phishing is widespread, especially around major sale events
  • Government services — Fake MySejahtera (Malaysia), SingPass (Singapore), and PeduliLindungi (Indonesia) pages have been used to steal personal data
  • Payment platforms — GrabPay, GCash, ShopeePay, and OVO phishing targets mobile wallet users
  • Messaging-based phishing — WhatsApp, LINE, and Telegram are used to distribute phishing links, particularly targeting mobile users

Why SEA Is a Target

Several factors make Southeast Asia attractive to phishers:

  • Rapid digital adoption — Millions of new internet users who are less experienced at spotting phishing
  • Mobile-first population — Phishing on small screens is harder for users to detect (truncated URLs, smaller security indicators)
  • Multiple languages — Phishers create localized lures in Thai, Bahasa, Tagalog, and other languages
  • Growing digital financial services — More online banking and digital payments means more valuable credentials to steal

How Phishers Evade Detection

Understanding evasion techniques is critical to understanding why proxies matter for anti-phishing work.

IP-Based Cloaking

Phishers detect and block security researchers by IP:

  • Blocklisting security vendor IPs — Known IP ranges of security companies are served benign content instead of the phishing page
  • Datacenter IP blocking — Traffic from datacenter IPs is redirected to legitimate sites or shown blank pages
  • Geo-restricting phishing content — Phishing pages targeting Thai bank customers may only display to Thai IPs; other visitors see a benign page or a 404 error

User-Agent and Device Filtering

  • Phishing pages may only render on mobile browsers, since their targets are mobile users
  • Desktop user agents may be served different content
  • Bot-like signatures trigger cloaking

Time-Based Evasion

  • Phishing pages go live, collect credentials for a few hours, then go dark
  • Some phishing kits detect repeated visits and shut down after a threshold
  • Pages are served only during peak hours in the target timezone

Referrer-Based Filtering

  • Phishing pages may only show malicious content when accessed through specific referrers (e.g., a phishing SMS link) rather than direct navigation
  • Security researchers visiting directly may see clean content

How Security Teams Use Mobile Proxies

Phishing Site Detection

Security teams use mobile proxies to scan for active phishing sites from the perspective of potential victims:

Geo-specific scanning:

Connect through mobile proxies in each SEA country to check reported phishing URLs. A phishing page targeting Maybank customers in Malaysia may only display to Malaysian mobile IPs.

| Target | Proxy Country | Carrier | Expected Behavior |
|---|---|---|---|
| Maybank phishing | Malaysia | Maxis | Shows fake login page |
| Maybank phishing | Singapore | Singtel | Shows 404 or redirect |
| DBS phishing | Singapore | StarHub | Shows fake login page |
| DBS phishing | Thailand | AIS | Shows benign content |

Mobile device simulation:

Since many phishing pages target mobile users exclusively, security teams must use mobile proxies combined with mobile user agents and screen resolutions. This combination ensures the phishing page renders as it would for a real victim.

DataResearchTools mobile proxies provide carrier-level IPs across SEA markets, which is critical for bypassing the geo-based cloaking that phishers commonly employ in the region.
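To turn scan results like the table above into a finding, the responses from each vantage point can be compared to see which attribute the cloaking keys on. The following is an added example, not code from the original article; the observation records, field names and page bodies are constructed for illustration.

```python
import hashlib
from itertools import combinations

DIMENSIONS = ("country", "network", "user_agent")

def fingerprint(obs):
    """Status code plus a hash of the whitespace-normalised, lower-cased body."""
    body = " ".join(obs["body"].split()).lower()
    return obs["status"], hashlib.sha256(body.encode("utf-8")).hexdigest()

def cloaking_dimensions(observations):
    """Attributes whose change alone (others held equal) changes the response."""
    keyed = set()
    for a, b in combinations(observations, 2):
        changed = [d for d in DIMENSIONS if a[d] != b[d]]
        if len(changed) == 1 and fingerprint(a) != fingerprint(b):
            keyed.add(changed[0])
    return sorted(keyed)

def victim_view(observations):
    """Vantage points that received a page containing a password field."""
    return [(o["country"], o["network"], o["user_agent"])
            for o in observations
            if o["status"] == 200 and 'type="password"' in o["body"].lower()]

LOGIN = '<form><input name="user"><input type="password" name="pw"></form>'
BENIGN = "<html><body>Welcome to our blog</body></html>"

# Constructed observations of one reported URL (not real capture data).
OBSERVATIONS = [
    {"country": "MY", "network": "mobile", "user_agent": "mobile", "status": 200, "body": LOGIN},
    {"country": "SG", "network": "mobile", "user_agent": "mobile", "status": 404, "body": ""},
    {"country": "MY", "network": "datacenter", "user_agent": "mobile", "status": 200, "body": BENIGN},
    {"country": "MY", "network": "mobile", "user_agent": "desktop", "status": 200, "body": BENIGN},
]

if __name__ == "__main__":
    print("cloaking keyed on:", cloaking_dimensions(OBSERVATIONS))
    print("phishing content served to:", victim_view(OBSERVATIONS))
```

Pages that embed per-request tokens or timestamps will hash differently on every fetch, so strip those elements before fingerprinting real captures.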

Phishing Investigation

Once a phishing site is detected, security teams conduct deeper investigation:

Evidence collection workflow:

  1. Connect through the appropriate mobile proxy — Match the target country and carrier
  2. Access the phishing URL — Load the page in a sandboxed browser
  3. Capture full-page screenshots — Document the phishing page as victims see it
  4. Save the page source — Download complete HTML, CSS, JavaScript, and images
  5. Record network traffic — Capture HAR files showing all requests, including where stolen credentials are sent
  6. Identify the phishing kit — Analyze the code to determine which phishing kit is being used
  7. Map the infrastructure — Identify the hosting provider, domain registrar, and any related domains
  8. Check for credential exfiltration endpoints — Identify where the phishing form sends stolen data (often Telegram bots, email addresses, or remote servers)
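Steps 5 and 8 can be partly automated by scanning the recorded HAR file for requests that carry credential-like fields. This is an added example, not code from the original article; the credential field list, hosts and HAR fragment are constructed assumptions, and the submitted values are dummy canaries, never real credentials.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credential-like (assumed list; extend per target brand).
CRED_FIELDS = {"username", "user", "email", "password", "pass", "pin", "otp"}

def submitted_fields(request):
    """Names of all parameters sent in the query string or the request body."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(request["url"]).query)}
    post = request.get("postData") or {}
    names |= {p["name"].lower() for p in post.get("params", [])}
    mime, text = post.get("mimeType", ""), post.get("text", "")
    if "urlencoded" in mime:
        names |= {k.lower() for k, _ in parse_qsl(text)}
    elif "json" in mime and text:
        try:
            body = json.loads(text)
        except ValueError:
            body = None
        if isinstance(body, dict):
            names |= {k.lower() for k in body}
    return names

def find_exfil_endpoints(har, page_url):
    """List requests that carry credential-like fields or call the Telegram bot API."""
    page_host = urlsplit(page_url).hostname
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname
        hits = sorted(submitted_fields(req) & CRED_FIELDS)
        if hits or host == "api.telegram.org":
            findings.append({"method": req["method"], "host": host,
                             "off_site": host != page_host, "fields": hits})
    return findings

# Constructed HAR fragment (hypothetical hosts, placeholder bot token, dummy values).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://login.example.test/style.css"}},
    {"request": {"method": "POST", "url": "https://collector.example.net/save.php",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=canary&password=canary&lang=ms"}}},
    {"request": {"method": "POST", "url": "https://api.telegram.org/botPLACEHOLDER/sendMessage",
                 "postData": {"mimeType": "application/json",
                              "text": '{"chat_id": "0", "text": "canary"}'}}},
]}}

if __name__ == "__main__":
    for finding in find_exfil_endpoints(SAMPLE_HAR, "https://login.example.test/"):
        print(finding)
```

A HAR file only shows browser-side traffic, so kits that forward credentials from their server (by email, for instance) will show the form POST to the kit's own host and nothing further.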

Multi-carrier verification:

Access the phishing page from different carriers within the same country to confirm it is broadly accessible to potential victims, not just targeting a specific carrier’s users.

Monitoring Phishing Campaigns Over Time

Phishing operations often use multiple domains in rotation. Security teams use mobile proxies to:

  • Track domain rotation — As one phishing domain is taken down, monitor for the next one to appear
  • Monitor distribution channels — Check SMS gateways, messaging apps, and social media for new phishing links being distributed
  • Profile the attacker — Repeated monitoring through different IPs helps identify patterns in phishing kit deployment, hosting choices, and credential collection methods

Phishing Takedown Operations

Once evidence is collected, security teams initiate takedowns:

Hosting provider abuse reports:

  • Submit evidence (screenshots, source code, network logs) collected through mobile proxies
  • Include the proxy geo and carrier information to demonstrate the phishing page was accessible to real users in the target market
  • Many hosting providers require proof that the content is actually malicious, not just a parked domain

Domain registrar complaints:

  • File UDRP (Uniform Domain-Name Dispute-Resolution Policy) complaints for domains that infringe on brand trademarks
  • Provide evidence collected from mobile proxy sessions showing the phishing content

CERT coordination:

Work with national CERTs in each SEA country:

  • SingCERT (Singapore) — Cyber Security Agency of Singapore
  • MyCERT (Malaysia) — CyberSecurity Malaysia
  • ThaiCERT (Thailand) — Thailand Computer Emergency Response Team
  • CERT-PH (Philippines) — Department of ICT
  • ID-CERT / BSSN (Indonesia) — National Cyber and Crypto Agency

Browser and search engine blocklisting:

  • Submit phishing URLs to Google Safe Browsing and Microsoft SmartScreen
  • Provide evidence that the URLs serve malicious content when accessed from mobile IPs in the target region

Building an Anti-Phishing Monitoring System

Architecture

A comprehensive anti-phishing system using mobile proxies includes:

Feed ingestion:

  • Phishing URL feeds (PhishTank, OpenPhish, internal reports)
  • Brand monitoring alerts (domain registrations similar to your brand)
  • Threat intelligence feeds
  • User reports and abuse inbox

Proxy-based verification:

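def verify_phishing_url(url, target_country):
    """Check if a URL serves phishing content from a target country.

    get_mobile_proxy, fetch_with_proxy and check_phishing_indicators are
    placeholders for the team's own proxy, fetch and analysis helpers.
    """
    proxy = get_mobile_proxy(country=target_country)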

    # First attempt: mobile browser simulation
    response_mobile = fetch_with_proxy(
        url=url,
        proxy=proxy,
        user_agent="mobile",
        timeout=30
    )

    # Second attempt: different carrier
    proxy_alt = get_mobile_proxy(
        country=target_country,
        carrier="alternative"
    )
    response_alt = fetch_with_proxy(
        url=url,
        proxy=proxy_alt,
        user_agent="mobile",
        timeout=30
    )

    # Analyze responses for phishing indicators
    indicators = check_phishing_indicators(
        response_mobile,
        response_alt
    )

    return {
        "url": url,
        "is_phishing": indicators["score"] > 0.7,
        "confidence": indicators["score"],
        "evidence": indicators["details"],
        "screenshots": [response_mobile.screenshot, response_alt.screenshot]
    }

Analysis engine:

  • Compare page content against known phishing templates
  • Check for brand impersonation (logos, color schemes, language)
  • Analyze form actions to identify credential harvesting
  • Use ML classifiers trained on known phishing pages
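The form-action and brand-impersonation checks listed above can be sketched as a scorer that returns the same score-and-details shape the verification function consumes. This is an added example, not code from the original article; `score_page`, the weights, the brand "ExampleBank" and all hosts are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect text nodes and, per form, its action and any password input."""
    def __init__(self):
        super().__init__()
        self.forms, self.text, self.in_form = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.forms[-1]["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

    def handle_data(self, data):
        self.text.append(data.lower())

def score_page(html, page_url, brand, legit_domains):
    """Return {"score", "details"} for one fetched page. Weights are illustrative."""
    parser = FormCollector()
    parser.feed(html)
    host = urlsplit(page_url).hostname or ""
    on_legit = any(host == d or host.endswith("." + d) for d in legit_domains)
    score, details = 0.0, []
    if not on_legit and brand.lower() in " ".join(parser.text):
        score += 0.4
        details.append(f"brand name '{brand}' on unrelated host {host}")
    for form in (f for f in parser.forms if f["password"]):
        target = urlsplit(urljoin(page_url, form["action"])).hostname
        if not on_legit:
            score += 0.3
            details.append("password form on unrelated host")
        if target != host:
            score += 0.3
            details.append(f"form posts off-site to {target}")
        break  # score only the first password form
    return {"score": round(min(score, 1.0), 2), "details": details}

# Constructed pages; ExampleBank and all hosts are hypothetical.
PHISH = ('<title>ExampleBank Login</title><form action="https://collector.example.net/s.php">'
         '<input name="u"><input type="password" name="p"></form>')
LEGIT = '<title>ExampleBank Login</title><form action="/auth"><input type="password" name="p"></form>'
```

Scoring `PHISH` as fetched from an unrelated host crosses the 0.7 threshold used in the verification function, while `LEGIT` served from the brand's own domain scores zero.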

Alerting and response:

  • Real-time alerts for confirmed phishing pages
  • Automated takedown request submission
  • Dashboard showing active threats per market

Continuous Monitoring Best Practices

  1. Check URLs from multiple geos — A URL may be a phishing page for one country but benign for others
  2. Test at different times — Phishing pages may be time-limited; check during business hours in the target timezone
  3. Use fresh IPs — Rotate mobile proxies to avoid being blocklisted by the phisher
  4. Monitor post-takedown — After a takedown, continue monitoring the same URL and related domains for resurrection
  5. Track patterns — Build profiles of repeat phishing operators based on their techniques, infrastructure choices, and targeting patterns

Security Team Workflows

Threat Intelligence Enrichment

Security analysts use mobile proxies to enrich threat intelligence:

  • Access suspicious URLs safely from a geo-appropriate mobile IP
  • Determine if a reported URL is actively serving phishing content
  • Collect technical indicators of compromise (IoCs) for sharing with the security community
  • Cross-reference hosting infrastructure with known threat actor groups

Incident Response Support

During active phishing incidents:

  • Rapidly assess the scope of a phishing campaign across multiple SEA markets
  • Determine which markets are being targeted
  • Collect evidence for law enforcement referral
  • Monitor the phishing page in real time during the takedown process

Proactive Brand Monitoring

Security teams use mobile proxies proactively to:

  • Scan newly registered domains that resemble their brand
  • Check if these domains are serving phishing content in any SEA market
  • Monitor certificate transparency logs for SSL certificates issued to suspicious domains
  • Test URLs extracted from spam and phishing emails received by the organization

Technical Considerations

Safe Browsing Environment

When accessing phishing sites, security teams must protect their own systems:

  • Use sandboxed or virtual machine environments
  • Never enter real credentials into phishing forms
  • Disable JavaScript execution on first pass (some phishing kits use JS for cloaking or exploit delivery)
  • Use read-only browser profiles
  • Route all traffic through the mobile proxy to avoid exposing the team’s real IP

Data Handling

Phishing investigation data may contain sensitive information:

  • Store evidence securely with access controls
  • Handle any intercepted credentials with extreme care
  • Follow your organization’s data handling policies
  • Retain evidence for the duration required by legal and compliance teams

Legal Frameworks

Anti-phishing operations must comply with local laws:

  • Accessing phishing sites for investigation purposes is generally permitted for security researchers
  • Collecting and storing phishing page content is standard practice for evidence
  • Coordinating with law enforcement is recommended for large-scale phishing operations
  • Each SEA country has specific cybercrime laws that may affect investigation methods

Conclusion

Phishing remains one of the most damaging cyber threats across Southeast Asia, and the sophistication of phishing operations continues to increase. Mobile proxies give security teams the ability to bypass cloaking, see phishing pages as real victims would, and collect the evidence needed for effective takedowns. By combining mobile proxy infrastructure from providers like DataResearchTools with automated monitoring, structured investigation workflows, and coordination with regional CERTs and law enforcement, security teams can significantly reduce the lifespan and impact of phishing campaigns targeting their organizations and users.

