Residential proxies: understanding the risks for organizations

Proxyware can make cyber attacks on organizations harder to detect – sometimes making the latter unwitting accomplices in crime.

Every day, millions of ordinary Internet users hand over the use of their computers, smartphones, or home routers to complete strangers – whether they know it or not. They install proxyware – a proxy server that accepts Internet requests from these strangers and forwards them to the target server. Access to such proxyware is usually sold by specialized companies, which we will refer to in this article as residential proxy providers (RPPs). Although some businesses use RPP services for legitimate purposes, the presence of proxyware on most work computers is a sign of illegal activity.

RPPs compete with each other, boasting the variety and quantity of available IP addresses, which can reach into the millions. This market is fragmented, opaque, and poses unique risks for organizations and their cybersecurity teams.

Why are residential proxies used?

The days when the Internet looked the same for everyone are long gone. Today, major online services tailor content by region, websites filter content (sometimes excluding entire countries and continents), and service functionality may vary from country to country. Residential proxies provide a way to analyze, block, and bypass such filters. RPPs often advertise use cases such as market research (competitive pricing), ad verification, web scraping for data collection and AI training, analysis of search engine results, and more.

While commercial VPNs and data center proxies offer similar features, many services can detect them based on known data center IP ranges or heuristics. Residential proxies running on real home devices are much harder to identify.

Proxyware: a grey market

The residential proxy market is complex because sellers, buyers, and participants range from fully legitimate (voluntary participation, best practices followed) to outright illegal. Some RPPs maintain official websites with transparent information, real addresses, testimonials from major clients, etc. Others operate in the shadows of hacker forums and the dark web, taking orders via Telegram. Even seemingly legitimate providers often lack adequate customer authentication and struggle to provide clear information about the origins of their “nodes” – that is, the home computers and smartphones running proxy software. This lack of transparency is sometimes caused by RPPs relying on subcontractors for infrastructure, leaving them unaware of the true source of their proxies.

Where do residential proxies come from?

Let’s list the main ways to get new nodes for a residential proxy network — from the most benign to the most unpleasant:

“Earn on your Internet” applications. Users are encouraged to run proxyware on their devices so that others can use their Internet connection while the computer and link are lightly loaded, and are paid monthly for it. While seemingly straightforward, these programs often fail to adequately inform users of what is happening on their computers and smartphones.
Apps and games monetized with proxyware. A publisher embeds an RPP component into its games or applications and earns revenue from the traffic passing through users’ devices. Ideally, users or players should be able to opt in, or to choose an alternative monetization method such as ads or in-app purchases. In practice, transparency and user choice are often overlooked.
Covert installation of proxyware. An application or attacker installs an RPP app or library on a computer or smartphone without the user’s consent. With luck, the owner may still notice this “feature” and remove it relatively easily.
Criminal proxyware. This scenario mirrors the previous one in that user consent is ignored, but the persistence and hiding techniques are more sophisticated. Criminal proxyware uses all available means to help attackers gain a foothold in the system and conceal their activity. Such malware can also spread within the local network, compromising additional devices.

How to address proxyware risks in an organization’s cybersecurity policy

Proxyware infections. Organizations may discover one or more computers exhibiting proxyware activity. A common and relatively harmless scenario involves employees installing free software that was secretly bundled with proxyware. Even then, the company not only pays for unauthorized bandwidth usage, but also risks ending up on various ban lists if malicious activity originating from the compromised device is detected. In particularly serious cases, companies may need to prove to law enforcement that they are not harboring hackers.

The situation becomes even more complicated when proxyware is only one element of a wider malware infection. Proxyware often goes hand in hand with cryptocurrency mining – both are attempts to monetize access to company resources when other options seem less profitable or have already been exhausted. Therefore, when proxyware is detected, a thorough log analysis is crucial to determine the infection vector and identify any other malicious activity.

To reduce the risk of malware, including proxyware, organizations should consider implementing authorization policies on work computers and smartphones: software installation is restricted to the IT department, and only approved applications are allowed to run. If strict allowlisting is not possible, it is important to add known proxyware libraries and applications to your EPP/EDR deny list.

An additional layer of protection includes blocking communications with known proxy command and control servers across the internal network. Effective enforcement of these policies requires access to threat intelligence sources to regularly update rules with new data.
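A defender-side sketch of the two checks described above (contact with deny-listed proxyware control servers, plus per-host egress fan-out, which is what a node forwarding strangers’ requests produces), added here as an example that is not from the original article. The flow-log lines and the `rpp-control.placeholder` name are constructed, and the thresholds are illustrative.

```python
"""Added example (not from the article): flag hosts whose egress looks like a
residential-proxy node, using constructed flow-log lines. Signals checked:
contact with a deny-listed control server, and wide destination fan-out."""
from collections import defaultdict

# Constructed flow records: src_host,dst_host,bytes_out
SAMPLE_FLOWS = """\
ws-017,intranet.example,4100
ws-017,mail.example,22000
ws-042,rpp-control.placeholder,900
ws-042,shop-a.example,310000
ws-042,news-b.example,287000
ws-042,video-c.example,1900000
ws-042,cdn-d.example,640000
ws-042,site-e.example,75000
ws-099,intranet.example,5200
"""
# Placeholder deny list; real entries come from threat-intelligence feeds.
KNOWN_RPP_C2 = {"rpp-control.placeholder"}

def parse_flows(text):
    """Parse 'src,dst,bytes' lines into (src, dst, int) tuples."""
    return [(s, d, int(b)) for s, d, b in
            (line.split(",") for line in text.splitlines() if line.strip())]

def find_suspect_hosts(flows, min_distinct_dst=5, min_bytes=1_000_000):
    """Return {host: [reasons]} for hosts matching either signal."""
    dsts, out_bytes, c2 = defaultdict(set), defaultdict(int), defaultdict(set)
    for src, dst, nbytes in flows:
        dsts[src].add(dst)
        out_bytes[src] += nbytes
        if dst in KNOWN_RPP_C2:
            c2[src].add(dst)
    suspects = {}
    for host, targets in dsts.items():
        reasons = []
        if c2[host]:
            reasons.append("contacted deny-listed server: " + ",".join(sorted(c2[host])))
        # A node forwarding strangers' requests talks to many unrelated servers
        # and moves far more bytes than a workstation doing its own browsing.
        if len(targets) >= min_distinct_dst and out_bytes[host] >= min_bytes:
            reasons.append(f"fan-out to {len(targets)} destinations, {out_bytes[host]} bytes out")
        if reasons:
            suspects[host] = reasons
    return suspects

if __name__ == "__main__":
    for host, reasons in find_suspect_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", "; ".join(reasons))
```

Thresholds must be tuned per environment; a build server or a backup host legitimately fans out far more than a typical workstation.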
