This month marks the 20th anniversary of Cybersecurity Awareness Month, an opportunity to bring attention to the threats that businesses and their employees face as they interact with websites, apps and other people. Launched in 2004 as a collaborative effort between the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), Cybersecurity Awareness Month seeks to educate both businesses and individuals about the current and emerging threats they may encounter online.
In that spirit of awareness, this blog post covers a threat that Digital Element has seen grow to an alarming degree over the past 18 months: residential IP proxy networks.
Numerous networks offer to make thousands, even tens of thousands of legitimate residential IPs available to parties seeking anonymity online, and at very little cost. Should this matter to you?
The short answer is yes: parties who use these proxies may be doing so in order to look like “customers” accessing your site or apps, while in reality they are bots or bad actors in disguise.
What is a Residential Proxy IP Network?
Residential proxy IP networks use the IP addresses of consumers who sign up for any of a number of apps that pay them to share their internet bandwidth. Those apps become gateways for other clients of the app provider. Put another way, residential proxy networks enable consumers with residential internet access to “sublet” their IP address to residential proxy network subscribers, whose internet traffic then appears to originate from the sublet IP address.
These residential proxy networks allow entities to purchase residential proxy IPs at scale, from any region desired, thereby posing a threat to all companies with gated web properties. What looks like a residential user in an appropriate location may actually be a bot or malicious actor hiding behind a proxy.
We have also seen evidence that bad actors leverage residential IP proxy networks to commit ad fraud, gift card schemes, access content that’s restricted by geo-location, as well as crawl government and other websites searching for PII data, such as Social Security numbers or other government ID numbers.
While residential proxy IP networks have been available for some time, what is changing is the exponential growth in both the number of networks and their scale. Certain proxy networks boast access to hundreds of thousands of residential IP addresses, which are made available to anyone willing to pay. This escalation demonstrates the need for heightened vigilance and robust security measures to combat the risks associated with these networks.
Building a Pool of Residential IP Proxies
How do residential IP proxy networks obtain those thousands of IP addresses? The networks rely on multiple strategies, such as providing an SDK to app developers who want to monetize their apps, or convincing the provider of a browser extension to include their code. They can also leverage a botnet to obtain residential IPs.
Consumers also play an important role in residential proxy IP networks, often unwittingly. The proxy networks tell consumers that by sharing their internet bandwidth, they can earn easy money. To get paid, all the consumer needs to do is install an app — Pawns.app, Honeygain, Peer2profit, PacketStream to name a few — and start collecting passive income. The amount of money they earn isn’t huge; payments range from $0.20 per GB of shared data to $75 per month. Still, it’s easy money.
The networks inform consumers that their internet connection will be shared, and some, such as Honeygain, verify the use cases of their clients. Others, such as 911 S5, offer free VPN services to consumers and harvest their IP addresses with their consent.
Consumers have no way of knowing who uses their IP address, and to what end. They are just left to trust the service. Some of the apps promise that the consumer’s data will only be sold to “credible” companies that use it for verified use cases, such as competitive analysis. But this still exposes consumers to risk. A bad actor may use their IP addresses to engage in DDoS or other nefarious attacks, resulting in a permanent ban from some sites.
This isn’t a theoretical risk. We know that residential proxies have been used in a range of crimes, including ad fraud and DDoS attacks. In the summer of 2022, the FBI seized the website Rsocks.net and shut down a botnet that engaged in malicious activity with the help of a residential proxy network.
Dangers Residential IP Proxy Networks Pose to Security Teams
Every organization has multiple layers of security, including web application firewalls (WAFs) and content delivery networks (CDNs). Unfortunately, the proliferation of residential proxy networks means these tools have a significant blind spot that must be addressed.
A WAF protects your web applications by monitoring, filtering, and blocking malicious HTTP/S traffic traveling to a web application, and prevents unauthorized data from leaving the application. It does this by adhering to a set of policies, including context around the IP address, that help determine which traffic is malicious and which is safe. If, for instance, corporate security policy mandates that all non-residential IP addresses, as well as addresses from a specific geolocation, be blocked, the firewall will block all traffic that matches those criteria.
If, however, the traffic is residential and has a permissible geolocation, it will be deemed legitimate. Today those two data points are no longer sufficient, and security teams need far more context around IP addresses to understand their incoming traffic.
But while WAFs and CDNs can be deployed to protect organizations against things like scraping and DDoS attacks, they can be tricked into providing access to your network if the attackers are using the services of a residential proxy network. And in case you’re wondering, these residential proxy services aren’t very expensive to use.
How Digital Element Detects Residential IP Proxies
Digital Element devotes tremendous resources to maintaining the most accurate and meaningful IP geolocation data for our customers. Included in that is our ongoing focus on emergent technologies, such as residential proxy networks, to ensure our customers can depend on us not only for reliable geolocation data, but also for insights regarding important shifts that could impact their business.
IP addresses contain a lot of contextual data that help us predict the legitimacy of a user behind a device. That contextual data includes attributes such as activity level and IP stability. We know, for instance, that proxied IP addresses are shared by clients all over the world, so they are likely to be seen in multiple locations. That’s an important insight for clients; if an IP address remains consistently associated with a specific location for an extended period, it is less likely to be a proxy.
IP address intelligence data, such as activity levels and stability, can’t decipher between legitimate and illegitimate users alone, but it can provide much needed context that organizations can use to make smart decisions to protect their advertising budgets and corporate data.
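As an added example (not Digital Element's code and not the logic of the Nodify product), the following Python profiler applies the two context signals described above, location stability and activity level, to constructed sample sightings, and then feeds the result into the two-stage policy the WAF section sketches: block non-residential or out-of-geo traffic outright, and challenge rather than pass residential traffic whose history looks like a shared proxy exit. The IP addresses, the thresholds (30-day window, 14 stable days, more than two distinct locations) and the allowed-country list are all constructed assumptions.

```python
"""Score IPs by location stability and activity level, then apply a WAF-style
policy that uses that context. Added example; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    ip: str
    seen_at: datetime
    country: str  # ISO country code from geolocation at the time of sighting
    city: str


def _t(day: int, hour: int = 12) -> datetime:
    """Timestamp inside a constructed 30-day window starting 2023-10-01."""
    return datetime(2023, 10, 1) + timedelta(days=day, hours=hour)


# Constructed sample sightings (not real observations).
SAMPLE_OBSERVATIONS = [
    # 203.0.113.10: one city, seen every few days all month -> stable
    *[Observation("203.0.113.10", _t(d), "US", "Atlanta") for d in range(0, 30, 3)],
    # 198.51.100.7: a "residential" IP that shows up in four countries in a week
    Observation("198.51.100.7", _t(1), "US", "Denver"),
    Observation("198.51.100.7", _t(2), "DE", "Berlin"),
    Observation("198.51.100.7", _t(2, 20), "BR", "Sao Paulo"),
    Observation("198.51.100.7", _t(4), "JP", "Tokyo"),
    Observation("198.51.100.7", _t(5), "US", "Denver"),
    # 192.0.2.33: only two sightings, too little history to judge
    Observation("192.0.2.33", _t(10), "FR", "Paris"),
    Observation("192.0.2.33", _t(11), "FR", "Paris"),
]


def profile_ips(observations, window=timedelta(days=30),
                min_stable_days=14, max_locations=2):
    """Per-IP summary of stability and activity within the window, with a label.

    Thresholds are assumptions: an IP tied to one location for at least
    min_stable_days is 'stable'; one seen in more than max_locations distinct
    locations is 'likely_shared_exit'; anything else is 'insufficient_history'.
    """
    by_ip = defaultdict(list)
    for ob in observations:
        by_ip[ob.ip].append(ob)

    profiles = {}
    for ip, obs in by_ip.items():
        obs.sort(key=lambda o: o.seen_at)
        latest = obs[-1].seen_at
        recent = [o for o in obs if latest - o.seen_at <= window]
        locations = {(o.country, o.city) for o in recent}
        # How often consecutive sightings jump between locations.
        churn = sum(1 for a, b in zip(recent, recent[1:])
                    if (a.country, a.city) != (b.country, b.city))
        span_days = (recent[-1].seen_at - recent[0].seen_at).total_seconds() / 86400
        sightings_per_day = len(recent) / max(span_days, 1.0)  # activity level

        if len(locations) > max_locations:
            label = "likely_shared_exit"
        elif len(locations) == 1 and span_days >= min_stable_days:
            label = "stable"
        else:
            label = "insufficient_history"

        profiles[ip] = {
            "locations": len(locations),
            "churn": churn,
            "span_days": round(span_days, 1),
            "sightings_per_day": round(sightings_per_day, 2),
            "label": label,
        }
    return profiles


# Constructed policy: stands in for "permissible geolocation" in the text.
ALLOWED_COUNTRIES = {"US", "CA"}


def decide(ip: str, ip_type: str, country: str, profiles) -> str:
    """WAF-style decision. Baseline rule: block non-residential or disallowed geo.
    Extended rule: residential IPs whose history looks like a shared proxy exit
    get a challenge (e.g. step-up verification) instead of a pass."""
    if ip_type != "residential" or country not in ALLOWED_COUNTRIES:
        return "block"
    label = profiles.get(ip, {}).get("label", "insufficient_history")
    if label == "likely_shared_exit":
        return "challenge"
    return "allow"


if __name__ == "__main__":
    profiles = profile_ips(SAMPLE_OBSERVATIONS)
    for ip, profile in profiles.items():
        print(ip, profile)
    print(decide("198.51.100.7", "residential", "US", profiles))  # challenge
    print(decide("203.0.113.10", "residential", "US", profiles))  # allow
```

The baseline rule alone would have admitted 198.51.100.7 as a US residential address; only the history (four locations and four location changes in four days) turns the decision into a challenge, which is the blind spot the post describes. In production the sightings would come from your own access logs or an IP intelligence feed rather than an inline list.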
Digital Element’s Nodify Threat Intelligence solution provides critical contextual information to help identify inbound or outbound traffic tied to VPNs, proxies, or the darknet. In turn, businesses gain insights that help them protect against nefarious actors while reducing risk and cost.
Focus on Residential IP Proxy Network Traffic this Cybersecurity Awareness Month
As a cybersecurity professional, you’re well aware of the cybercriminal’s astute skills and motivation to innovate new methods to find their way into corporate systems so they can steal data. Cybersecurity Awareness Month is a good time to take time out of busy schedules to do a deep dive on the cybercriminal’s newest tools.
If you’d like to learn more about Nodify and residential IP proxy traffic detection, visit https://www.digitalelement.com/solutions/threat-intelligence/nodify/ or reach out to firstname.lastname@example.org