Home cheat home: The problem with residential proxies
How hidden networks turn your home connection into a cybercrime tool
Takeaways
- Residential proxies turn ordinary home internet connections into tools for cybercriminals by hiding their activities behind trusted internet protocol (IP) addresses.
- The authenticity of residential IP addresses makes them highly valuable, as organizations are more likely to trust requests from legitimate-looking sources.
- Most residential users are unaware that their devices are compromised, underscoring the need for vigilance and proactive measures to secure home networks.
In late January, Google and its partners took action to disrupt IPIDEA, one of the world's largest residential proxy networks. In this piece, we'll explore the basics of residential proxies, examine their role in cybercrime, speak to Google's efforts in reducing proxy problems, and offer advice to keep your home network safe.
What are residential proxies?
A proxy is an intermediary application or server that sits between your device, like a personal computer, mobile phone or home router, and the Internet. A familiar example is a virtual private network (VPN): your traffic leaves the VPN provider's server instead of your own connection, so when websites check the incoming IP address they see the VPN server's address, which may be in another city, state or country, rather than yours.
Legitimate proxy or VPN use. AI-generated illustration for educational purposes.
Threat actor using a residential proxy. AI-generated illustration for educational purposes.
A residential proxy turns this arrangement around. Instead of your traffic leaving through someone else's server, an outside party's traffic leaves through your connection: the proxy customer sends their request to your computer (or phone, router or smart TV), which forwards it to the destination website from your home IP address. The reply is then sent back to your computer, which forwards it on to the unauthorized user.
In many cases, the owner of the device never notices that it has been turned into a proxy node.
Residential proxy networks are made up of thousands to millions of residential IP addresses. They are typically managed by providers or hosting companies that don't ask questions about how their customers use these IPs or why they require residential access.
The value of these residential IP addresses is authenticity—something traditional proxy infrastructure can’t easily replicate.
Consider two phone calls. One is from a trusted friend, telling you they got a great deal on a product you'd both been looking for, and where you can find it online. The other is from a company you interacted with once, offering the same information. While the content is the same, the source is different. You're more likely to trust someone you know than someone you don't.
Residential IP addresses offer the same type of confidence to organizations. If a request appears to come from a residential user, they're inclined to extend trust to it.
How do they enable cybercrime?
Cybercriminals don't want law enforcement to track their location or infiltrate their network. As a result, they have traditionally masked their traffic behind IP addresses belonging to datacenter, hosting and commercial VPN providers. Those address ranges are well catalogued, however, and the fraud-detection systems used by financial, e-commerce and government websites now recognize them and block or challenge requests that come from them.
Residential proxies allow bad actors to route their traffic through the IP addresses of legitimate home users and sidestep those checks. This works because many systems classify residential addresses as low risk: if a security system can verify that an IP address belongs to a residential ISP in a plausible location, it is far less likely to flag the request. The check answers the question "whose address is this?", not "who is sending traffic through it?", and a residential proxy exploits exactly that gap.
Large-scale residential proxy network (example: IPIDEA). AI-generated illustration for educational purposes.
This offers multiple opportunities for bad actors, including:
- Copyright infringements
- Ad fraud and click fraud
- Bypassing antifraud systems
- Password and credential spraying attacks
- Spreading social media misinformation
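The following example is added here to make the preceding point concrete; it is not code from the original article or from Google. It contrasts the naive rule described above (residential source address means low risk) with a check that still works when every source address in an attack is residential: counting distinct accounts failing per time window, which is how a credential spray spread across a residential proxy pool can be caught even though no single IP trips a per-IP lockout. The IP class table, the address ranges (RFC 5737 documentation ranges standing in for hosting and home-ISP space) and the login events are all constructed for the example; a real deployment would take the class table from an IP-intelligence feed.

```python
"""
Added example, not code from the original article or from Google/GTIG.

Contrasts reputation-only IP scoring (residential => low risk) with a
per-window distinct-account count that survives distribution of a
credential spray across many residential exit IPs. All address ranges,
class labels and login events are constructed for this example.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical IP-class table. The RFC 5737 documentation ranges stand in
# for real hosting and home-ISP address space.
IP_CLASSES = {
    ip_network("203.0.113.0/24"): "datacenter",    # stands in for hosting space
    ip_network("198.51.100.0/24"): "residential",  # stands in for home ISP A
    ip_network("192.0.2.0/24"): "residential",     # stands in for home ISP B
}


def ip_class(ip: str) -> str:
    """Look the address up in the class table; 'unknown' if no range matches."""
    addr = ip_address(ip)
    for net, cls in IP_CLASSES.items():
        if addr in net:
            return cls
    return "unknown"


def reputation_only_risk(ip: str) -> str:
    """The rule residential proxies exploit: residential source => low risk."""
    return "low" if ip_class(ip) == "residential" else "high"


def spray_risk(events, window_seconds=600, min_accounts=10, lockout_threshold=3):
    """Score one window of FAILED logins.

    events: iterable of (unix_ts, source_ip, username).
    A credential spray tries a few passwords against many accounts; routed
    through a residential proxy pool it also spreads the attempts over many
    source IPs so no single IP crosses the per-IP lockout threshold. The
    signal that survives that evasion is the number of distinct accounts
    failing inside the window, regardless of where the requests came from.
    """
    events = sorted(events)
    if not events:
        return {"verdict": "ok", "accounts": 0, "ips": 0, "residential_ips": 0,
                "max_per_ip": 0, "evades_per_ip_lockout": False}
    start = events[0][0]
    in_window = [e for e in events if e[0] - start <= window_seconds]
    accounts = {user for _, _, user in in_window}
    per_ip = Counter(ip for _, ip, _ in in_window)
    max_per_ip = max(per_ip.values())
    return {
        "verdict": "spray" if len(accounts) >= min_accounts else "ok",
        "accounts": len(accounts),
        "ips": len(per_ip),
        "residential_ips": sum(1 for ip in per_ip if ip_class(ip) == "residential"),
        "max_per_ip": max_per_ip,
        # True when every source stayed under the lockout threshold, i.e. a
        # per-IP rule on its own would have let the whole spray through.
        "evades_per_ip_lockout": max_per_ip <= lockout_threshold,
    }


# Constructed sample data (not real logs).
_BASE = 1_700_000_000
_PROXY_POOL = ["198.51.100.7", "198.51.100.42", "198.51.100.201",
               "192.0.2.15", "192.0.2.88", "192.0.2.130"]

# 12 accounts, one failure each, rotated over 6 residential exit IPs inside
# five minutes: two attempts per IP, well under a 3-strike lockout.
SPRAY_EVENTS = [(_BASE + 20 * i, _PROXY_POOL[i % len(_PROXY_POOL)], f"user{i:02d}")
                for i in range(12)]

# One person mistyping their password three times from a hosting-provider
# address (say, a corporate VPN egress). Reputation-only scoring calls this
# "high" risk while calling every spray attempt above "low".
BENIGN_EVENTS = [(_BASE + 30 * i, "203.0.113.9", "alice") for i in range(3)]


if __name__ == "__main__":
    for _, ip, user in SPRAY_EVENTS[:3]:
        print(f"{ip:16} {user:8} reputation-only risk: {reputation_only_risk(ip)}")
    print("spray window :", spray_risk(SPRAY_EVENTS))
    print("benign window:", spray_risk(BENIGN_EVENTS))
```

Run as a script, it shows every spray attempt scored "low" by the reputation rule while the single honest user on a hosting address is scored "high"; the window count reports 12 distinct accounts over 6 residential IPs with at most 2 attempts per IP, so a per-IP lockout would not have fired. Thresholds (window length, account count, lockout) are assumptions to be tuned against your own authentication logs.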
While there are legitimate use cases for residential proxy networks, such as online anonymity for increased individual protection or multi-location SEO monitoring for companies, these networks are often managed by companies that don't ask questions about what users are doing or why.
Google vs. IPIDEA: disrupting residential proxy operations
One of the world's largest residential proxy networks was IPIDEA. Operated by a company based in China, the network hijacked millions of end-user devices, including computers, smartphones and smart TVs, without their owners' consent. IPIDEA got its proxy program onto these devices by packaging it as a software development kit (SDK) that other applications bundled.
In some cases, the company paid developers to include these SDKs in their applications, which in turn infected devices. IPIDEA also offered "free" VPNs that installed the proxy software when used and embedded its SDKs in free applications and games. While IPIDEA and similar networks often claim publicly that their residential proxies are obtained legitimately and with consent, analysis of IPIDEA SDKs showed they were designed to be embedded within other applications and without any mechanism for consent.
To help reduce the residential proxy risk and impede IPIDEA operations, the Google Threat Intelligence Group (GTIG) carried out three actions:
- Took down domains used to control devices and proxy traffic.
- Shared intelligence on IPIDEA software development kits and proxy software tools with law enforcement and research firms to improve awareness and enforcement.
- Ensured that Google Play Protect for Android devices automatically warned users about IPIDEA applications, removed these applications if installed, and blocked any future install attempts.
According to Google, these combined efforts have "caused significant degradation of IPIDEA's proxy network and business operations, reducing the available pool of devices for the proxy operators by millions." Although this doesn't eliminate the threat posed by IPIDEA and similar proxy networks, Google's actions have made it more difficult for malicious actors to install and operate proxy servers without user consent.
Protecting yourself from residential proxies
If your device has been enrolled in a residential proxy network and a malicious actor routes traffic through it, that traffic is attributed to your IP address, and you could find yourself in the crosshairs of law enforcement or fraud investigations. In addition, the proxy software may carry malware and other payloads that affect the function of your device.
To protect yourself from residential proxies, the FBI recommends:
- Avoiding TV streaming services that claim to provide free content, such as movies or sports
- Being cautious when using any VPN service, especially those that are free
- Only using trusted application stores and applications from well-known publishers
- Ensuring all operating systems, applications, and security tools are up-to-date
It's also a good idea to regularly run antivirus and antimalware scans on your device.
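Beyond scanning individual devices, you can look at the home network as a whole. The check below is an added example, not code from the original article, Google or the FBI: a device acting as a proxy exit node opens connections to far more distinct Internet hosts than a TV or phone normally does, and a router's connection-tracking table shows that. The script reads lines in the format of Linux /proc/net/nf_conntrack, which many consumer routers running Linux or OpenWrt expose; the LAN range, the threshold and the sample lines are assumptions constructed for the example.

```python
"""
Added example, not code from the original article, Google, or the FBI.

Heuristic check for a home-LAN device that behaves like a proxy exit node:
it talks to far more distinct outside hosts than a TV or phone normally
would. Reads lines in the format of Linux /proc/net/nf_conntrack. The LAN
range, threshold and sample entries are assumptions for this example.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumption: the home network range
# First (original-direction) tuple of a conntrack entry.
_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(lines):
    """Map each LAN host to the set of outside destinations it is talking to.

    Only the original-direction tuple is used, so NAT'd reply tuples (which
    carry the router's public address) do not pollute the count. IPv6
    entries fall out of the LAN membership test and are ignored.
    """
    dests = defaultdict(set)
    for line in lines:
        m = _TUPLE_RE.search(line)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        try:
            src_ip, dst_ip = ip_address(src), ip_address(dst)
        except ValueError:
            continue  # malformed line
        if src_ip in LAN and dst_ip not in LAN:
            dests[src].add(dst)
    return dests


def suspicious_hosts(lines, max_distinct_dsts=25):
    """LAN hosts talking to at least max_distinct_dsts distinct outside hosts.

    The threshold is an assumption; tune it against a few days of your own
    router's data. A laptop with many browser tabs can exceed it, so treat a
    hit as a reason to inspect the device, not as proof of compromise.
    """
    return sorted(host for host, d in parse_conntrack(lines).items()
                  if len(d) >= max_distinct_dsts)


def _ct(src, dst, sport, dport):
    """Build one constructed nf_conntrack line (router WAN IP 198.51.100.7)."""
    return (f"ipv4     2 tcp      6 431999 ESTABLISHED src={src} dst={dst} "
            f"sport={sport} dport={dport} src={dst} dst=198.51.100.7 "
            f"sport={dport} dport={sport} [ASSURED] mark=0 use=1")


# Constructed sample: a laptop with a handful of HTTPS sessions, and a smart
# TV holding sessions to 40 unrelated hosts on assorted ports, which is what
# a device forwarding other people's traffic looks like from the router.
SAMPLE_CONNTRACK = (
    [_ct("192.168.1.20", f"203.0.113.{i}", 51000 + i, 443) for i in range(1, 6)]
    + [_ct("192.168.1.30", f"203.0.113.{10 + i}", 40000 + i, (80, 443, 8443)[i % 3])
       for i in range(40)]
)

if __name__ == "__main__":
    for host, d in sorted(parse_conntrack(SAMPLE_CONNTRACK).items()):
        print(f"{host:16} {len(d):3} distinct destinations")
    print("suspicious:", suspicious_hosts(SAMPLE_CONNTRACK))
```

On a real router you would feed it `cat /proc/net/nf_conntrack` (or the output of the `conntrack -L` tool) instead of the constructed lines. A device that shows up repeatedly is worth checking for recently installed "free" VPN or streaming apps, and for vendor firmware updates.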
Reducing proxy risk: It's a team effort
Bottom line? While residential proxies remain problematic, global organizations such as Google are now taking steps to limit their impact. But companies can't solve this problem alone. To reduce the risk of unauthorized installation and IP hijacking, avoid streaming services that are too good to be true, take a pass on free VPNs, and always use trusted application stores when downloading new software.
Subscribe to the Barracuda Blog.