State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls

A state-sponsored threat actor has been exploiting a zero-day in Palo Alto Networks firewalls for the past two weeks.


SecurityWeek – Read More

CISA Issues Emergency Directive After Midnight Blizzard Microsoft Hits

Though Federal Civilian Executive Branch (FCEB) agencies are the primary targets, CISA encourages all organizations to up their security, given the high risk.

darkreading – Read More

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

Change Healthcare ransomware hackers already received a $22 million payment. Now a second group is demanding money, and it has sent WIRED samples of what they claim is the company’s stolen data.

Security Latest – Read More

Apple Alerts iPhone Users in 92 Countries to Mercenary Spyware Attacks

Apple recommends that iPhone users install software updates, use strong passwords and 2FA, and don’t open links or attachments from suspicious emails to keep their device safe from spyware.

Security | TechRepublic – Read More

The Race for AI-Powered Security Platforms Heats Up

Microsoft, Google, and Simbian each offer generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

darkreading – Read More

LastPass Dodges Deepfake Scam: CEO Impersonation Attempt Thwarted

By Waqas

Cybercriminals using deepfakes to target businesses! LastPass narrowly avoids security breach after employee identifies fake CEO in WhatsApp call. Read how LastPass is urging awareness against evolving social engineering tactics.


Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

Wiz Acquires Gem Security, Pushes Security Tools Consolidation

Financial terms of the transaction were not disclosed, but reports out of Tel Aviv valued the deal in the range of $350 million.


SecurityWeek – Read More

Mitigating the risks of residential proxies | Kaspersky official blog

Every day, millions of ordinary internet users grant usage of their computers, smartphones, or home routers to complete strangers — whether knowingly or not. They install proxyware — a proxy server that accepts internet requests from these strangers and forwards them via the internet to the target server. Access to such proxyware is typically provided by specialized companies, which we’ll refer to as residential proxy providers (RPPs) in this article. While some businesses utilize RPP services for legitimate purposes, more often their presence on work computers indicates illicit activity.

RPPs compete with each other, boasting the variety and quantity of their available IP addresses, which can reach millions. This market is fragmented, opaque, and poses unique risks to organizations and their cybersecurity teams.

Why are residential proxies used?

The age when the internet was the same for everyone has long passed. Today, major online services tailor content based on region, websites filter content — excluding entire countries and continents, and a service’s functionalities may differ across countries. Residential proxies offer a way to analyze, circumvent, and bypass such filters. RPPs often advertise use cases for their services like market research (tracking competitor pricing), ad verification, web scraping for data collection and AI training, search engine result analysis, and more.

While commercial VPNs and data-center proxies offer similar functionalities, many services can detect them based on known data-center IP ranges or heuristics. Residential proxies, operating on actual home devices, are significantly harder to identify.

What RPP websites conveniently omit are the dubious and often downright malicious activities for which residential proxies are systematically used. Among them:

credential stuffing attacks, including password spraying, as in the recent Microsoft breach;
infiltrating an organization using legitimate credentials — using residential proxies from specific regions can prevent suspicious login heuristic rules from triggering;
covering up signs of cyberattacks — it’s harder to trace and attribute the source of malicious activity;
fraudulent schemes involving credit and gift cards. Residential proxies can be used to bypass anti-fraud systems;
conducting DDoS attacks. For example, a large series of DDoS attacks in Hungary was traced back to the White Proxies RPP;
automated market manipulation, such as high-speed bulk purchases of scarce event tickets or limited-edition items (sneaker bots);
marketing fraud — inflating ad metrics, generating fake social media engagement, and so on;
spamming, mass account registration;
CAPTCHA bypass services.

Proxyware: a grey market

The residential proxy market is complex because its sellers, buyers, and participants are not necessarily legitimate (voluntary and adhering to best practices); some are blatantly illegal. Some RPPs maintain official websites with transparent information, real addresses, recommendations from major clients, and so on. Others operate in the shadows of hacker forums and the dark web, taking orders through Telegram. Even seemingly legitimate providers often lack proper customer verification and struggle to provide clear information about the origins of their “nodes” — that is, the home computers and smartphones on which proxyware is installed. Sometimes this lack of transparency stems from RPPs relying on subcontractors for infrastructure, leaving them unaware of the true source of their proxies.

Where do residential proxies come from?

Let’s list the main methods of acquiring new nodes for a residential proxy network — from the most benign to the most unpleasant:

“earn on your internet” applications. Users are incentivized to run proxyware on their devices to provide others with internet access when the computer and connection channel have light loads. Users are paid for this monthly. While seemingly consensual, these programs often fail to adequately inform users of what exactly will be happening on their computers and smartphones;
proxyware-monetized apps and games. A publisher embeds RPP components within their games or applications, generating revenue based on the traffic routed through users’ devices. Ideally, users or players should have the choice to opt in or choose alternative monetization methods like ads or buying the application. However, transparency and user choice are often neglected;
covert installation of proxyware. An application or an attacker can install an RPP app or library on a computer or smartphone without user consent. If the owner is lucky, they may notice this “feature” and remove it relatively easily;
This scenario mirrors the previous one in that the user consent is ignored, but persistence and concealment techniques are more complex. Criminal proxyware uses all means available to help attackers gain a foothold in the system and hide their activity. Malware may even spread within the local network, compromising additional devices.

How to address proxyware risks in an organization’s cybersecurity policy

Proxyware infections. Organizations may discover one or more computers exhibiting proxyware activity. A common and relatively harmless scenario involves employees installing free software that was covertly bundled with proxyware. In this scenario, the company not only pays for unauthorized bandwidth usage, but also risks ending up on various ban lists if malicious activity is found to originate from the compromised device. In particularly severe cases, companies may need to prove to law enforcement that they aren’t harboring hackers.

The situation becomes even more complex when proxyware is just one element of a broader malware infection. Proxyware often goes hand in hand with mining — both are attempts to monetize access to the company’s resources if other options seem less profitable or have already been exploited. Therefore, upon detecting proxyware, thorough log analysis is crucial to determine the infection vector and identify other malicious activities.

To mitigate the risk of malware, including proxyware, organizations should consider implementing allowlisting policies on work computers and smartphones, restricting software installation and launch only to applications approved by the IT department. If strict allowlisting isn’t feasible, adding known proxyware libraries and applications to your EPP/EDR denylist is essential.

An additional layer of protection involves blocking communication with known proxyware command and control servers across the entire internal network. Implementing these policies effectively requires access to threat intelligence sources in order to regularly update rules with new data.

Credential stuffing and password spraying attacks involving proxyware. Attackers often attempt to leverage residential proxies in regions close to the targeted organization’s office to bypass geolocation-based security rules. The rapid switching between proxies enables them to circumvent basic IP-based rate limiting. To counter such attacks, organizations need rules that detect unusual spikes in failed login attempts. Identifying other suspicious user behavior such as frequent IP changes and failed login attempts across multiple applications is also crucial. For organizations with multi-factor authentication (MFA), implementing rules that trigger upon rapid, repeated MFA requests can also be effective, as this could indicate an ongoing MFA fatigue attack. The ideal environment for implementing such detection logic is offered by SIEM or XDR platforms, if the company has either.
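The detection rules described above, as an added example that is not part of the Kaspersky post: a sliding-window check over constructed authentication events that flags a spike in failed logins, failures arriving from many different source IPs, failures spread across several applications, and a burst of MFA prompts. The log format, thresholds, and user/IP values are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the article).
# Fields: timestamp, user, source IP, application, event type.
# "alice" is hit from rotating IPs across two apps, then gets an MFA burst;
# "bob" is a single ordinary failure followed by a later success.
SAMPLE_LOG = """\
2024-04-10T09:00:05 alice 203.0.113.10 vpn login_failed
2024-04-10T09:00:12 alice 198.51.100.7 vpn login_failed
2024-04-10T09:00:20 alice 192.0.2.44 webmail login_failed
2024-04-10T09:00:31 alice 203.0.113.88 webmail login_failed
2024-04-10T09:00:40 alice 198.51.100.201 vpn login_failed
2024-04-10T09:01:02 alice 192.0.2.9 vpn login_success
2024-04-10T09:01:05 alice 192.0.2.9 vpn mfa_prompt
2024-04-10T09:01:20 alice 192.0.2.9 vpn mfa_prompt
2024-04-10T09:01:35 alice 192.0.2.9 vpn mfa_prompt
2024-04-10T09:05:00 bob 203.0.113.5 vpn login_failed
2024-04-10T09:30:00 bob 203.0.113.5 vpn login_success
"""


def parse_log(text):
    """Parse the assumed space-separated format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, app, kind = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "app": app, "kind": kind})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=10), max_failures=5,
           max_ips=3, max_apps=2, max_mfa=3):
    """Return sorted (user, rule) alerts; thresholds are assumed defaults."""
    alerts = set()
    for i, cur in enumerate(events):
        # Events for the same user inside the trailing window, including cur.
        recent = [e for e in events[:i + 1]
                  if e["user"] == cur["user"] and cur["ts"] - e["ts"] <= window]
        failures = [e for e in recent if e["kind"] == "login_failed"]
        prompts = [e for e in recent if e["kind"] == "mfa_prompt"]
        if len(failures) >= max_failures:
            alerts.add((cur["user"], "failed_login_spike"))
        if len({e["ip"] for e in failures}) >= max_ips:
            alerts.add((cur["user"], "rotating_source_ips"))
        if len({e["app"] for e in failures}) >= max_apps:
            alerts.add((cur["user"], "failures_across_apps"))
        if len(prompts) >= max_mfa:
            alerts.add((cur["user"], "mfa_fatigue"))
    return sorted(alerts)
```

In a SIEM or XDR the same logic would be expressed as correlation rules keyed on user, with the window and thresholds tuned to the organization's baseline.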

Legitimate business use of proxies. If your organization requires residential proxies for legitimate purposes like website testing, meticulous vendor (that is, RPP) selection is critical. Prioritize RPPs with demonstrably lawful practices, relevant certifications, and documented compliance with data processing and storage regulations across all regions of operation. Ensure they provide comprehensive security documentation and transparency regarding the origins of the proxies used in their network. Avoid providers that lack customer verification, accept payment in cryptocurrencies, or operate from jurisdictions with lax internet regulations.

Kaspersky official blog – Read More

Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files

“Test files” associated with the XZ Utils backdoor have made their way to a Rust crate known as liblzma-sys, new findings from Phylum reveal.
liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The

The Hacker News – Read More

Sisense’s data breach is serious enough that CISA is investigating. Here’s what you need to do

A major breach left Sisense customer credentials open to hackers.

Latest stories for ZDNET in Security – Read More