
Residential Proxies And The Line Between Use And Abuse - Sandra Cantero

BSides London · 12:02 · 165 views · Published 2026-03

Transcript (English):

Good morning everyone, and thank you for joining my talk, "Residential Proxies and the Fine Line Between Use and Abuse". In this session I will walk you through what residential proxies are, what their uses and abuses are, how they are commercialised, including the underground markets, and how they are sourced; we will go through some documented abuse cases, and at the end we will discuss some cyber security implications. First of all, let me introduce myself. I'm Sandra Cantero. I'm currently working as a CTI analyst at co intelligence, and my background is in criminology. So let's start with the basics. What are residential proxies? A residential proxy is a service that routes traffic through IP addresses assigned by ISPs

to real residential households. This means that when you browse through a residential proxy, the website sees the request coming from a normal home user rather than from a bot, a data center or a VPN. That's important because websites tend to trust those IPs more than those coming from data centers or VPNs, and this means fewer blocks and smoother access to the websites. Compared with residential IPs, the trust in data centers is lower, they have a higher detectability, and the IPs coming from data centers are more likely to be flagged. So that's why residential proxies are interesting, and this feature makes them interesting both for users and

abusers. So let's move now to the use cases. Residential proxies have a lot of uses. Businesses, for example, use them for SEO monitoring, social media management, price comparison and ad management, but on the other side abusers can use them for credential stuffing, malicious automation or conducting DDoS attacks. So let's see it with an example. Imagine a marketing manager who's running an international ad marketing campaign and wants to check that the ads show perfectly in all the regions where they are running the campaign. So he's going to use residential proxies to browse as a user from the different regions where he wants to check that the ad is placed correctly.

In this case he will avoid the geographic restrictions and limitations that he might encounter, so he doesn't have to travel physically to those regions to check that the ads are running correctly. In the same scenario, imagine an attacker who programs bots to click on ads repeatedly from different residential IPs; this artificially inflates the revenue through bot activity. In this case it's pay per click, and the attacker is committing fraud. Now, because residential proxies are used for a wide range of purposes, there's an entire business built around them. We have the reputable providers, which normally offer them with different subscription plans and/or pay-per-gigabyte options. They

also offer a wide range of countries where you can choose your IP to connect from. They normally have large IP pools; that's one of the main things they offer. You can also configure your IP as static or rotating. The most reputable ones also have legal disclaimers, acceptable use policies, and know-your-customer requirements, so they know who's going to be the user of their services. So let's move now to some examples of reputable residential proxy providers. In this case we have socks. Here we can see one of their price plans along with the features that are included in every plan, and here we can also see

that they have a global IP option. Here we have the KYC policy of Oxylabs, which is another of the most reputable residential proxy providers, and we can see that they state that they only accept 70% of the customers that apply, and they also have abuse monitoring in place. These reputable residential proxy providers can also be abused. But when we talk about the business, there's also a dark side of it, and here we are talking about underground markets. The selling point here is basically the opposite. In this case they offer the service at lower prices. They accept mostly cryptocurrency, not credit cards, so they want to keep

the payments anonymous. They explicitly state in most cases that they don't require KYC, or that they provide anonymous access, or that activation is instant. Here we have an example of one of those advertisements in an underground forum. We can see that the price is way cheaper than in the case of the socks provider, and also in the post we can see that they explicitly state that they don't check who's going to buy or use their services, and in this case they also have a line explicitly saying that they don't really care what you are going to do with the service, that it's up to you, so you can do whatever you want.

Here we have another example from another forum saying the same: no logs, no KYC. Now, how do all of these providers obtain the IPs? The reputable providers obtain the IPs mostly from, let's say in theory, a user agreement. In this case we have opt-in bandwidth sharing apps, where the user accepts, by downloading an app, to share part of their internet in exchange for a small quantity of money. Then we also have software development kit (SDK) based monetization partnerships. In this case the developer of an application includes the SDK of those providers inside their app and in exchange receives money. And sometimes it's also via ISP partnerships.

I'm saying that in theory the user provides the consent here, but in most cases the user doesn't really know what they are opting into. So let's see it with an example. Here we have EarnApp, which is linked to Bright Data, which is one of the reputable providers. In this case we can clearly see that by downloading the app you're sharing part of your bandwidth and in exchange you're going to receive a certain amount of money. Continuing with Bright Data, here we have the SDK-based monetization applications and partnerships they have, from their website. So we can see here that there are a lot of applications that include

the Bright Data SDK in order to monetize. And here we have an example from the terms of use of Honeygain, which is affiliated with the Oxylabs provider, and we can see that the terms of use clearly say that the user is going to be part of the network by agreeing to use this application. On the other side, how do cyber criminals obtain those residential IPs? In this case it's via illicit ways. Most cases involve malware or botnets on hacked devices. They also exploit vulnerabilities or default credentials in home network equipment. They may also use deceptive proxyware or misuse SDKs, and they also participate in illicit reseller ecosystems. Now let's move to some of the

documented abuse cases. In this case we have one of the most notorious ones, which is the 911 S5 proxy botnet. In this case the malware was bundled with free VPN applications. These apps installed a proxy backdoor, turning the victim devices into nodes for routing the criminal traffic, and then they offered cyber criminals paid access to those compromised devices. But not only cyber criminals use those services; we also have APT groups. We have APT29, which leveraged residential proxies to disguise their operational traffic as normal consumer activity, rotating through a large number of legitimate IPs, accessing compromised services anonymously, and then distributing phishing spam in a way that evaded traditional IP-based

defenses. So why does this matter for defenders? On one side we have the attackers' advantages, which are enhanced anonymity, as we have seen, stealthy reconnaissance, and scalable fraud and automation. On the other side we have some challenges for defenders: traditional IP-based controls lose effectiveness, because we cannot rely only on the IP anymore, and attacks become harder to attribute and to detect. As we have seen, since you are continuously rotating and using IPs that belong to real home users, it's difficult to say whether this traffic is coming from a real home user or from an abuser. And then we also have another challenge,

which is the ethical part of the compromised consumer devices, because they become part of malicious infrastructure. And in the case of the users who accept being part of these applications by selling part of their internet, I think they don't really know what the implications could be, because maybe a threat actor is using your IP for malicious activities and you don't know, and you will be implicated in this malicious activity. So as main takeaways we can say that modern defenses must look beyond the IPs, as I was saying, and move to device fingerprinting, browser integrity, behavior patterns and proxy intelligence. And as I said at the beginning, residential proxies per se are not malicious. It all depends on the

user intent and the scale of the use. Thank you very much.
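The takeaway of the talk is that a per-IP control cannot see a credential-stuffing campaign spread across a rotating residential pool, while correlating on something the proxy does not change (here, a device fingerprint) can. The following Python example is added here to illustrate that point; it is not code from the talk or from any provider mentioned in it. The login events, the IP addresses (drawn from the TEST-NET documentation ranges), the fingerprint values and the thresholds are all constructed assumptions.

```python
"""Detect credential stuffing that hides behind rotating residential proxy
IPs by correlating on a device fingerprint instead of the source IP.

All data below is constructed for the example; none of it is real.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class LoginEvent(NamedTuple):
    ts: datetime         # time of the attempt
    ip: str              # source IP (a residential exit node in the abuse case)
    fingerprint: str     # hash of client traits the proxy does not alter (UA, TLS, canvas ...)
    username: str        # account targeted
    success: bool        # did the login succeed


T0 = datetime(2026, 3, 1, 9, 0, 0)

# Constructed sample: one attacker rotating through twelve residential IPs
# with a single device fingerprint, plus two ordinary users.
SAMPLE_EVENTS: List[LoginEvent] = []
for i in range(12):
    SAMPLE_EVENTS.append(LoginEvent(
        ts=T0 + timedelta(seconds=40 * i),
        ip=f"203.0.113.{10 + i}",   # constructed, TEST-NET-3 range
        fingerprint="fp-7c1e",      # the same client behind every IP
        username=f"user{i:02d}",    # one attempt per account, many accounts
        success=(i == 7),           # one stuffed credential happens to work
    ))
# Legitimate user: two typos then success, one IP, one fingerprint.
for i, ok in enumerate([False, False, True]):
    SAMPLE_EVENTS.append(LoginEvent(T0 + timedelta(seconds=15 * i),
                                    "198.51.100.7", "fp-alice", "alice", ok))
# Legitimate user on two devices (two fingerprints) from one home IP.
SAMPLE_EVENTS.append(LoginEvent(T0 + timedelta(minutes=2), "198.51.100.9", "fp-bob-phone", "bob", True))
SAMPLE_EVENTS.append(LoginEvent(T0 + timedelta(minutes=3), "198.51.100.9", "fp-bob-laptop", "bob", True))


def per_ip_failure_alerts(events: List[LoginEvent], max_failures: int = 5) -> Set[str]:
    """The classic control: alert on any single IP with more than max_failures
    failed logins. Each residential exit node contributes only one or two
    attempts, so against a rotating pool this returns nothing."""
    failures: Dict[str, int] = defaultdict(int)
    for e in events:
        if not e.success:
            failures[e.ip] += 1
    return {ip for ip, n in failures.items() if n > max_failures}


def fingerprint_spray_alerts(events: List[LoginEvent],
                             window: timedelta = timedelta(minutes=10),
                             min_ips: int = 5,
                             min_fail_ratio: float = 0.7) -> Dict[str, dict]:
    """Look past the IP: a single fingerprint that shows up behind many distinct
    IPs inside a short window, with mostly failed logins spread over many
    accounts, is the shape of credential stuffing over a proxy pool.
    Returns {fingerprint: summary} for every fingerprint that trips."""
    by_fp: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        by_fp[e.fingerprint].append(e)
    alerts: Dict[str, dict] = {}
    for fp, evs in by_fp.items():
        evs.sort(key=lambda e: e.ts)
        # Sliding window anchored at each event; stop at the first hit.
        for start in range(len(evs)):
            span = [e for e in evs[start:] if e.ts - evs[start].ts <= window]
            ips = {e.ip for e in span}
            fails = sum(1 for e in span if not e.success)
            ratio = fails / len(span)
            if len(ips) >= min_ips and ratio >= min_fail_ratio:
                alerts[fp] = {
                    "distinct_ips": len(ips),
                    "distinct_users": len({e.username for e in span}),
                    "attempts": len(span),
                    "failure_ratio": round(ratio, 2),
                }
                break
    return alerts


if __name__ == "__main__":
    print("per-IP alerts:", per_ip_failure_alerts(SAMPLE_EVENTS))
    print("fingerprint alerts:", fingerprint_spray_alerts(SAMPLE_EVENTS))
```

On the constructed data the per-IP rule stays silent, because no residential IP ever exceeds two failures, while the fingerprint rule flags `fp-7c1e` with twelve IPs, twelve accounts and a 92% failure ratio. The thresholds are placeholders; in practice they are tuned against baseline traffic, and the fingerprint would be combined with the other signals the talk lists (browser integrity checks, behaviour patterns and proxy intelligence feeds) rather than used alone.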