The Federal Bureau of Investigation (FBI) is publishing this Public Service Announcement (PSA) to raise awareness of residential proxies, the risks they pose, and steps the public can take to safeguard their devices from becoming part of a residential proxy network. Cyber threat actors use residential proxies to facilitate illicit activities, while obfuscating their true identities and locations by routing internet traffic through home and small business internet networks.
What is a Residential Proxy?
A residential proxy is an intermediary server between individuals and websites they visit to make their connections appear to originate elsewhere. Legitimate IP addresses assigned by an Internet Service Provider (ISP) to consumers' Internet of Things (IoT) devices, such as TV streaming devices, digital picture frames, smartphones, tablets, and routers are used to route traffic. Once an internet-connected device is compromised, the device's IP address can be used by threat actors to mask their online illegal activity, making the consumer appear responsible.
Understanding How Residential Proxies Work
A residential proxy is used to route users’ requests through another IoT device, typically located elsewhere in the world. When selecting an IP address, users can choose which country they would like the IP address from, down to the city and state. Doing so alters the users' IP address from the perspective of the website to that of the device the traffic was routed through.
How Your Device Can Become Part of a Residential Proxy Network
Many individuals do not realize their internet connection could be used by someone else without their permission. Residential proxies obtain residential IP addresses from devices in two ways: The owner of the device provides consent, or the owner of the device does not provide consent and is unaware their IP address is being used.
The following methods can be used to acquire residential IP addresses for a residential proxy network:
- Software Development Kit (SDK) Partnerships: Proxy services convince mobile application developers to include their SDK in applications in exchange for payment for each person who downloads the application. Individuals download the application and accept the terms and conditions, allowing the SDKs to run in the background and route proxy traffic through users' devices.
- Virtual Private Networks (VPNs) with Hidden Terms of Service: Free VPN services may enroll users' devices in a residential proxy network without obtaining their consent. The details are often hidden in the terms of service, which most users do not read prior to download, or the language is difficult for the user to understand.
- Compromised IoT Devices: Criminals gain unauthorized access to home networks through compromised IoT devices, such as TV streaming devices, digital projectors or picture frames, aftermarket vehicle infotainment systems, and other products connected to the internet. Criminals configure the device with malicious software prior to it being purchased or infect the device with a backdoor while it downloads required applications.
- Malware: Free online video game content, free sports/TV shows/movies, free software that normally costs money, and torrented content can all contain malware that makes a device part of a residential proxy network.
- Passive Income Schemes: Proxy services convince people to download applications on their device that promise to pay them for their internet bandwidth. People often do not realize that criminals use their internet connection to commit cyber attacks.
How Criminal Actors Use Residential Proxies
Residential proxies are a standard tool criminals use to look like ordinary users online and can be used for the following purposes:
- Malware Distribution and Command and Control (C2) Obfuscation: Residential proxies serve as an intermediary between C2 servers and compromised devices, obfuscating the true location of the threat actor.
- Phishing and Identity Theft: Residential proxies can be used to host phishing infrastructure or log in to accounts using stolen credentials without triggering geolocation-based alerts.
- Spam and Fake Account Creation: Residential proxies are used to create fake social media, e-commerce, and email accounts.
- Data Exfiltration: Threat actors use residential proxies to smuggle data out of compromised networks, making tracing more difficult.
- Brute Force Attacks: Residential proxies allow cyber attackers to rapidly rotate between a large number of IPs, bypassing rate limits and lockout mechanisms.
- Bypass Content Restrictions: Attackers use residential proxies to misrepresent their locations, allowing access to restricted content and services locked by regions.
- Host Illicit Marketplaces and Forums: Criminal platform administrators use residential proxies to mask their locations and evade law enforcement.
- Identity and Location Obfuscation: Offenders use residential proxies to make it difficult to locate and identify them. If a residential proxy is used, the IP address associated with the criminal activity will not be linked to the offender.
- Making Illegal Purchases: Residential proxies can be used to log in to and make purchases and downloads from illicit marketplaces and forums.
- Bypass Purchase Restrictions: Criminals use residential proxy platforms to bypass limiters to purchase content en masse to resell at a higher cost, such as concert tickets, new sneakers, and new collectible items like trading cards.
- Account Takeovers: If a victim's bank account credentials are leaked on the dark web, criminals could obtain a residential proxy IP address in the same city as the victim and log in to the compromised bank account. The victim's bank is less likely to flag the activity as suspicious.
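The Brute Force Attacks item above says rotating IP addresses bypasses rate limits and lockouts. As an added example that is not part of the FBI announcement, the following runs a per-IP counter and a per-account counter over constructed login events to show which one still sees the activity. The thresholds, event layout and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PER_IP_LIMIT = 5        # assumed: failures allowed per source IP per window
PER_ACCOUNT_LIMIT = 8   # assumed: failures allowed per account per window
MIN_DISTINCT_IPS = 5    # assumed: address spread that suggests rotation
WINDOW = timedelta(minutes=10)


def sample_events():
    """Constructed events: (timestamp, source IP, account, success)."""
    t0 = datetime(2025, 1, 1, 12, 0, 0)
    # 12 failures against one account, each from a different address.
    events = [(t0 + timedelta(seconds=20 * i), f"198.51.100.{10 + i}", "alice", False)
              for i in range(12)]
    # An ordinary user mistyping a password twice from one address.
    events += [(t0 + timedelta(seconds=5), "203.0.113.7", "bob", False),
               (t0 + timedelta(seconds=30), "203.0.113.7", "bob", False)]
    return sorted(events)


def detect(events):
    """Return (flagged IPs, {flagged account: distinct source IPs})."""
    by_ip, by_acct = defaultdict(list), defaultdict(list)
    ips_flagged, accounts_flagged = set(), {}
    for ts, ip, account, ok in events:
        if ok:
            continue
        # Keep only failures inside the window that ends at this event.
        by_ip[ip] = [t for t in by_ip[ip] if ts - t <= WINDOW] + [ts]
        by_acct[account] = [(t, a) for t, a in by_acct[account]
                            if ts - t <= WINDOW] + [(ts, ip)]
        if len(by_ip[ip]) > PER_IP_LIMIT:
            ips_flagged.add(ip)
        distinct = {a for _, a in by_acct[account]}
        if len(by_acct[account]) > PER_ACCOUNT_LIMIT and len(distinct) >= MIN_DISTINCT_IPS:
            accounts_flagged[account] = len(distinct)
    return ips_flagged, accounts_flagged


if __name__ == "__main__":
    ips, accounts = detect(sample_events())
    print("per-IP alerts:", ips)
    print("per-account alerts:", accounts)
```

No single address crosses the per-IP limit, so only the counter keyed on the target account raises an alert.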
Tips to Protect Yourself
The FBI recommends individuals take the following precautions to protect themselves from becoming part of a residential proxy network:
- Avoid TV streaming devices that claim to provide free sports, TV shows, and movies, as they may contain malware or backdoors that hijack your internet network and can lead to identity theft or other cyber crimes.
- Exercise caution before downloading free VPN applications, and do not click on pop-up ads from untrusted websites, as they can initiate malware installation on your device.
- Do not download pirated software, such as video games and movies, which often include hidden malware that turns your device into a proxy.
- Use official, trusted application stores. Only trust applications from well-known and reputable publishers. Unofficial application stores may contain applications that will install backdoors into your device or are otherwise malicious. Sideloading unofficial applications on devices like streaming sticks or Android TV boxes increases the chances of installing malicious software.
- Keep all operating systems, software, and firmware up to date, and prioritize patching firewall vulnerabilities and known exploited vulnerabilities in internet-facing systems. Timely patching is one of the most efficient and cost-effective steps to minimize exposure to cybersecurity threats.
- Some malicious internet-connected devices come from the factory with malware installed. These devices may contain malware even if a "factory reset" is performed. Malicious software often stays on the device even if you uninstall the app or software that was the initial vector. Antivirus software may be able to sanitize your device. If not, reinstalling the operating system on your device may be required to get rid of any malware.
- Ignore suspicious emails and do not click on suspicious links. Phishing emails are a technique used by cyber criminals to infiltrate a device.
- Maintain awareness and monitor internet traffic of home networks. Assess all IoT devices connected to home networks for suspicious activity.
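One way to act on the last tip, as an added example that is not part of the FBI announcement: summarize an hour of router flow records per device and flag devices that contact many distinct Internet hosts while sending about as much as they receive. That relay-like pattern as a signal, the thresholds, the LAN range and the record layout are all assumptions.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range
MAX_DESTINATIONS = 40    # assumed: distinct external hosts per hour for one IoT device
MIN_UPLOAD_RATIO = 0.5   # assumed: sent/received ratio that suggests relaying


def sample_flows():
    """Constructed one-hour summary: (device, destination IP, bytes sent, bytes received)."""
    flows = [
        ("living-room-tv", "203.0.113.10", 2_000_000, 900_000_000),  # streaming: download-heavy
        ("living-room-tv", "203.0.113.11", 500_000, 150_000_000),
        ("laptop", "192.168.1.1", 40_000, 60_000),                   # LAN traffic, ignored
    ]
    # A picture frame talking to 60 hosts with near-symmetric traffic.
    flows += [("picture-frame", f"198.51.100.{i}", 300_000, 350_000)
              for i in range(1, 61)]
    return flows


def suspicious_devices(flows):
    """Return {device: (distinct external destinations, upload ratio)}."""
    dests = defaultdict(set)
    sent, recv = defaultdict(int), defaultdict(int)
    for device, dst, tx, rx in flows:
        if ipaddress.ip_address(dst) in LAN:
            continue  # only Internet-bound traffic is of interest
        dests[device].add(dst)
        sent[device] += tx
        recv[device] += rx
    flagged = {}
    for device, hosts in dests.items():
        ratio = sent[device] / recv[device] if recv[device] else float("inf")
        if len(hosts) > MAX_DESTINATIONS and ratio >= MIN_UPLOAD_RATIO:
            flagged[device] = (len(hosts), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for device, (hosts, ratio) in suspicious_devices(sample_flows()).items():
        print(f"{device}: {hosts} external hosts, upload/download ratio {ratio}")
```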
The FBI recommends businesses take the following precautions to protect themselves from becoming part of a residential proxy network:
- Keep software and operating systems up to date. Installing updates as they become available can help protect your devices from being infected.
- Enforce strong device policies to prevent unauthorized devices from joining your business network.
- Utilize network segmentation. Separate your network into segments to isolate sensitive data and systems from general traffic.
- Implement firewall rules to prevent unauthorized applications and services from communicating over your network.
- Block IP addresses that are known to be associated with residential proxy networks.
Victim Reporting
If you suspect you are a victim of a residential proxy service or your personal information has been compromised:
- File a complaint with the FBI Internet Crime Complaint Center (IC3) at www.ic3.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting organization; and designated point of contact.
- Contact your account provider immediately to regain control of your accounts. Change your passwords, and place alerts on your accounts for suspicious login attempts or transactions.