Guest Column | May 1, 2023

Why Residential IP Proxy Networks Should Be On Every MSP's Radar

By Jonathan Tomek, Digital Element


There’s a growing threat that should be on the radar of all managed services providers: Residential IP proxy networks. These networks allow players to send traffic to websites that look and feel legitimate, meaning it has residential IPs located in cities, regions, and countries that make sense to the website owner. In reality, this traffic can very well be a bot in disguise.

Residential IP proxy networks have been around for a while, publicly offering web scraping services to interested parties. They offer ISP-assigned residential IP addresses that are attached to physical locations all over the world. What’s changing is both the number and the size of the network are growing exponentially. Some proxy networks claim to have access to hundreds of thousands of residential IP addresses available to anyone willing to pay.

Passive Pocket Money For Consumers

Consumers play an important role in residential IP proxy networks in that they willingly offer up their internet-connected devices in exchange for earning passive income. To get paid, consumers install an app --, Honeygain, Peer2profit, and PacketStream to name a few -- that allows the proxy network to “share” the user’s bandwidth.

These apps inform consumers that their internet will be shared, and some, such as Honeygain, verify the use cases of their clients. Others, such as 911 S5, offer free VPN services to consumers and harvest their IP addresses with their consent.

Consumers are left in the dark as to who uses their IP address, and to what end. They are just left to trust the service. Some of the apps promise that the consumer’s data will only be sold to “credible” companies that use it for verified use cases, such as competitive analysis.

But we also know that residential proxies have been used in a range of crimes, including ad fraud and DDoS attacks. This past summer, the FBI seized the website and shut down a botnet that relied on a residential proxy network to engage in malicious activity.

Legitimate Use Cases

Most of the residential IP proxy networks offer scraping services as a primary use case. These networks promise to help their customers circumvent bot detection of any website they hope to scrape by hiding behind an ISP-assigned residential IP address. Whether or not this use case is legitimate is open to interpretation, of course, especially for MSPs whose clients don’t want their websites scrapped by their competitors.

Ad verification is another use case that is arguably legitimate. Let’s say your client launches a multinational advertising campaign via programmatic exchanges and is keen to ensure that all ads are rendered correctly and are in the correct language. Residential IP proxies can be deployed to view and verify those ads.

Nefarious Use Cases

While residential IP proxies have some positive use cases, they also have several ones likely to make MSPs nervous. For instance, ad fraudsters can easily set up an advertising farm (i.e. a website with nothing but ad units that are sold via open programmatic exchanges). Rather than create malware to infect user devices to generate clicks on those ads, fraudsters can now purchase traffic from a network, send it to their websites, and earn a lot of commission. As long as what the fraudsters pay for the proxied traffic is less than what they earn in CPC commissions, they’re in the black.

And then there’s a host of bread-and-butter security concerns, such as circumventing an organization’s web application firewalls (WAFs) or content delivery networks (CDNs). These technologies are deployed to monitor, filter and block malicious HTTP/S traffic from reaching a client’s web applications and content by assessing the context around IP addresses. If an MSP’s clients allow only residential IP traffic to reach their websites, or want all traffic from specific regions of the world blocked, residential IP proxies represent a significant blind spot.

One of the bigger use cases is to look like organic users and register for new accounts. These accounts sit idle until needed for an event, such as a premier music ticket sale. When activated, these accounts look like individual users simply waiting in line to purchase online tickets. Only sometimes they’re not real fans, they are botnets, as was the case with the Taylor Swift concert tour debacle. One botnet can consume all of the valid tickets, leaving all of the other fans out of luck.

Protecting Your Clients Going Forward

Going forward, MSPs will need to devise strategies for distinguishing between real and proxied residential IP addresses. This, in turn, will require access to more contextual data, such as the activity level and stability of the IP address itself. For example, if the IP address has been tied to a specific location for several weeks, it is less likely to be proxied. This contextual intelligence will enable MSPs to better protect their clients against unauthorized scrapping, DDoS attacks, and network break-ins. On the flip side, if the IP address is a mobile phone and has not moved at all, this is a warning that it could be a mobile proxy farm.

As inflation continues to take a bite out of the consumer’s monthly budget, we can expect more of them to share their internet with residential IP proxy networks. For many, the $75 to $125 they earn each month is a temptation they can’t resist, and with little understanding of the risks they face, many are willingly sharing their internet service across all of their household devices. For MSPs, this development requires heightened vigilance to ensure that only legitimate traffic can access their client’s network.

About The Author

Jonathan Tomek, VP of Research and Development for Digital Element, is a seasoned threat intelligence researcher with a background in network forensics, incident handling, malware analysis, and many other technology skills.

Jonathan served in the United States Marine Corps. He worked at multiple threat intelligence companies and built their threat capabilities to include identifying tactics, techniques, and procedures of malicious actors. He led several technical cybercrime and espionage teams in their initiative to enhance technical efficiency in malware analysis, malicious actor tracking, and tool development.