Security tools use a variety of data to determine if a computer and the person using it may be doing something malicious. One of the significant signals is a machine’s IP address, which is assigned by a hosting provider. Most wise people don’t use their home internet connections for illegal activity. This has made them appealing for illegitimate uses. There’s a thriving market for proxy services based on residential IPs. These proxies can originate from a variety of devices within a residential setting, such as desktop computers, laptops, smartphones and even Internet-of-Things (IoT) devices. This isn’t to assert that the market for residential proxies is entirely illegitimate. However, there have been questions over how some residential proxy providers secure their access, which have ranged from pay-per-install schemes to software development kits (SDKs) where the proxy capability is within another application or utility, as well as their target customers.
For fraudsters, blending in with regular internet traffic using residential IPs offers a reduced risk of detection and blocking by websites. Security administrators often block certain types of IP addresses outright, such as if an IP address is associated with a known bulletproof hosting (BPH) provider. BPH is an underground service for cybercrime where the hosting provider generally will not take action if it receives abuse or law enforcement complaints, thus allowing for illegal activity such as phishing, brute-force attacks, spam and more. Another type of proxy that is frequently blocked are virtual private network (VPN) services. While VPNs have legitimate uses and some privacy benefits, these proxy services are often used to obscure the true location of a computer and mask suspicious activity.
Blocking complicates efforts for fraudsters, but residential proxies are less likely to be blocked. Many e-commerce systems and card processors would outright block, say, a payment card transaction initiated by a computer with an IP address in Europe if the cardholder is located in the U.S. However, by conducting a transaction with an IP address that is geographically close to the payment card’s address on file, there’s a greater chance a transaction will go through. In this piece, we will discuss how these services are procured and offered and provide insight into two residential proxy providers that are clearly aimed at the cybercriminal underground.
Residential proxy providers offer subscription services. The providers have access to a vast pool of IP addresses assigned to residential internet users by internet service providers (ISPs) and oversee a network of devices equipped with real residential IP addresses. Once a subscription is purchased, users send a request to the proxy server to access a specific website or service. The proxy server receives this request and selects one of the residential IP addresses in its pool to forward it. This step effectively masks the original IP address of the user. The request then travels from the chosen residential IP address to the target website or server. To the target website, it appears as though the request originates from a legitimate residential user at the associated address of the IP. The website then processes the request and sends back the required data, which is received first by the residential IP address and then relayed by the proxy server back to the original user.
[Image: Fig1 - This image depicts a graphical representation of how residential proxies work.]
Types of Residential Proxies
Residential proxies can be classified into several types based on their functionality, usage and connection management strategies:
Rotating: Automatically rotate IP addresses at predetermined intervals or with each new request. Ideal for tasks that require high levels of anonymity and a minimal risk of blacklisting.
Static: Assign a single IP address that remains consistent over time, which ensures a stable online presence for activity where changing IP addresses could lead to complications.
Shared: Used by multiple users simultaneously. They tend to be cheaper, but could lead to IP address blacklisting if co-users engage in malicious actions.
Dedicated: Allocated exclusively to one user and provide the best performance and the lowest risk of blacklisting, and ensure no other user’s activity can affect the proxy’s reliability or security.
The provision of such high quantities of residential IP addresses is no mean feat, and residential proxy providers must rely on a multitude of methods to acquire their proxy networks, which include:
1. SDK partnerships: Some proxy providers collaborate with application developers to embed their proxyware within SDKs. Users who download and install these applications may knowingly or unknowingly agree to share their IP address with the proxy network and receive free features in return.
2. ISP partnerships: Proxy providers may form agreements with ISPs to lease residential IP addresses. This method is more transparent and often involves clear contracts that outline how the IP addresses will be used, thus maintaining legitimacy.
3. “Earn on your internet”: This approach invites users to voluntarily install proxyware on their devices and effectively turns them into nodes for residential proxy networks. In exchange for the use of their bandwidth, companies offer compensation in the form of small direct payments. While this arrangement is consensual, these programs often do not fully disclose the extent of data usage on the user's device. Notable examples of such platforms include EarnApp at earnapp.com, Honeygain at honeygain.com and Pawns at pawns.app, which are prominent in this space.
4. Free VPN services: Free VPN services might enroll users' devices in a residential proxy network without explicit consent, which allows the VPN to monetize the user's connection to offset the cost of the free service. The details typically are hidden in the terms of service.
5. Compromised devices: In less ethical scenarios, some networks use IP addresses from devices compromised by proxyware, which converts them into proxy nodes without the owner's knowledge or consent. Despite the fact that the methods are known, most proxy service providers do not specify on their websites exactly how they access tens of millions of IP addresses.
Given the vast expanse of the internet, major online services often choose to tailor content based on geographic region and sometimes exclude entire countries or continents. This filtering also can extend to personalizing content for individual users. Residential proxies provide a means to circumvent these restrictions and are used for a multitude of purposes by both legitimate users and threat actors. Activity conducted using residential proxies includes:
Uses by Potentially Legitimate Users
Web scraping and data collection: Facilitate legitimate web scraping and data collection essential for market research and data analysis.
Digital marketing: Tailor and optimize advertising displays and search engine optimization (SEO) strategies across different regions.
Ad verification: Check ad display accuracy and combat ad fraud across different geographic locations.
Social media management: Avoid limitations or bans associated with managing multiple accounts from a single IP address.
Goods purchasing: Acquire limited-edition or high-demand items, such as event tickets, exclusive sneakers and other collectibles.
Uses by Threat Actors
Credential-stuffing and brute-force attacks: Disguise locations during automated login attempts to help evade detection.
Legitimate credential misuse: Use stolen credentials without triggering suspicious login alerts, thus maintaining access to compromised accounts for extended periods.
Click fraud: Simulate legitimate traffic from a variety of geographic locations, artificially inflating traffic data and draining advertising budgets through deceptive clicks.
DDoS attacks: Obscure the source of distributed denial-of-service (DDoS) traffic, making attacks appear as if they are coming from multiple legitimate users and complicating mitigation efforts.
Phishing and spamming: Send phishing emails and spam from IP addresses that appear trustworthy, reducing the likelihood of detection and IP-based blacklisting.
Malware distribution: Distribute malware while obscuring digital footprints, which increases the chances of successful infections and complicates efforts to trace the source.
Applicable to Both Groups
Anonymity and evasion: Offer anonymity crucial for protecting privacy, especially for vulnerable individuals. Conversely, proxies also facilitate threat actors in evading law enforcement and regulatory oversight.
Bypassing geographical restrictions: Commonly employed to access media services not available in certain regions and can be misused to circumvent terms of service or legal restrictions.
While residential IP address service providers have legitimate applications, they also are extensively misused by cyber threat actors. In fact, the employment of residential proxies — akin to other services such as malware crypting — has become an integral part of numerous malicious operations, including DDoS attacks, cyber espionage and financially motivated malware campaigns. These proxies typically are used to obscure the final mile of a threat actor’s traffic before it interacts with or accesses a victim’s environment.
We observed numerous services promoting residential proxies in our database. Most advertisements appeared on low-tier forums such as Black Hat World or Nulled, with the exception of the XSS forum, which is regarded as a high-tier hacking and cybersecurity forum. The advertisements typically detail the service offer and emphasize aspects such as the size of the IP address pool, coverage across multiple countries, pricing and contact details. Most proxy providers operate their own websites. Additionally, similar to most of their legitimate counterparts, sellers on underground platforms typically do not reveal the sources of their IP address pools. Those purchasing from underground services rarely question the origin and focus more on the utility of the services. Two notable underground proxy services we profiled in 2024 include MangoProxy and LunaProxy.
MangoProxy
The actor MangoProxy aka MangoProxyy, Mangoteam introduced the MangoProxy service at mangoproxy.com in February 2023. The service has been actively promoted across several underground forums, including Antichat, Black Hat World, XSS and Zelenka. The website’s homepage offers general information about the service and serves as the authorization page for users.
[Image: Fig2 - This image depicts a screenshot of the MangoProxy service’s main page Jan. 25, 2024.]
MangoProxy offers residential proxies with options for Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS) and socket secure internet protocol (SOCKS) proxies, boasting a total of 90 million proxies accessible in more than 220 countries. After users register and log in, the website presents a navigation menu that includes tabs for “Billing,” “Generator,” “Home,” “Services,” "Transactions” and “Whitelist.” Subscription plans vary from a pay-as-you-go option for US $8 per GB to a “Corporate” plan for US $2,989 per month, which offers 1,000 Gbps of traffic bandwidth. The payment platform supports multiple forms of cryptocurrency and traditional payment cards and uses one-time generated wallet addresses to process transactions.
[Image: Fig3 - This image depicts a screenshot of the MangoProxy service’s “Checkout” tab Jan. 25, 2024.]
The “Services” tab discloses potential partnerships with the cost-per-action (CPA) network AFFSTAR and a Google Ads service. The “Privacy Policy” tab lists the service’s legal entity as Sequoia Advertising L.L.C-FZ in the United Arab Emirates (UAE). We also identified three Telegram groups related to MangoProxy with more than 1,600 group members. We identified three individuals who publicly associated themselves with MangoProxy, which may suggest they may not be fully aware of the complexities or finer details of MangoProxy's operations or the potential implications of their activity within the broader context of internet security and cyber law.
LunaProxy
The actor panghuhu has promoted the LunaProxy service on the XSS forum since 2022. The service allegedly offers more than 200 million residential proxies across 195 countries. The user interface of the website is available in eight languages and includes sections such as “Affiliate Program,” “Enterprise Exclusive,” “Pricing,” “Proxies,” “Resource,” “SDK,” “Solutions,” “S5 Proxy” and “Use settings.” Similar to Bright Data, LunaProxy offers a SDK that allows integration into online applications for additional income. Insight into a client account shows multiple management options and order statistics were available.
[Image: Fig4 - This image depicts a screenshot of an account dashboard on the lunaproxy.com website on June 2, 2024.]
LunaProxy accepts payment options including payment cards, bank transfers and cryptocurrency. The service's global transfer bank information listed HSBC Hong Kong as the beneficiary bank, with Mars Brothers Ltd. named as the beneficiary account. Additionally, the website’s “Privacy Policy and Terms of Service” listed the alleged legal entity Rome Belden Ltd. as operating the LunaProxy service. This entity also was linked to another proxy service provider — PiaProxy aka PIA S5 Proxy. We uncovered several associations between these proxy services, which included:
The PIA S5 Proxy service claims to offer access to more than 350 million “ethical” residential proxies — the largest amount of all services we observed.
[Image: Fig5 - This image depicts a screenshot of the PIA S5 Proxy service’s main page Aug. 30, 2024.]
Further exploration into the connections between these proxy services revealed LunaProxy and PIA S5 Proxy were advertised by Global Integrated Marketing Communication Group Holdings Ltd. based in Hong Kong. This organization also promoted additional proxy services, including 922 S5 Proxy, ABC S5 Proxy, IP2World proxy and PyProxy. According to research published by Sekoia in March 2024, 922 S5 Proxy, ABC S5 Proxy and PIA S5 Proxy listed the same Ethereum (ETH) wallet address on their respective websites. Furthermore, Rome Belden Ltd., registered in Hong Kong in March 2023, was indicated as the legal entity behind PyProxy, as it was for LunaProxy. These findings suggest these services may be interconnected — further adding complexity to the proxy service landscape.
Residential proxies are increasingly pivotal in today’s digital landscape and are marked by growing demand. They offer anonymity and access to geographically restricted content and provide significant utility in data scraping and market research. While businesses and individuals benefit from these capabilities, the sourcing and legality of the proxies often invite scrutiny and raise substantial ethical and legal questions.
Further exploration into residential proxy providers operating in less regulated or underground markets, such as MangoProxy and LunaProxy, reveals even more concerning practices. These providers manage extensive IP address pools without proper verification processes and fail to provide clarity on the origins of their IP addresses. This lack of transparency implies a potential disregard for the ethical implications of their operations, which may include unauthorized use of IP addresses and exploitation by threat actors who can readily access these services. Moreover, the interconnectedness among providers suggests these services may be working together or belong to the same entity. Therefore, even if users consent to their IP address being used by one company, there is no guarantee their information will not be shared with another provider that lacks robust verification policies. It is crucial for businesses contemplating the use of residential proxies to conduct thorough due diligence. This should include scrutinizing individual proxy providers and investigating their connections to other services to fully understand the potential risks and ethical considerations.
Users should be aware of the risks around downloading apps where their internet connection is shared. In some circumstances, this condition may be clear, such as some applications offering a free VPN in exchange for use of spare bandwidth. However, it is important to consider that if a connection is used for criminal behavior on the internet, it means a person’s residential ISP account will be linked to that activity. To be sure, law enforcement would eventually unravel a hapless situation where an IP address has been abused for fraud and that the person who holds the account is not the threat actor. But this should serve as a reminder that if an app is “free” — in the context of residential proxies — your internet connection is their product.
The Lumma infostealer malware collects highly sensitive data including logins and session tokens. Here's how to conduct a threat hunt leveraging up-to-date tactics, techniques and procedures used by Lumma.
Pro-Russian hacktivism campaigns continued to be directed at countries and entities supporting Ukraine. Here's a briefing about new hacktivist groups and the risks the groups pose.
The leader of the Black Basta ransomware group employed a trusted, experienced cybercrime actor nicknamed Tinker who he relied on for phishing content, call center management and negotiation skills.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.