Residential IP proxy networks are popping up everywhere and undoubtedly provide useful services for many businesses.
Still, some wonder if nefarious players are leveraging them to commit ad fraud (the answer is yes, according to multiple sources, but more on that later).
If you have yet to hear of a residential proxy IP network, I encourage you to Google them and start reading. Some networks claim to have millions of residential IP addresses for rent. These IP addresses are global, with some networks boasting nearly 200 locations, all of which can be used to get around the restrictions applied to content and websites.
What Is a Residential IP Proxy Network?
A residential IP proxy network is a network that pays consumers to share their Internet. The network then re-sells those consumers’ residential IP addresses to its customers — companies or users who want, for whatever reason, to appear as if they’re residential IPs within a specific region.
To get their pool of residential IP addresses, apps like Honeygain, Earn.app, Pawns.app, and many others pay home users to share their Internet traffic. These users install a proxy network app on their smartphones or computers and forget about it until the money rolls in. These payments are small (ranging from $.20 per GB of shared data to $75 per month). Still, if users are looking for pocket money, residential IP proxy networks promise to pay them for doing nothing.
Some networks emphasize that their residential IP addresses are “ethically sourced,” meaning the consumer is told quite clearly that sharing their Internet means someone else will use their IP address to access sites. Consumers don’t know who will use their IP addresses and for what purpose. Many promise consumers that networks will only use IP addresses for approved use cases, but they need to go into more detail on what that actually means.
As Brian Krebs explains in his security blog, other residential IP networks, such as 911 S5, get their IP addresses by offering free VPN services to users and then use those users’ IP addresses without telling them.
Residential Proxy IP Use Cases
It’s hard to know how many residential proxy IP networks are out there. Jonathan Tomek, VP of Research and Development at Digital Envoy, believes there are thousands. Millions of people must want to rent residential IP addresses if that’s the case. What are their use cases?
In researching this article, I read the websites of a dozen or so providers. Web scraping is a key use case for all of them, and they offer particular services, such as the ability to scrape product data from the world’s largest online retailers. If you want to outwit bot detection for price comparison or competitive analysis purposes, a residential IP proxy network is the tool for you.
Several residential IP proxy networks say their services are best suited to ad verification. Suppose a multinational brand launches a campaign in six languages across five regions: it can deploy residential IP proxies to view each ad in each region and verify that the ads appeared as expected.
The worrisome issue with residential proxy networks is that they’re tools, and tools can be deployed for legitimate or nefarious purposes. Multiple industry experts say ad fraud is common, as identifying residential IP proxies can be tricky.
“Unlike datacenter proxies, which typically are easily identified in the industry, residential proxies seem much harder to block. Thus, they are sometimes favored by scheme operators who seek to bypass detection and restrictions,” explained Gilit Saporta, Director of Fraud Analytics at DoubleVerify.
These networks are actively deployed in various fraudulent schemes, including ad fraud. This past summer, the FBI seized the website Rsock.net and disrupted a botnet that, according to the DoJ, hijacked millions of computers to “convert residential computers into proxy servers, allowing the botnet’s customers to use them for malicious activity or to appear as coming from a residential IP address.”
In 2019, security professionals discovered that TheMoon botnet, long known for its DDoS attacks, had switched tactics and targeted YouTube in an ad fraud scheme. That same year, DoubleVerify identified (and stopped) OctoBot, an ad fraud scheme that bilked CTV advertisers out of millions of dollars each month. DoubleVerify’s Saporta said residential IP proxies played a role in that scheme.
In 2018, cybersecurity experts and Federal investigators discovered that 1.7 million IP addresses were hacked and deployed to view up to 12 billion digital ads daily.
Rich Kahn, the founder of Anura.io, sees residential IP proxy traffic used in ad fraud on a daily basis. “We defend a lot of lead generation companies. We see human fraud firms take advantage of these residential proxy networks to make their IP address appear legit.” He estimates that one in four leads that stem from advertising is fraudulent, of which some, but not all, are residential IP proxies.
“I just reviewed a campaign with a client in which we marked a series of fraudulent transactions that came through their network. All of those transactions came from residential cable modems, which is a strong indication of a residential IP proxy network,” said Kahn.
Zach Edwards of HUMAN agrees. “This is an extremely common way to commit ad fraud, and we’ve written about residential proxy usage for ad fraud within our Terracotta investigation. HUMAN does not have public numbers to share about real residential proxy usage, but we actively monitor proxy networks.”
Residential Proxy IP Networks Make Life Easier for Fraudsters
According to some security professionals, residential IP proxy networks add a lot of efficiencies to criminal operations and let fraudsters hide from law enforcement and blockers.
Today nefarious players don’t need to bother hacking devices and hijacking residential IPs; they can just rent all the proxies they need from a network. It’s affordable too. When investigating RSock.net, the DoJ noted it costs just $200 per day for 90,000 proxies. This makes ad fraud schemes profitable as long as the fraudster earns more in CPC commissions than they pay for the proxies.
Of course, a handful of hits to an ad from the same IP address will raise red flags. Still, with hundreds of thousands (or even a million) of residential IP addresses available from just one network, getting around those security checks is easy. BlackProxies, a residential proxy network that claims to have a million “real” IPs in its network, offers “blazing fast rotating residential proxies.”
Another convenience: fraudsters no longer need to set up a farm of thousands of cell phones to view ads; they only need to pay $200 or so to a network with 90,000 residential IP addresses.
So are fraudsters abandoning the traditional click farms in favor of residential proxy IP networks? Digital Element’s Tomek, who worked on the 3ve investigation (a botnet involved in a massive ad fraud scheme that HUMAN led in taking down), is convinced they are, although he admits that it’s difficult to pinpoint the exact amount because this traffic looks like organic residential users to ad verification tools.
Detecting Residential IP Proxies
It’s possible to detect when fraudsters use residential IP proxies to view and click on ads, and all of the people interviewed for this article say their companies offer detection services. Methodologies vary from company to company.
“We go down to the user level to identify what’s happening. Is there anything more than just bouncing off that IP address? Fraudsters need to do a certain amount of automation and other things that we can detect. That’s how we catch them,” explained Kahn of Anura.io.
Detecting residential IP proxies is an art. For instance, DoubleVerify can detect them and other masked IPs by combining network telemetry with traffic analysis. DV taps into its extensive experience in classifying and detecting the diverse scenarios of valid and invalid browsing to succeed.
Edwards of HUMAN Security advises advertisers to weigh new ad channels and buying opportunities carefully and avoid ad traffic if residential proxies can’t be segmented for analysis. “If you are unable to change the channels/apps/websites you’re buying on while seeing similar impacts in the residential proxy usage stats, there could be a residential proxy bot adversary targeting a wide swath of inventory across that network, which can end up inflating costs for all campaigns on that network,” he said.
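The following is an added example, not code from this article or from any vendor it quotes. It runs a per-IP click threshold over a constructed click log, then a check that groups clicks by client rather than by IP, to show why rotation slips past the first and not the second. The fingerprint field, the thresholds and the log layout are assumptions made for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed click log: (timestamp_s, ip, client_fingerprint, ad_id).
    IPs come from documentation ranges (RFC 5737); the fingerprint is a
    hypothetical stable client signal, e.g. a hash of device traits."""
    log = []
    # One automated client rotating through 40 exit IPs, one click per IP.
    for i in range(40):
        log.append((i * 3, f"198.51.100.{i + 1}", "fp-automation", "ad-1"))
    # Ordinary users: one fingerprint per IP, one click each.
    for i in range(10):
        log.append((i * 60, f"203.0.113.{i + 1}", f"fp-user-{i}", "ad-1"))
    # A household: two devices behind one IP.
    log.append((700, "203.0.113.50", "fp-home-a", "ad-1"))
    log.append((705, "203.0.113.50", "fp-home-b", "ad-1"))
    # A mobile user who changes networks once.
    log.append((800, "192.0.2.10", "fp-mobile", "ad-1"))
    log.append((4000, "192.0.2.77", "fp-mobile", "ad-1"))
    return log

def flag_by_ip(log, max_clicks_per_ip=3):
    """Classic check: flag IPs with too many clicks."""
    counts = defaultdict(int)
    for _, ip, _, _ in log:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > max_clicks_per_ip}

def flag_by_client(log, window_s=600, max_ips=5):
    """Flag fingerprints seen on more than max_ips distinct IPs
    inside any sliding window of window_s seconds."""
    by_fp = defaultdict(list)
    for ts, ip, fp, _ in log:
        by_fp[fp].append((ts, ip))
    flagged = set()
    for fp, events in by_fp.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most window_s seconds.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            if len({ip for _, ip in events[start:end + 1]}) > max_ips:
                flagged.add(fp)
                break
    return flagged
```

On this sample the per-IP check flags nothing, because every address carries at most two clicks, while the per-client check flags only the rotating client and leaves the household and the roaming mobile user alone.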
A Complicated Future
Edwards warns that new developments will complicate the detection of residential IP proxies. For instance, privacy changes, such as Apple’s iCloud Private Relay technology, will mean millions of legitimate consumers will use new traffic-sharing technology. Consequently, the digital ad tech industry should expect to see more and more residential proxies and pooled IP addresses in ad traffic in the future.
Note: Digital Element is a client of Susie Stulz.