How Cybercriminals can use Your Devices to Commit Crime

Cybercriminals are often a hidden threat, lurking in unseen corners of the internet.
One tactic that allows them to keep their real identities concealed when engaging in nefarious activities is the use of residential proxies.
Residential proxies recently bubbled up into focus after the Federal Bureau of Investigation (FBI) issued a public service announcement to raise awareness about the dangers they pose and steps the public can take to protect their devices.
Cybercriminals use these proxies to hide their true identities and locations by routing traffic through home and small business networks, making their illicit online activity appear more legitimate.
“Residential proxies continue to be exploited by bad actors for everything from large‑scale fraud to powering DDoS attacks,” writes Noopur Davis, CISO at Comcast, on her LinkedIn.
“This is no longer a niche problem – it’s a growing threat to consumers, networks and the broader internet ecosystem.”
What are residential proxies?
A residential proxy – also called a ResProxy – is software designed to route other people's internet traffic through a user's device.
The FBI says: “A residential proxy is an intermediary server between individuals and websites they visit to make their connections appear to originate elsewhere.”
Comcast Threat Research Labs further explains: “ResProxies are like forged return addresses on envelopes – someone else’s internet traffic is rerouted through your connection.
“It’s as if someone mailed a letter using your address without your knowledge and the digital location of the original sender’s connection is masked and untraceable.”
To complicate matters, a ResProxy is designed to leave no trace of its activities as it quietly launders illegitimate activity, “making the outside world believe your device is the initiator of that traffic”.
Legitimate IP addresses assigned by Internet Service Providers to consumer devices such as streaming TVs, smartphones, tablets, routers and other IoT devices can be used for this.
Once compromised, regular user devices allow threat actors to mask illegal activity, making it appear as though the user is responsible, effectively concealing the attacker’s identity and location.
How criminals exploit devices
Residential proxies are sometimes acquired through malware, free virtual private networks (VPNs) with hidden terms of service or applications promising passive income.
These are the hidden threats behind some seemingly benign offers to “earn beer money” or “get paid to share your internet.”
Once enrolled in a network, devices become part of a system used for phishing, identity theft, fake account creation, ad fraud, brute force attacks and bypassing geographic content restrictions.
These compromised groups of endpoints – which Comcast researchers have termed "herds" – form a layered network of infected devices that allows cybercriminals to operate anonymously and evade detection.
Each herd can consist of tens of thousands of compromised endpoints – in some unfortunate cases it can exceed hundreds of thousands.
Criminals then pay resellers to buy access to IPs in the herd. The earnings from these sales are used by the herd operators – referred to by researchers as wranglers – to maintain infrastructure, recruit new devices and advertise their inventory to resellers, creating a whole dark ecosystem.
How to protect devices against ResProxies?
The FBI advises exercising caution with free streaming devices, VPNs, pirated software and unofficial apps.
The agency warns users to download applications only from trusted sources and to keep all software, firmware and operating systems up to date.
Organisations are advised to “enforce strong device policies to prevent unauthorised devices from joining your business network”.
Staying proactive helps: by regularly monitoring network traffic and using antivirus or security solutions capable of detecting suspicious activity, users can stay ahead.
Being vigilant can prevent devices from becoming unintentional participants in a residential proxy network.
“The ResProxy issue is spread across homes, businesses, data centres, device types, applications and geography,” notes David W, Vice President, Global Security Engineering and Analytics at Comcast, on his LinkedIn.
In this reality, tracking and dismantling cyber operations could prove to be much more complicated, as David says: “Imagining a glorious one day take down in the future is looking more and more unrealistic.”







