Researchers warn Hola VPN users of weak encryption and IP address leaks

• HolaVPN Software does not use encryption and leaks IP addresses. The free version monetizes its users’ bandwidth to run its sister company Luminati’s proxy network.
• Luminati’s network found to be abused by fraudsters and hackers for illicit activities

Virtual Private Networks or VPNs have become essential for many internet users to access blocked content or to secure their online browsing history from the cyber surveillance conducted on a mass scale by many governments. However, the companies offering VPN services often do not live up to their claims of protecting their users’ privacy.

One of the most popular names in the VPN market is Hola VPN, which is used by over 175 million people globally. Despite being such a popular service, it has been recently found by security researchers at Trend Micro, that it falls short in terms of taking measures to protect their users’ security and privacy.

An unsafe VPN

The security issues of Hola VPN begin with its software which shockingly enough does not use encryption and leaks IP addresses. This itself makes it an unsafe choice for those who want to avoid censorship or surveillance. But the research paper by Trend Micro goes much further to shed light on other issues with HolaVPN.

Hola VPN is available in both free and paid versions. In the free version, its described as a community VPN where users help each other to securely access the internet. However, the so-called community VPN does not seem to do much to serve its users as per Trend Micro’s findings.

Instead of the web traffic being shared between users, it is routed through a list of a thousand exit nodes hosted in data centers. Essentially, each device with the free version of HolaVPN is turned into an exit node that is monetized by a commercial proxy service called Luminati. As it turns out, Luminati and HolaVPN are owned by the same parent company, Hola Networks Ltd.

This essentially means that the parent company uses HolaVPN’s free users’ bandwidth to provide a residential proxy network under Luminati. This has been known since 2015 but there are other issues with this kind of business practice. Earlier, it was not known how the Luminati network was actually used but this latest research has revealed that it is being abused by malicious actors. Keep in mind that such a proxy network with millions of exit nodes, over 32 million according to Luminati’s website, can provide a high degree of anonymity.

Shady activities

Trend Micro analyzed over 100 million URLs recorded as exit nodes of the Luminati proxy network between in 2017 and 2018. The breakdown of Luminati’s traffic revealed that over 85 percent traffic went to mobile advertisements, mobile app domains, and affiliate programs. It is quite evident that its a very profitable business for the company.

With a growing mobile advertisements’ market, fraudsters are also bound to enter the arena. Indeed, the researchers found explicit evidence proving that members of the infamous KlikVip gang are using Luminati to route traffic from their mobile advertisement sites to third-party landing pages. It is likely that these threat actors are abusing the Luminati network to run click fraud campaigns.

Another area of concern pointed by the researchers was that, “...a substantial part of the Luminati traffic was related to the scraping of online content such as subscription-based scientific magazines, private contact details of physicians and attorneys, data on inmates, court documents in the U.S. and China, credit information, and even the Interpol’s most wanted list.”

Other frequently accessed services through Luminati include airline reservation and check-in systems, websites selling concert tickets, and websites selling limited-edition, popular and hard-to-get items. The researchers noted, “...to evade botnet detection, some users of Luminati are likely using captcha solving services offered by sweatshops.”

Hackers abusing the network

Beyond just shady profit-making activities, the researchers found hackers using Luminati for anonymously executing their operations.

“We have collected evidence that hackers have attempted to verify leaked webmail credentials via Luminati and have even tried to access the webmail of companies through the proxy network for an extended time period. Mobile payment systems were accessed via the Luminati network as well,” the researchers pointed out.

The overlap between traffic patterns of the Luminati network and adware-infected computers identified by Trend Micro shows that it is a major security risk for HolaVPN users and internet users in general.

Trend Micro has decided to categorize HolaVPN software as unwanted to warn its customers against the associated security risks and has requested other organizations to follow suit as well.

Conclusion

The lesson is loud and clear. Any internet user must be extra careful before using any free VPN service. If due caution is not exercised, they might end up paying by compromising their own security or enabling threat actors to commit cybercrimes.