Researchers have warned that a free VPN service downloaded millions of times is failing to mask the digital footprints of users.
Virtual Private Networks (VPNs) are used to disguise Internet traffic. A valued tool for individuals living in countries with active censorship, activists, and journalists worldwide, these services are proving even more valuable of late as governments introduce surveillance bills which give them the right to snoop on our online activities.
However, a new report suggests that one of the most popular VPNs available today is not doing enough to protect user privacy or security.
The free version of Hola VPN is available to the average consumer, while the company offers a paid option for commercial use.
Instead of payment, users contribute what the company calls the "idle resources" of a PC to create a "community powered" peer-to-peer (P2P) network.
"Hola VPN is being marketed as a community VPN: Internet users are told they can help each other to access websites freely and without censorship by sharing their Internet connections," Trend Micro says. "This may sound like a noble initiative, but in reality, the Hola VPN service poses severe risks to the Internet community in a number of ways."
The first issue, which seems incredible considering the times, is that Hola VPN software does not use encryption, according to the team.
When a client using the free software accesses a super node during an active session, there is no encrypted tunnel protecting this communication -- which could allow attackers to intercept the traffic and perform Man-in-the-Middle (MitM) attacks.
A lack of encryption has also led to the leak of user IP addresses, which could theoretically be used to track down users that are running the software in censorship-driven countries.
When the software is in use and a user opens a new tab and types a domain in the browser bar, the web address is accessed directly via the client's true IP address. This defeats the point of the VPN.
"This behavior is very different from that of a normal VPN solution where all internet traffic is routed through an encrypted VPN tunnel," the researchers said. "Hola VPN is not a secure VPN solution -- rather, it is an unencrypted web proxy service."
The report suggests that users of the VPN do not really share Internet connections with each other; instead, their traffic is routed through roughly 1,000 exit nodes in data centers.
When you sign up, you agree to potentially become a peer of the Luminati network. These nodes are created through the free Hola VPN software and, in turn, are monetized by Luminati.
"This commercial service, which is also owned by Hola Networks Ltd., is selling the bandwidth of Hola VPN users to third parties by offering a residential proxy network," Trend Micro says. "This has been a known issue since 2015."
Bandwidth offered by users is then sold via Luminati, with prices ranging from $500 to $10,000 per month.
The researchers added that a residential proxy network could have untold value for threat actors who may utilize the network as a botnet for illicit gains and attacks.
To explore this further, Trend Micro analyzed 100 million URLs gained from systems used as exit nodes during 2017 and 2018. Over 85 percent of Luminati traffic was directed to mobile ads, mobile app domains, and affiliate programs which pay for app installations and referrals.
A group known as KlikVip is likely abusing the network to "commit click fraud on a large scale." The ad group has previously been linked to rogueware affiliate programs by Panda Security.
The team also uncovered evidence which suggests the Luminati network is being used to scrape huge amounts of online content, including subscription-based scientific magazines, the private contact details of physicians and attorneys, inmate data, US and Chinese court documents, and credit information.
In addition, airline reservation systems and concert ticket sellers are being accessed frequently by the network, which has been able to gain access to boarding passes, check-in portals, and Passenger Name Records (PNR).
Speaking to ZDNet, the researchers said they were unaware of any direct links to threat groups which may benefit from data scraping -- such as Magecart -- but said that this kind of information traveling through the network "raises a red flag."
Luminati is also being used to purchase limited edition clothing, potentially making use of CAPTCHA-solving services in order to avoid botnet detection, according to Trend Micro.
Threat actors have also been detected accessing company email systems and mobile payment portals, and attempting to verify leaked web credentials through the network.
"Hola VPN software is not a secure VPN," the researchers say. "Not only is traffic from users' computers to the super nodes not encrypted, the users' IP addresses are regularly exposed to the websites they visit. This makes Hola VPN an unsafe solution to circumvent censorship and interception of internet communications."
Trend Micro will now detect Hola VPN as unwanted software and advises users -- both consumers and the enterprise -- to remove the software from their networks.
Update 15.48 GMT: In a shared statement, Luminati and Hola called the report "irresponsible" for "falsely suggesting that all VPN users want to hide their identity and that the Luminati network is anything other than a fully legitimate transparency network."
"The Hola premium VPN is a full VPN whose users pay a subscription and are not part of the peer network," the companies added. "However, most consumers choose to opt for the Free VPN version that provides the ability to unblock sites (not to hide the IP or encrypt) and in return, they provide their idle resources to Hola's monetization partner Luminati.
"Luminati is a valuable service used by Fortune 500 customers and thousands of enterprises for price comparison, travel, and other legitimate uses which ultimately are the foundations of a free market. We are appalled that Trend Micro would publish such a tarnishing report without fact checking with its subjects first."