Japan’s Trend Micro today warned customers to ditch the widely used HolaVPN software, as traffic to its “super nodes” is unencrypted and it is effectively turning their machines into a large residential botnet ripe for exploitation by fraudsters.
HolaVPN is marketed as a community Virtual Private Network (VPN): Its 8.3 million internet users are told they can help each other to access websites freely and without censorship by sharing their internet connections.
But the software also turns their machines into exit nodes. Hola then sells the bandwidth of these users via its sister company Luminati, where prices range from $500 to $100,000 per month.
Yet the average user of HolaVPN will have “no idea what kind of traffic Luminati is pumping through the user’s internet connection,” Trend Micro noted, saying it is blacklisting the software.
HolaVPN Traffic Routed Through 1,000 Exit Nodes in Data Centres
Users of HolaVPN do not really share their internet connections with each other, however; instead, their web traffic is routed through a list of about a thousand exit nodes hosted in data centers, Trend Micro researchers found [pdf].
This is at odds with comments by the company’s founder in the past: “We can provide [Hola] for free since each user is also an exit node for other users,” Ofer Vilenski, Hola’s co-founder, has previously claimed.
The free VPN is not even effectively private, Trend Micro found: “Users’ IP addresses are regularly exposed to the websites they visit.”
Meanwhile: “Each computing device with free HolaVPN version installed is turned into an exit node that is monetized by a commercial service called Luminati”.
HolaVPN describes Luminati as its “business SaaS” that has “disrupted the way businesses conduct brand monitoring… self test (checking how their corporate site looks from multiple countries), anti ad fraud, etc.”
“The Vast Majority of all Luminati Traffic is Likely Related to Fraud”
But Trend Micro said: “The detailed breakdown of Luminati traffic shows that the vast majority of all Luminati traffic is likely related to fraud with mobile advertisements and traffic from mobile apps.”
Its researchers added: “We found concrete evidence for massive scraping of online content. This scraping often violates the terms and conditions of the target websites and may be illegal in some jurisdictions. We also have shown that hackers have found their way to Luminati.”
Trend Micro used a dataset of more than 100 million URLs that were sent through about 7,000 exit nodes to conduct the research.
85 Percent of Traffic Used to Drive Ad Clicks
“We found more than 85 percent of all Luminati traffic in our dataset was directed to mobile advertisements, mobile app domains and affiliate programs that pay for referrals and installation of apps.”
“Millions of clicks on advertisements and advertisement impressions are loaded via Luminati each day — a potentially very profitable business. The market of mobile advertisements is huge and growing rapidly, and fraudsters will try to get their share of the revenue,” Trend Micro noted.
As the exit nodes may be in locations such as universities, where free access to academic subscriptions is available, Trend Micro found that the network of exit nodes created by HolaVPN users was being used to scrape online content.
Scraping Content
“We also found that a substantial part of the Luminati traffic was related to the scraping of online content such as subscription-based scientific magazines, private contact details of physicians and attorneys, data on inmates, court documents in the U.S. and China, credit information, and even the Interpol’s most wanted list.”
Trend Micro added: “Airline reservation systems and websites that sell concert tickets were being accessed frequently via Luminati as well. Boarding passes, online check-in portals and Passenger Name Records (PNR) were accessed via Luminati in significant numbers. Limited edition sports shoes and other popular but hard-to-get items were bought by scripts using Luminati. To evade botnet detection, some users of Luminati are likely using captcha solving services offered by sweatshops.”
Trend Micro has urged any customers using the service to uninstall it, describing it as “high risk”, and says it will detect it as unwanted software.
HolaVPN hit back: a spokesman told Computer Business Review: “The Trend Micro report is a sensational, irresponsible report, falsely suggesting that all VPN users want to hide their identity, and that the Luminati network is anything other than a fully legitimate transparency network.”
He added: “Hola is a Free unblocker which is used for seeing any content from any location. It is not a privacy VPN and does not purport to be so. The Hola premium VPN is a full VPN whose users pay a subscription and are not part of the peer network. However, most consumers choose to opt for the Free VPN version that provides the ability to unblock sites (not to hide the IP or encrypt) and in return they provide their idle resources to Hola’s monetization partner Luminati.”
“Luminati is a valuable service used by Fortune 500 customers and thousands of enterprises for price comparison, travel, and other legitimate uses which ultimately are the foundations of a free market. We are appalled that Trend Micro would publish such a tarnishing report without fact checking with its subjects first. This is further proof of sensationalism, and using our brand for the benefit of public relations for the Trend Micro brand.”