The widely used free VPN service Hola exploits its users by selling their bandwidth to online criminals and fraudsters and "poses severe risks to the internet community," security firm Trend Micro (opens in new tab) said in a report.
According to the report, which was posted yesterday (Dec. 18), when users install the free Hola client application, they're also installing software from Luminati, a sister company of Hola that sells access to residential IP addresses.
Luminati's clients appear to be primarily mobile advertisers, Trend Micro said, but they also include ad fraudsters, data scrapers and full-on cybercriminals, all of whom evade detection by hiding behind the IP addresses of unwitting Hola VPN clients.
"HolaVPN users' bandwidths are being sold via Luminati and could end up being part of botnet activity facilitated by the network," Trend Micro said in a blog posting introducing its report. "It could also enable cybercriminals to perform different illegal or unauthorized activities on users' machines."
If you're currently using Hola's free service, you might want to stop. Uninstalling the software may have to be done manually by deleting individual files, as Trend Micro said the uninstall tool provided with the Hola client software does not in fact do the job.
In a statement provided to Computer Business Review, Hola said that "the Trend Micro report is a sensational, irresponsible report, falsely suggesting that all VPN users want to hide their identity, and that the Luminati network is anything other than a fully legitimate transparency network. ... Hola is a Free unblocker which is used for seeing any content from any location. It is not a privacy VPN and does not purport to be so."
In 2015, Hola admitted that it sold the bandwidth of its free users to Luminati customers. However, the Trend Micro report is the first to look into who those customers are.
Hola advertises its free service as a "peer to peer" VPN service, implying that its users will be routed through each other's IP addresses to evade detection. The company website claims that Hola is used by "over 175 million people around the world," and the Android client app has been downloaded more than 10 million times.
A VPN with no encryption
Trend Micro noted that the traffic Hola carries is not encrypted at all, and that the client software is in fact "an unencrypted web proxy service."
"We found that traffic is mostly routed through roughly 1,000 super nodes in data centers," the report stated. "The vast majority of the traffic that is routed through the residential HolaVPN exit nodes is not generated by other HolaVPN users."
Rather, said Trend Micro, that traffic comes from Luminati customers, who pay the company for access to Hola customers' home networks. Such access is very valuable to persons engaged in online advertising fraud, which often consists of generating fake impressions on ads to boost revenue.
"Usage of the residential proxy network of Luminati cannot easily be detected by website owners and advertisers — the exit nodes are not known publicly," Trend Micro's report said. "IP addresses that are assigned to home users are often dynamic and not static. This means it is very hard to detect and block Luminati exit nodes."
Up to no good
Shady characters use those home IP addresses to get up to all sorts of dirty dealings, Trend Micro said.
"A substantial part of the Luminati traffic was related to the scraping of online content such as subscription-based scientific magazines, private contact details of physicians and attorneys, data on inmates, court documents in the U.S. and China, credit information, and even the Interpol's most wanted list," the report said.
"Airline reservation systems and websites that sell concert tickets were being accessed frequently via Luminati as well. Boarding passes, online check-in portals and Passenger Name Records (PNR) were accessed via Luminati in significant numbers."
Such activities fall foul of various copyright and privacy laws, but they're not dangerous in general. However, Trend Micro said full-on cybercriminals seemed to be using Luminati.
"Hackers have attempted to verify leaked webmail credentials via Luminati and have even tried to access the webmail of companies through the proxy network for an extended time period," the report said.
A back door into your network
There was no detection of actual malware being transmitted across the Luminati network, but the report says that "a user's machine, once installed with the free HolaVPN, will become one of Luminati's exit nodes."
"If the user's machine happens to be part of a corporate network, it's being an exit node may provide unknown third parties possible entry to company systems," Trend Micro said. "HolaVPN could enable attackers to circumvent corporate firewalls and allow them to explore the internal network of a company for nefarious purposes."
Needless to say, the same would apply to home networks, which would be less tempting targets than enterprise networks but which could still yield valuable personal information such as credit-card numbers and online account credentials.