Recent reports have highlighted yet another fake VPN that is trying to lure unsuspecting users into downloading two rather nasty trojans.
The latest fake free VPN
The VPN in question is known as InterVPN.
It has a smart-looking website which claims it is the fastest VPN around and protects its users’ privacy by making them completely anonymous online.
In actual fact, images used on the website have been stolen from another VPN, known as VPN Pro, a free VPN, and there is no real InterVPN software available.
Instead, when you download InterVPN, you will, in fact, be downloading an infected version of VPN Pro. It has been injected with one of two trojans, depending on what the site is pushing at the time of your visit.
The AutoHotKey script in the VPN software then connects to ‘iplogger.org’. It then downloads either the Vidar or the CryptBot trojan from another site called bitbucket.org.
Both of these trojans will scan your device for saved browser credentials and cookies. They will also search for cryptocurrency wallets, text files, and anywhere else where you might have stored passwords or login details. They can even take screengrabs while you are using the device.
It is almost impossible for you to know that this is happening as it all takes place in the background and the VPN Pro software continues to operate as normal in the foreground.
Because it is a free VPN, if users are happy with it, the chances are they will continue to use it for a long time, giving the trojans plenty of time to steal what they want.
How to avoid InterVPN and other malicious providers
At the risk of banging the same drum again, the best piece of advice to avoid falling victim to scams of this kind is to not use free VPNs.
We have warned many times in the past about how these supposedly free VPNs can pose a massive security risk. Many sell your data to unidentified third parties, work more as adware than VPNs, and have links to Communist China.
Cybersecurity experts are also warning people against downloading any VPNs that they come across on forums, message boards, and social media accounts. These platforms often boast fake reviews, false claims, and unreliable content.
If you want a VPN, you should only ever download content from official websites or credible VPN review sites like VPNCompare.co.uk.
You should also avoid free VPNs like VPN Pro and InterVPN at all costs and instead pay just a couple of pounds a month for a premium VPN that offers a high-quality and secure VPN service.
Linux VPN security warning
While avoiding security risks from free VPNs is fairly simple to do (don’t use them), researchers from the University of Mexico have recently revealed a broader VPN security concern.
The vulnerability affects most Linux and Unix-like operating systems and potentially allows a hacker to not only identify if a user is connected to a VPN but also possibly hijack their connection.
It is believed that OpenVPN, WireGuard, and IKEv2/IPSec connections are all potentially at risk.
According to the researchers, the vulnerability “allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.”
They can also determine the exact sequence and acknowledgement numbers by counting encrypted packets or examining their size. With this information, they would then be able to inject arbitrary data payloads into IPv4 and IPv6 TCP streams.
The researchers determined that this vulnerability did not affect any Linux distribution earlier than Ubuntu 19.10. They have specified that all versions that use ‘systemd’ and were released after November 28th last year, and also have their rp_filter (reverse path filtering) set to “loose” by default, are vulnerable.
The people behind WireGuard have already stressed that this isn’t a vulnerability with their protocol but does affect users because of how it is exploited in devices that are using WireGuard.
No fix yet – so here’s how to stay safe
At the time of writing, no further details on the vulnerability are available because no patch or permanent solution has yet been developed.
There are three mitigations which the researchers behind this discovery have suggested to minimise the risk of your VPN connection being compromised.
They recommend that you ‘turn Linux reverse path filtering on’. It has been set to off by default in all versions of Linux software for the past twelve months.
You should also ‘filter traffic for bogus IP addresses (also called bogons)’ which can limit vulnerabilities but will also potentially stop some legitimate traffic too.
They have also called on VPNs themselves to ‘encrypt packet size and timing’.
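One way to check the first mitigation on your own machine, shown here as an added example that is not from the researchers or the original article: the script below reads the kernel's per-interface rp_filter settings and reports which interfaces are not in strict mode. The function names, the CONF_ROOT variable and the file name rp_audit.sh are illustrative assumptions.

```shell
#!/bin/sh
# Added example: report the effective IPv4 reverse path filtering mode per interface.
# Kernel rule: the mode applied to an interface is the HIGHER of
# conf/all/rp_filter and conf/<iface>/rp_filter (0 = off, 1 = strict, 2 = loose).
# Function names and CONF_ROOT are illustrative, not from the article.

CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# effective_rp_filter ROOT IFACE: print 0, 1 or 2 for that interface.
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$1/$2/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# audit_rp_filter ROOT: print "<iface> <value> <label>" per interface and
# return non-zero if any interface is not in strict mode.
audit_rp_filter() {
    rc=0
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        case $iface in all|default) continue ;; esac
        mode=$(effective_rp_filter "$1" "$iface")
        case $mode in
            1) label=strict ;;
            2) label=loose; rc=1 ;;
            *) label=off; rc=1 ;;
        esac
        echo "$iface $mode $label"
    done
    return "$rc"
}

# Run "sh rp_audit.sh audit" to check the live system. To switch to strict mode:
#   sysctl -w net.ipv4.conf.all.rp_filter=1
# Because the higher value wins, an interface already set to 2 stays loose
# until its own conf/<iface>/rp_filter is also set to 1.
if [ "${1:-}" = "audit" ]; then
    audit_rp_filter "$CONF_ROOT"
fi
```

Strict mode can drop legitimate traffic on hosts with asymmetric routing or more than one uplink, so test it before making it permanent. The rp_filter setting applies to IPv4 only.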
So far the following systems are known to be vulnerable to this type of attack. Be aware that this list may not be exhaustive:
- Ubuntu 19.10 (systemd)
- Fedora (systemd)
- Debian 10.2 (systemd)
- Arch 2019.05 (systemd)
- Manjaro 18.1.1 (systemd)
- Devuan (sysV init)
- MX Linux 19 (Mepis+antiX)
- Void Linux (runit)
- Slackware 14.2 (rc.d)
- Deepin (rc.d)
- FreeBSD (rc.d)
- OpenBSD (rc.d)
The best advice to VPN users who are worried that their connection may be vulnerable is to keep their Linux operating systems updated as regularly as possible.
As soon as a fix for this vulnerability has been identified, it will be pushed out, meaning that regular updates are the best way to get your connection secured as fast as possible.