VPN security

The recent troubles with VPNs that undermine users’ security

Founder, Privacy PC


David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.
July 24, 2019



A virtual private network isn’t only an indispensable part of a privacy-minded user’s toolkit.

It’s also becoming a mainstream instrument suitable for various purposes.

Some people opt for these services to access geo-restricted content, some do it for safe torrenting, and others want to avoid data caps. As a matter of fact, the potential uses go far beyond private web surfing.

The VPN industry is booming – and cybercriminals’ interest has been piqued. For the average user, this technology evokes trust because it’s marketed as a reliable barrier between their sensitive information and the internet.

It’s this trust that threat actors try to abuse, using malware campaigns that prey on people’s confidence in a hassle-free virtual private networking experience. The recently unveiled attack vectors demonstrate how intricate the crooks’ tactics can get.

Rogue VPN tool promoting an info stealer

In early May 2019, security analysts came across a malware-riddled VPN application called Pirate Chick. On the face of it, this tool looks just like a commonplace VPN with a three-month trial lure and no credit card requirements.

It has a nifty official website containing terms of service and privacy policy that add shades of legitimacy to the solution. All of this is just the tip of the iceberg, though.

Upon closer inspection, Pirate Chick turned out to have a surreptitious feature on board. It establishes a furtive connection with a remote server and downloads harmful components behind the user’s back. One such unwelcome payload is an info-stealing Trojan codenamed AZORult.

At the first stage of the incursion, the booby-trapped VPN installer performs a series of checks on the host. It starts by scanning the computer for popular traffic analysis and debugging tools, such as Wireshark, Fiddler, and Process Hacker. If any of these is found, the Trojan won’t be installed.

Then, the dodgy setup client determines the would-be victim’s location based on their IP address. If the country is Russia, Belarus, Kazakhstan, or Ukraine, the malicious phase of the stratagem won’t take effect. It doesn’t get triggered either if the installation is performed on a virtual machine.

If the stars align for the criminals and the target system meets all of these criteria, the rogue utility downloads a file in TXT format from piratechickvpn.com and de-obfuscates the string via a base64 decoding routine.

Until recently, the resulting fully-fledged executable was the AZORult password-stealing infection, although the current payload is the legitimate Sysinternals Process Monitor program (procmon.exe).
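The download-then-decode step above is a useful triage point for defenders: a file served as “text” that base64-decodes to a Windows executable is worth a second look regardless of what it turns out to be. The following Python is an added example written for this article, not code from the campaign or from any researcher cited here; the sample payload is constructed in the script (a minimal fake MZ/PE header, not a real program), and nothing is fetched from the network.

```python
import base64
import binascii
import struct


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: a DOS stub whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature.
    It is not runnable and exists only to exercise the checker."""
    dos_header = bytearray(b"MZ" + b"\x00" * 58)      # 60 bytes up to 0x3C
    dos_header += struct.pack("<I", 64)               # e_lfanew -> offset 64
    pe_signature = b"PE\x00\x00" + b"\x00" * 20       # signature + padding
    return bytes(dos_header) + pe_signature


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew points at a
    PE signature. This is the same check a triage script runs on a blob
    before deciding whether it needs full analysis."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_text_payload(text: str) -> str:
    """Classify a 'text' download as one of:
    'pe-in-base64'  - base64 that decodes to a PE image (flag for analysis)
    'base64-other'  - valid base64, but not an executable
    'not-base64'    - cannot be decoded as base64 at all
    Whitespace is stripped first because base64 blobs are often line-wrapped."""
    stripped = "".join(text.split())
    try:
        decoded = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    return "pe-in-base64" if looks_like_pe(decoded) else "base64-other"


# Constructed inputs for demonstration (assumed, not observed samples).
SUSPICIOUS_TXT = base64.b64encode(build_fake_pe()).decode("ascii")
BENIGN_TXT = base64.b64encode(b"server=vpn.example.test\nport=443\n").decode("ascii")
PLAIN_TXT = "This is not base64 at all!"

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_TXT),
                        ("benign", BENIGN_TXT),
                        ("plain", PLAIN_TXT)):
        print(f"{label}: {classify_text_payload(blob)}")
```

Note that the check flags any PE image, so it would also fire on the legitimate procmon.exe the campaign currently delivers; that is intended. The point of the triage is that a VPN installer has no business pulling an executable disguised as a text file, whatever the executable happens to be today.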

However, researchers believe the latter is temporary padding in the malicious campaign that can be superseded by an arbitrary piece of malware at any time.

It’s only after the covert payload is downloaded and launched on the computer that the actual Pirate Chick VPN setup screen appears. All in all, it seems to be just a red herring that distracts the victim from the hidden menace.

The distribution of this controversial VPN tool relies on a bundling hoax: users mostly get it alongside a phony Flash Player update. The installer is signed with a valid digital certificate, which allows it to slip below the radar of AV suites.

Mobile VPNs pushed by misleading alerts

In a large-scale wave of malvertising discovered in April 2019, devious affiliates of mobile VPN services have been duping smartphone users into purchasing the licenses for products they promote.

The unprincipled marketers’ tactic boils down to ads camouflaged as virus alerts or notifications about an ongoing hacker intrusion aimed at tracking the victim’s activity on the device. A vast majority of the targets are iPhone users.

To set this scam in motion, the fraudsters take advantage of ad networks with a dubious reputation. They purchase campaigns that redirect users to faux landing pages containing the pseudo alerts.

The make-believe warnings that try to get victims on the hook come down to several scare themes.

One is about an alleged infestation of the smartphone with viruses; another one circles around a hacker tracking the victim, and yet another is about major corporations purportedly surveilling the user’s web browsing. Regardless of the category, the ads recommend installing a mobile VPN app to sort things out.

It’s unclear at this point whether the VPN software publishers are aware of this fishy promotion method utilized by their affiliates. One way or another, the fraud is currently in full swing. The takeaway from this ruse is to avoid falling for online ads that report “critical” issues to push VPN apps.

Gaping security hole found in multiple VPN apps

A report about a critical vulnerability affecting popular VPN services hit the headlines in mid-April 2019 and became a major concern for numerous end users and enterprises.

The weakness concerns insecure storage of sensitive data. The vendors that weren’t following proper information handling practices include such giants as Cisco, Palo Alto Networks, F5 Networks, and Pulse Secure.

The flaw that quickly became the talk of the town turned out to be fairly prosaic: the vulnerable VPN products stored user authentication data or session cookies in memory or log files. To top it off, this information was retained in unencrypted form.

This could expose the confidential records to interception by hackers. With a stolen session cookie, malefactors may be able to perpetrate MitM (Man-in-the-Middle) attacks and thereby gain a foothold on the target system to conduct reconnaissance or deposit malware.

Researchers have additionally stated that the faulty data storage issue could span a wide range of VPN tools beyond the original list, possibly hundreds of them.

Whereas Palo Alto Networks and Pulse Secure have since provided emergency patches, the products by Cisco and F5 Networks still appear to be susceptible to the problem at the time of writing. Under the circumstances, VPN users should consider enabling 2FA (two-factor authentication) or using OTP (one-time password) as their login method.


Any software or electronic system has weaknesses, even one as intrinsically security-focused as a VPN. However, the pitfalls covered in this article should by no means discourage people from using virtual private network tools.

They are extremely useful for anonymous web browsing, avoiding location-based filters and thwarting all forms of online surveillance.

Some extra caution is certainly worthwhile, though. Users should do their homework and examine the reputation as well as possible vulnerabilities of a VPN service before opting for it.

Furthermore, the installation should be a matter of an informed decision rather than an outcome of pressure stemming from deceptive online ads.
