Explainer: Why free VPN services are so risky and what to look out for when using them

SINGAPORE, June 3 — A man from China was recently arrested in Singapore for allegedly infecting millions of computers around the world with malware bundled in free Virtual Private Network (VPN) programmes.

Wang Yunhe, 35, was arrested on May 24 in a multi-jurisdiction operation led by the United States Department of Justice (DOJ). The Singapore Police Force was among the law enforcement agencies involved in his arrest.

VPN services allow users to browse privately or access content on streaming websites that may be blocked in certain places.

The DOJ said in a press release on May 24 that Wang allegedly bundled the malware through VPN programmes such as MaskVPN and DewVPN, and also with pirated software.

He allegedly disseminated the malware to amass a network of millions of infected Windows computers in homes worldwide and created a residential proxy service known as “911 S5”.

A residential proxy service allows someone to rent a home IP address to use it as a relay for their internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

The infected devices were associated with “more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States”, said the press release.

An IP address is a unique string of numbers used to identify each computer or device.

Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.

These criminals used the hijacked computers to conceal their identities and commit various crimes. These included financial crimes, stalking, transmitting bomb threats, illegal exportation of goods, and receiving and sending child exploitation materials.

From 2018 until July 2022, Wang allegedly received approximately US$99 million (RM465 million) from selling the hijacked proxied IP addresses, either in cryptocurrency or fiat currency.

He used the illicit proceeds to buy property in the United States, St Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates.

TODAY spoke to cyber security experts to understand the risks around free VPN programmes and how users can better protect themselves against malware.

What is a VPN and how popular is it in Singapore?

A VPN is a type of software that creates a virtual encrypted tunnel over the Internet, said Mr Kevin Reed, chief information security officer at technology firm Acronis.

A virtual encrypted tunnel is a secure, private pathway on the internet that keeps data safe and hidden from others while browsing.

This allows companies to provide remote access for their employees to corporate services, said Mr Reed.

Mr Kenny Yeo, who heads the Asia Pacific cybersecurity practice at consultancy firm Frost & Sullivan, added: “For business users, VPN is a crucial security tool that allows for secure connections to central IT resources and data.

“This security control has been around for a long time and is commonplace in corporate environments.”

However, experts said VPNs are used differently in non-business environments.

Most individuals use VPN services to protect their online privacy or circumvent geo-locked content restrictions on streaming websites. For example, someone in Singapore could use such a service to watch content that can only be viewed in the United Kingdom.

“It is this allure of restricted content that cybercriminals are tapping, with the promise of unknown downloads or apps providing access,” said Mr Yeo.

A 2023 survey commissioned by VPN provider NordVPN found that Singapore is one of the top locations globally in terms of VPN usage, alongside Hong Kong and Malaysia.

The survey also found that respondents in the three places are the most enthusiastic users of free VPNs.

The survey was conducted between January and October last year, involving 54,625 respondents across 20 countries.

In 2018, consumer research firm GlobalWebIndex surveyed 138,962 internet users aged 16 to 64 across 40 countries and found that 45 per cent of Singapore users would use VPN to access better entertainment content.

How bad actors make use of free VPN

A common security risk associated with free VPNs is that there can be “limited or no confidentiality” regarding data privacy, said Associate Professor Razwana Begum from the Singapore University of Social Sciences (SUSS).

“The data can be sold to others for profit, and IP addresses can be leaked to bad actors,” said Assoc Prof Begum, who is from SUSS’ School of Humanities and Behavioural Sciences.

She added that such VPNs often have limited encryption and weak data protection protocols, which are inadequate to protect against hackers, surveillance or other threats.

Mr Reed from Acronis added that installing a free VPN service is akin to allowing “unknown, unvetted software running on your laptop”.

Running any VPN service has costs, like maintenance or dealing with complaints, and there needs to be a way to cover these costs, he said.

“If the VPN user is not paying, they are not customers. It’s fair to ask, who is the customer then?” added Mr Reed.

“Free VPN services can sell your information, like browsing data, which is already intrusive, but they can also try to do other, more damaging things, as we have witnessed in this case.”

However, not all free VPNs necessarily pose a more significant risk than paid services, other experts noted.

Mr Ali Fazeli, a cybersecurity expert at cybersecurity research and development company Nexvision Lab, said: “Not all free VPN services are ‘bad’ or cause security issues. It is those containing malicious software or fake VPNs that can be dangerous.”

This was the case for Wang, who allegedly created websites offering free VPN services and packaged them within pirated video games and software that victims downloaded on their devices.

Mr Fazeli said such programmes might use “man-in-the-middle attacks”, where attackers intercept and change communications between a user and the VPN server. This can lead to data breaches and compromised security.

Once a download was complete, the VPN application and proxy backdoor were both installed silently on victims’ devices without their consent, said Mr Fazeli.

“A proxy backdoor is a hidden way for someone to control the user’s computer or network without the user’s permission,” he added.

This “backdoor” enabled Wang to re-route criminals’ devices through those of the victims and allowed the criminals to carry out illegal activities.

How VPN users can stay safe

Mr Reed from Acronis said it is “hard to impossible for an average person to distinguish benign VPNs from malicious ones”.

“One can assume that their traffic information will be almost always resold by the VPN provider for an extra small profit,” he added.

As such, users should take precautions and conduct their due diligence before using any VPN.

“First, users should avoid downloading pirated software, games, or movies because they can contain harmful codes,” said Mr Fazeli. “If users want to use a VPN, I suggest using one with good reviews for added security.”

Other ways to stay safe are to pick a VPN with a good reputation and to check reviews and ratings from trusted sources to see what others think about it.

Mr Reed added that this includes whether the VPN provider has a history of independent audits and a legally binding privacy policy.

Experts also said users should download software from official sources such as the company’s website, Google Play Store, or Apple App Store to minimise risks.

While there are reliable free VPN services, there are also cases where the offer can be too good to be true.

“Running VPN servers is expensive,” said Mr Fazeli. “Free VPNs often make money through advertisements, data logging, or selling your information. Be cautious with free services.”

Assoc Prof Begum added that users should consider the need for VPNs at all, especially if they are used at work and when dealing with sensitive data.

She added: “If it is for a normal, routine search, a free VPN can be considered, but the user must understand the danger.

“They must also be vigilant with cyber hygiene and security — downloading anti-virus and anti-malware, and not opening unknown emails or links.” — TODAY