Phony VPN Services Are Cashing in on America's War on Privacy
Don't look now, but online scammers are already hard at work taking advantage of newly signed legislation that allows Internet Service Providers to sell your online privacy, including your web browser history, to the highest bidder without your consent.
I received an email yesterday from a purported Virtual Private Network (VPN) provider called MySafeVPN claiming to be affiliated with Plex, the streaming media startup that I've written about many times in the past. The email led with ominous marketing speak alluding to "recent changes to US privacy bills, UK privacy laws, and more," asserting that Plex users concerned about their ISP gaining access to their download history should, you know, sign up for their VPN service. How convenient.
Intrigued by the email (wait, Plex is getting into the VPN business? That seems… fake, and so does this email), I immediately forwarded it to Scott Olechowski, Plex's co-founder and Chief Product Officer.
"I assume this isn't you guys?" I asked.
Olechowski replied two minutes later.
"This is *absolutely not* a Plex affiliated service or offering," he said. "If anything, it suggests that mysafevpn.com is super sketchy and we would recommend using almost any other VPN service with your Plex Media Server."
All of this got even more interesting when I discovered that former Boxee users (Plex and Boxee were rivals in the late 2000s; Samsung eventually bought and then shuttered Boxee in 2015) have received similar emails from MySafeVPN, this time claiming that Boxee was "back" as the VPN service, according to screenshots of these emails posted in the Plex message board.
What links Plex and Boxee, besides the fact that they were, once upon a time, rivals? Both of these services' message boards were hacked, Boxee's in April 2014 and Plex's in July 2015, exposing users' email addresses (and other data) to hackers.
Satnam Narang, Senior Security Response Manager, Norton by Symantec, told me that it's likely that MySafeVPN used the data from the hacked message boards to contact current and former Plex and Boxee users.
"Because it's being sent to current or former Plex users, it presents itself as credible even though it is not," Narang told me. "This could possibly convince users to provide personally identifiable information, financial information (credit cards) or result in direct financial loss (signing up for a 'subscription' and having their accounts debited but not being provided this VPN service)."
The story gets even weirder when I attempted to contact MySafeVPN, whose website, according to WHOIS records, was only created on March 30 and whose Twitter account has only two measly tweets. (If that's not suspicious enough, visiting the website also triggers an anti-virus warning, according to a user on the Plex message board.) An email sent April 3 to firstname.lastname@example.org seeking comment went unanswered, so on the morning of April 4 I picked up the phone (well, used a VoIP app on my PC) and started making some calls.
A man answered the listed MySafeVPN phone number (877-745-1560) and we began a brief and strange conversation, which culminated in me asking how MySafeVPN was affiliated with Plex when Plex's co-founder and chief product officer said there was no affiliation. The man on the phone said there wasn't an official affiliation per se, but that "Plex devs" had built the service. Which, well, is completely the opposite of what the email said ("Plex media server has now released a new service called MySafeVPN.com."). Bizarrely, the man then claimed that if Plex didn't want its developers moonlighting as VPN engineers it should "take care of them better."
When I later relayed the above conversation to Olechowski, the Plex co-founder and chief product officer, he could only reply with one word: "Douchecanoes." Sad!
Now, a member of the Plex message board who goes by the handle tiefel did, in fact, try to subscribe to MySafeVPN, handing over $24.99 via PayPal for a three-month subscription. But, as he later told me via email, he "started to suspect the validity of MySafeVPN" when he couldn't find the actual VPN server to connect to. How about that? A company selling VPN service that doesn't actually offer a VPN server to connect to. That's some business model!
The MySafeVPN invoice, which tiefel shared with me (seen above), lists the main website as well as two additional pieces of juicy info: a second website (myhappiness.com) and an email address (email@example.com). An email to that address, asking whether Pav was also involved with MySafeVPN, went unanswered for about 30 minutes, while a phone number listed on myhappiness.com went straight to the voicemail of a woman named Emily. I left a message.
A short 30 minutes later a reply from firstname.lastname@example.org arrived in my inbox.
"Yes I am [involved with MySafeVPN], how can I help you?" read the email.
That's when my phone rang.
"Who do you think you are?" the man on the other end of the phone asked.
"Uh, what?" I stammered. "Wait, are you Pavel? Are you the same guy running MySafeVPN?"
"MySafe-What? What are you talking about?"
"MySafeVPN. A source who attempted to buy the VPN service sent me an invoice and it had your contact information on it. Are you the same guy? Are you sister companies or something?"
The man then claimed that I was breaking up, but I persisted.
"I'm curious as to why you're pretending to be affiliated with both Plex and Boxee, when Plex outright denies having anything to do with you and Boxee has been dead for two years."
The man proceeded to insult me, calling me all sorts of names including a "shit disturber," which I said didn't make any sense. He then asked me why I was even writing this story.
"Because you're trying to steal money from people by claiming to be something that you're not, that's why."
At this point, the man went ballistic, asking if I was bullied in middle school (I told him that I was bullied in elementary school but didn't see how that was relevant) and saying that the only reason I was writing the story was because the "Plex owner" would "wank me off" in exchange for some press. I laughed out loud because that was a baseless accusation. He then called me a "nerd in front of a computer," a charge I readily agreed with.
My new friend "Pav" then hung up on me.
But back to tiefel. After he contacted PayPal to get his money back, someone calling himself "Nick" from MySafeVPN texted him, according to a copy of the conversation that he sent me, saying he was happy to return his money—but not before trying the hard sell one last time.
"Are you sure you do not want to try the service?" Nick asked. "I have no problem refunding you but I don't want you to miss out because of some bad talk from corporate suits at plex."
Tiefel wasn't buying what Nick was selling, and PayPal processed the refund.
That online scammers are now attempting to piggyback on the confusion caused by Donald Trump and the Republican Party's wholesale selling out of your online privacy shouldn't be too surprising: in the days after Congress passed the legislation, numerous outlets, including Motherboard, published guides on how to select and properly configure a VPN to minimize the risk of your private data being sold to the highest bidder (even if they can sometimes be difficult to use).
Satnam Narang, the Norton by Symantec security response manager, told me that "users should be skeptical on social media and via email of scammers looking to capitalize on their interest in VPNs." For a list of VPNs trusted by Motherboard, you can check out our guide here.
Stay vigilant, friends.
Update: April 6, 2017: VPN provider TunnelBear threatened MySafeVPN with a cease and desist after MySafeVPN falsely claimed an association with it, and email marketing provider MailChimp closed at least one of MySafeVPN's accounts. Read more here.
Update: April 7, 2017: MySafeVPN is no longer online.