I’ve Somehow Become Embroiled In a Byzantine VPN Scam
Does not compute.
If there's one nice thing you can say about the folks behind MySafeVPN, it's that they're extraordinarily persistent.
Overnight an email landed in my inbox from someone claiming to be Nicholas Levvy, announcing with great fanfare the launch of a "new VPN privacy service" called MyVPNHouse. Tucked in the email is the promise that, with MyVPNHouse, users of popular apps and platforms like Kodi (formerly known as XBMC), Plex, Windows, and Android will be able to "browse freely, stream freely, [and] download freely."
Things not mentioned in the email that maybe should have: MyVPNHouse resolves to MySafeVPN, and the customer service phone number is the same number I called earlier this week—only to be insulted repeatedly by the man on the other end of the line.
Of course, as Motherboard reported earlier this week, MySafeVPN appeared from out of nowhere on Monday, April 3, falsely claiming to be a new VPN service from streaming media startup Plex (though the one customer we spoke with who attempted to purchase the service never received it). Subsequent emails showed the people behind MySafeVPN also claiming affiliation with Boxee, a similar streaming media startup that Samsung acquired and then shut down in 2015. The whole situation has even spawned a parody fan account.
The folks behind this MySafeVPN/MyVPNHouse deception are merely tapping into the confusion and fear caused by President Trump and his Republican allies, who last week rammed through legislation to gut FCC online privacy protections that were scheduled to come into force later this year. Without these protections, internet service providers won't need your permission to sell your private data, including history, to the higher bidder (though, to be fair, multiple ISPs, including Comcast and Verizon, have claimed they have no current plans to do so). As such, there's been a renewed interest from the American press and public in VPNs, virtual private networks, which route your browser traffic through other countries, obscuring your activity from your provider and whoever they might want to sell it to.
But wait, there's more!
Listed at the bottom of the email (and seen above) is the supposed mailing address for MyVPNHouse. That address, it turns out, leads to a car rental place in Miami called Fox Rent A Car. Here's what it looks like on Google Street View:
Unfortunately, repeated calls this morning to Fox Rent A Car went unanswered, but I was treated to some delightful classical music while on hold for the better part of an hour. ¯\_(ツ)_/¯
You may also have noticed the name "tunnel bear" in the supplied Miami, Florida address. I'm sure you can guess where this is going.
"TunnelBear doesn't have any relationship with these fraudsters in any way," company co-founder Ryan Dochuk told me by email. "I'm not sure why they choose TunnelBear other than we're a popular solution during the recent ISP privacy rules change and they want to try and take [advantage]."
Dochuk, who noted that he sent a trademark cease and desist to the people behind MyVPNHouse, said it was "infuriating" to see someone "fraudulently representing our service" after he and his team have worked "extremely hard to build a VPN service and brand that people can really trust."
I then decided to fire up Skype to ask MySafeVPN/MyVPNHouse, as a prospective customer, about this whole TunnelBear/Miami rental car situation. Luckily, he picked up.
"No no, that's just the campaign name for the email that we sent out," he told me, in reference to my question about TunnelBear being listed as the business address. I then pressed further, noting that TunnelBear on Twitter had publicly disavowed any connection to MySafeVPN/MyVPNHouse. Can that be explained?
"A lot of people mistakenly thought that the campaign name meant that we were trying to say that we're part of them but that's no in fact what we were saying. There is a mailing company called MailChimp. They are based in Florida and they sent the email out. Their system sent it out and that's why you see the Florida address."
MailChimp, for the record, is based in Atlanta. The company closed at least one account belonging to MySafeVPN/MyVPNHouse after I contacted its press department and said it would be taking additional steps to prevent "any potential further activity."
As I said earlier this week, if you receive any scammy-looking VPN invitations, please send them to me directly at email@example.com or tweet me @nicholasadeleon, and I'll look into them. There are plenty of legitimate VPN services out there, so it's imperative to make sure you chose someone you can trust.
Be vigilant, friends.
Subscribe to pluspluspodcast , Motherboard's new show about the people and machines that are building our future.