Only a few days ago users starting noticing that PureVPN was hosting a malicious file on their blog. This file was obfuscated as a Microsoft office document. However, users found out that this file was infected with many dangerous components, including a windows password stealing trojan. Here are some screenshots of the examination of the file:
What does the hack mean?
Hosting a malicious file on a website is severe, as it could jeopardize the security of thousands of users who have access to the content–regardless of what part of the site it is hosted on, and in this case–it was the blog.
AirVPN, user Zhang888, contacted PureVPN the day of the hack to chat with support about the issue. However, support denied any allegations of the hack. Zhang asked PureVPN if they “were aware that [they] were hacked.” Pure VPN chat rep Daniel responded that he “is sorry for the inconvenience” and that Zhang should contact the email support. Upon further examination from Zhang, rep Daniel repeatedly denied any hack attempts or that PureVPN hosted malware. There is no question, however, that PureVPN was indeed hosting the file, as seen in this video proof.
Issues like these, regardless of their overall impact, are very concerning for users that rely on the service for their internet security and privacy. This also isn’t the first time PureVPN’s security has been called into question.
Earlier in 2013 PureVPN sent out an email from company founder Uzair Gadit–but after examination, it turned out that it wasn’t him at all. Gadit explained the issue by claiming it was a ” zero-day exploit breach found in WHMcs; 3rd party CRM that we use on our website.”
This malicious file was hosted on blog.purevpn.com/vpn_reqs.doc. As of now, the file and URL seem to be inactive. We will update this post when PureVPN replies to our inquiry about what happened the day of the issue.
UPDATE 4/14/2016:
PureVPN responded to the issue. Fahad Ali, head of strategic partnerships, told us to “keep in mind the blog people are talking about is blog.purevpn.com/tr/ which is an abandoned experiment by our marketing team for the Turkish region. Secondly, this experimental blog was never hosted on infrastructure managed by PureVPN. PureVPN’s staff worked with third-party and had this small VPS hosted for a specific reason, and for a specific time frame. In short, it has minimal-to-no impact whatsoever.
Useful articles:
How to Pay for VPN Anonymously
Infographic Guide to Internet Privacy