Private cyber security company Bitdefender has revealed information about Iranian spyware that steals people’s sensitive information through VPN software.
The Romanian company has reported efforts by the Iranian regime to harvest information about people using virtual private networks, or VPNs.
Iran has been filtering internet content for more than two decades, but in the past four months, amid anti-government protests, the government has regularly shut down access and blocked popular apps like Instagram and WhatsApp.
While most people around the world take Internet access for granted, users in Iran must try dozens of apps and VPNs before finding a way to bypass ISP restrictions. While some VPNs are fake or blocked, others, such as 20Speed VPN, have been intentionally laced with malware. This spyware enters the victim’s computer when the user installs a file meant to bypass the filtering.
Since 2020, when people started working remotely from home, the problem of monitoring the performance and productivity of enterprise employees appeared. The solution comes in the form of monitoring software. One of the companies offering such services is SecondEye, whose many capabilities include screen recording, keystroke logging, and live screen viewing, among others. The monitoring software was developed in Iran and is legally distributed through the developer’s website.
At the beginning of the year, Blackpoint Cyber, which specializes in stopping cyberthreats, identified and responded to two identical suspicious File Transfer Protocol (FTP) incidents connected to a server in Iran over a two-month period. This server has been identified as belonging to SecondEye.
Researchers at Bitdefender, as well as Blackpoint, have discovered a malware campaign that uses components of the SecondEye package and its infrastructure to spy on users of the Iran-based VPN service 20Speed, delivered through trojanized installers: VPN software that installs spyware components along with the VPN product. The software, as well as the other product, EyeSpy, has the ability to completely compromise online privacy by keylogging and stealing sensitive data such as documents, images, crypto wallets, and passwords.
[Figure: screenshot of the homepage of 20Speed VPN, which masquerades as a normal VPN while accessing a victim’s computer and stealing their sensitive data]
The campaign began in May 2022, but detections peaked in August and September as Iranians rushed to use VPNs to bypass government restrictions. Most of the new detections originate from Iran, with a small pool of victims in Germany and the United States.
The 20Speed website is one of the most popular websites for Iranians to purchase VPN subscriptions. The website has been active among Iranian users for nearly 7 years. But if its VPN is full of malware and collects personal data, the company cannot protect that data from Iran’s intelligence services, which can simply request and receive access.
According to US-based Similarweb, which reviews and analyzes website statistics worldwide and provides behind-the-scenes analytics for every site online, 20Speed’s main website received nearly one million visits in the three months ending in December 2022, most of them from Iran. Moreover, the Android version of this VPN, which is also available on the Google Play Store, has over 100,000 active installs.
In early January, the Islamic Republic decided to take action against those who sell VPNs to people and those who use circumvention software, further restricting access to the Internet. The Justice Department, along with the Communications Ministry, will take legal action against “unauthorized vendors of VPNs and circumvention tools,” local media reported. This is a measure to clamp down on genuine VPNs in favor of software that the government can monitor.
Almost all companies selling VPN services within Iran are affiliated with the government or government organizations. Most of these companies have raised their fees dramatically over the past three months, during which Iranians have rushed to buy them to access the Internet. Many Iranians cannot afford the higher prices for VPNs as the price of food and other necessities has skyrocketed.
In the long term, if this trend continues, it is possible that low-income people will gradually lose access to the global Internet, similar to what is happening in China and these days in Russia. The security of such services is another issue, as the Islamic Republic can easily access any information that users access through a VPN.
Iranians’ use of VPNs rose more than 3,000 percent in September, when Mahsa Amini was killed, amid increasing restrictions on Internet access.
“Daily demand for VPN services in Iran has increased by more than 3000% compared to before the protests,” Simon Migliano, head of research at Top10VPN, told Axios, adding, “Given that demand was already healthy before social media was shut down, this is a huge jump.”