Ivacy and PureVPN, questionable business practices

December 04, 2016

One of my friends traveling to China recently asked me about some deals for VPN providers to bypass the Great Firewall and asked specifically about a few providers. Two of these caught my eye for a number of reasons, so let's start.

Locations

They share the same locations for the most part, and on top of that both engage in the very amusing practice of advertising fake locations without disclosing that they're fake. These "locations" use falsified WHOIS information to spoof where the IPs appear to be, while not having servers there. They are then advertised as actual locations. Here's an example from Ivacy.

airbears2-10-142-32-120:~ hzr$ traceroute lu1.dns2use.com
traceroute to lu.pointtoserver.com (104.250.173.4), 64 hops max, 52 byte packets
 1  xe-1/2/0-543.inr-306-sut.berkeley.edu (10.142.128.1)  1.499 ms  1.443 ms  1.117 ms
 2  t5-4.inr-202-reccev.berkeley.edu (128.32.0.58)  2.124 ms  1.642 ms  1.481 ms
 3  xe-5-2-0.inr-001-sut.berkeley.edu (128.32.0.66)  1.459 ms  1.601 ms  1.412 ms
 4  dc-sfo-agg-1--ucb-10ge.cenic.net (137.164.50.16)  2.356 ms  2.346 ms  2.358 ms
 5  dc-svl-agg4--sfo-agg1-10ge-2.cenic.net (137.164.22.7)  4.016 ms  3.945 ms  4.087 ms
 6  10-1-1-91.ear1.sanjose1.level3.net (4.15.122.45)  3.713 ms  4.197 ms  3.819 ms
 7  ae-1-9.edge2.sanjose3.level3.net (4.69.209.181)  4.120 ms  4.353 ms
    ae-3-19.edge2.sanjose3.level3.net (4.69.209.189)  4.057 ms
 8  xe-5-2-0.cr0-sjc1.ip4.gtt.net (77.67.69.97)  3.972 ms  4.188 ms
    tinet-level3-xe.sanjose3.level3.net (4.68.62.214)  4.122 ms
 9  et-7-3-0.cr1-atl1.ip4.gtt.net (89.149.182.237)  62.513 ms  62.435 ms  62.497 ms
10  as53889.xe-2-2-2-40.cr1.atl1.us.as4436.gtt.net (69.31.135.18)  62.523 ms  62.475 ms  62.718 ms
^C

airbears2-10-142-32-120:~ hzr$ ping 104.250.173.4
PING 104.250.173.4 (104.250.173.4): 56 data bytes
64 bytes from 104.250.173.4: icmp_seq=0 ttl=117 time=71.173 ms
64 bytes from 104.250.173.4: icmp_seq=1 ttl=117 time=72.093 ms
^C
--- 104.250.173.4 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 71.173/71.633/72.093/0.460 ms

I am reasonably sure that Luxembourg is not 60-70 milliseconds away from California. However, AS53889, Micfo LLC, just so happens to have a datacentre in Atlanta that is also announcing that /24 prefix.

Same goes for another randomly picked location, Turkey.

airbears2-10-142-32-120:~ hzr$ ping tr1.dns2use.com
PING tr.pointtoserver.com (192.241.70.172): 56 data bytes
64 bytes from 192.241.70.172: icmp_seq=0 ttl=108 time=72.314 ms
64 bytes from 192.241.70.172: icmp_seq=1 ttl=108 time=72.010 ms
64 bytes from 192.241.70.172: icmp_seq=2 ttl=108 time=73.958 ms
^C
--- 192.241.70.172 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 72.010/72.761/73.958/0.856 ms

72ms from California to Turkey is generally not a thing. However, that seems about right for Colocrossing Buffalo, NY, which announces this prefix via reseller B2 Net Solutions.
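The same sanity check in code, as an added example that is not part of the original post: it compares the minimum RTT from the two ping summaries above against the lowest round-trip time the great-circle distance allows. The city coordinates, the use of Istanbul to stand in for "Turkey", and the 2/3 c fibre speed are assumptions of this example.

```python
import math
import re

# Assumption: light in fibre covers about 2/3 of c, a common bound for delay-based geolocation.
FIBRE_KM_PER_MS = 299_792.458 / 1000 * 2 / 3
EARTH_RADIUS_KM = 6371.0

# Approximate city coordinates (assumed for this example, not from the post).
# Istanbul stands in for "Turkey".
COORDS = {
    "Berkeley": (37.87, -122.27),
    "Luxembourg": (49.61, 6.13),
    "Istanbul": (41.01, 28.98),
    "Atlanta": (33.75, -84.39),
    "Buffalo": (42.89, -78.88),
}

# ping summary lines copied from the two runs shown in the post.
PING_LU = "round-trip min/avg/max/stddev = 71.173/71.633/72.093/0.460 ms"
PING_TR = "round-trip min/avg/max/stddev = 72.010/72.761/73.958/0.856 ms"

def min_rtt_ms(summary):
    """Extract the minimum RTT from a BSD/macOS ping summary line."""
    m = re.search(r"=\s*([\d.]+)/[\d.]+/[\d.]+/[\d.]+\s*ms", summary)
    if m is None:
        raise ValueError("not a ping summary line: %r" % summary)
    return float(m.group(1))

def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def rtt_floor_ms(src, dst):
    """Lowest possible RTT: out and back along the great circle in fibre."""
    return 2 * great_circle_km(COORDS[src], COORDS[dst]) / FIBRE_KM_PER_MS

def location_possible(src, claimed, summary):
    """False when the measured minimum RTT is below the physical floor."""
    return min_rtt_ms(summary) >= rtt_floor_ms(src, claimed)

if __name__ == "__main__":
    for place, ping in (("Luxembourg", PING_LU), ("Atlanta", PING_LU),
                        ("Istanbul", PING_TR), ("Buffalo", PING_TR)):
        print(place, round(rtt_floor_ms("Berkeley", place), 1), location_possible("Berkeley", place, ping))
```

A measured RTT below the floor rules the claimed location out; an RTT above it only means the location is not excluded, since real routes are longer than the great circle.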

To their credit, some locations are actually marked with hostnames beginning with vl (presumably meaning virtual location), but a large number of the ones that are not marked as such (and so really should be present there) are actually fake locations as well. Most of the "VL" IPs are directly owned by PureVPN and have a netname of PUREVPN. However:

Neither of these, the "fake" or the "real" location, is in Sweden. In fact, they even share the same IP.

$ host vlus-se1.dns2use.com
vlus-se1.dns2use.com is an alias for vlus-se.pointtoserver.com.
vlus-se.pointtoserver.com has address 206.123.139.2
vlus-se.pointtoserver.com has address 198.56.192.68
vlus-se.pointtoserver.com has address 23.247.232.3
vlus-se.pointtoserver.com has address 23.247.232.131
vlus-se.pointtoserver.com has address 104.243.247.189

$ host se1.dns2use.com
se1.dns2use.com is an alias for se.pointtoserver.com.
se.pointtoserver.com has address 198.56.192.68

At a cursory glance of just a random selection, a huge number of their locations are not actual locations. Even after removing all the vl-hostnames, a large number of the non-vl hostnames still resolve to mostly US-based providers (Pakistan is Micfo, Atlanta, GA, US; Venezuela is Micfo, Atlanta; UAE is Ecatel/Quasi Networks, Amsterdam, Netherlands; etc).

Pretty much, you're not getting the locations you paid for.

Just some similarities

Here's Ivacy's Windows app, from their own support page.

[Screenshot: Ivacy's Windows app]

Here's PureVPN's app.

[Screenshot: PureVPN's Windows app]

See any similarities? Additionally, almost all (if not all) of Ivacy's location hostnames point directly at PureVPN's: dns2use is Ivacy's domain, pointtoserver is PureVPN's domain for server hostnames.

$ host ch1.dns2use.com
ch1.dns2use.com is an alias for ch.pointtoserver.com.
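
Both DNS observations, the Swedish "virtual" and "real" hostnames sharing an IP and the dns2use names aliasing into pointtoserver, can be checked mechanically. This is an added example, not part of the original post: it parses the `host` output shown on this page, and the function names and the naive two-label domain split are assumptions of the example.

```python
import re
from collections import defaultdict

# `host` output copied from the three lookups shown in the post.
HOST_OUTPUT = """\
vlus-se1.dns2use.com is an alias for vlus-se.pointtoserver.com.
vlus-se.pointtoserver.com has address 206.123.139.2
vlus-se.pointtoserver.com has address 198.56.192.68
vlus-se.pointtoserver.com has address 23.247.232.3
vlus-se.pointtoserver.com has address 23.247.232.131
vlus-se.pointtoserver.com has address 104.243.247.189
se1.dns2use.com is an alias for se.pointtoserver.com.
se.pointtoserver.com has address 198.56.192.68
ch1.dns2use.com is an alias for ch.pointtoserver.com.
"""

ALIAS = re.compile(r"^(\S+) is an alias for (\S+)\.$")
ADDR = re.compile(r"^(\S+) has address (\S+)$")

def parse_host(text):
    aliases, addrs = {}, defaultdict(set)
    for line in map(str.strip, text.splitlines()):
        if m := ALIAS.match(line):
            aliases[m.group(1)] = m.group(2)
        elif m := ADDR.match(line):
            addrs[m.group(1)].add(m.group(2))
    return aliases, addrs

def base_domain(name):
    # Naive last-two-labels split; fine for .com, use the Public Suffix List otherwise.
    return ".".join(name.rstrip(".").split(".")[-2:])

def resolve(name, aliases, addrs):
    hops = 0
    while name in aliases and hops < 8:  # follow CNAMEs with a hop limit
        name, hops = aliases[name], hops + 1
    return set(addrs.get(name, ()))

def cross_domain_aliases(aliases):
    return {n: t for n, t in aliases.items() if base_domain(n) != base_domain(t)}

def shared_with_virtual(aliases, addrs):
    """IPs reachable under both a vl-prefixed and an unmarked hostname."""
    virtual, plain = set(), set()
    for name in aliases:
        bucket = virtual if name.startswith("vl") else plain
        bucket.update(resolve(name, aliases, addrs))
    return virtual & plain
```

On the sample above, `cross_domain_aliases` flags all three dns2use names and `shared_with_virtual` returns the one address served under both `vlus-se1` and `se1`.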

  • Nowhere on Ivacy's site do they disclose the fact that your traffic is traversing PureVPN's network, domains, hostnames, or more (nor do they disclose their connections).
  • Ivacy is also well known on reddit for deceptive marketing.
  • Ivacy appears to be banned from Slickdeals, likely for shilling/spam. If you Google for the term site:slickdeals.net "ivacy", you'll notice several threads that are now deleted. If you view the cached copies, you will notice that the usernames posting them are random female FirstLast combinations, are new signups, and only post Ivacy comments.
  • PureVPN has the same deal. Search for site:slickdeals.net "It just caught my eye on Facebook" + "purevpn" and "NicoleB4285", "PeterS3066", "AshleyJ6475", and "JeffD1766".