Google, Hola VPN, and "Unusual traffic from your computer network"
This morning my organization's users were greeted with a captcha from Google along with a page stating the following:

"This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.

This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests. If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible."

Following the "Learn More" link provides an interesting bit of information:

"If the blocking started within the past few weeks, it is likely to be related to the use of the "Hola VPN" browser plugin, or a program for Mac/Win/Android/iOS. The best thing to do is to uninstall the Hola VPN from your computer or network."

We were able to identify two users on our network with the Hola VPN Chrome extension installed (interestingly enough it's still available in the Chrome web store). There have been several reports over the last few months about Hola VPN and related security issues:

https://torrentfreak.com/hola-vpn-sells-users-bandwidth-150528/

Our proxy has hola.org blocked, but now I'm curious as to how Google identified these connections if they were in fact blocked. Is anyone familiar with the Hola VPN architecture and/or gateway IPs that we can look for in our logs? Perhaps there are others that experienced this recently?
Anonymous

I had the same issue a while back. I found that the browser plugin makes constant requests to Google subnets 216.58.216.0/24 and 74.125.196.0/24. The user agent it uses is called "hola_get" and looks like it constantly checks for connectivity.

So blocking the Hola site will protect against users getting to the site, but it won't help if users already have the plugin installed. If you have TippingPoint, they have a filter for the plugin (#19877), or you could set an alert for the user agent and have your users uninstall the plugin as it triggers.

Session information:

GET /blank.html HTTP/1.1
Connection: Keep-Alive
Host: www.google.com
User-Agent: hola_get
Anonymous
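
The user-agent check suggested in the reply above, as an added example that is not part of the original thread: it scans proxy access logs for the "hola_get" user agent and lists the internal clients sending it, including clients whose requests the proxy denied. The combined log format, the function name and the sample lines are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout (combined log format):
# client - - [timestamp] "METHOD url proto" status bytes "referer" "user agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
HOLA_UA = "hola_get"  # user agent reported in the reply above

# Constructed sample lines, not taken from any real log
SAMPLE_LOG = """\
10.0.4.17 - - [02/Jun/2015:08:01:12 +0000] "GET http://www.google.com/blank.html HTTP/1.1" 200 0 "-" "hola_get"
10.0.4.17 - - [02/Jun/2015:08:01:42 +0000] "GET http://www.google.com/blank.html HTTP/1.1" 200 0 "-" "hola_get"
10.0.9.33 - - [02/Jun/2015:08:02:05 +0000] "GET http://www.google.com/search?q=vpn HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/43.0"
10.0.7.52 - - [02/Jun/2015:08:03:30 +0000] "GET http://www.google.com/blank.html HTTP/1.1" 403 0 "-" "Hola_Get"
this line is malformed and must be skipped
"""

def find_hola_clients(log_text):
    """Return {client: {"hits", "first", "last", "denied"}} for hola_get requests."""
    clients = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "denied": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["ua"].strip().lower() != HOLA_UA:
            continue  # unparseable line or unrelated user agent
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = clients[m["client"]]
        rec["hits"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        # A denied request still shows the plugin is installed on that host
        if m["status"] == "403":
            rec["denied"] += 1
    return dict(clients)

if __name__ == "__main__":
    for client, rec in sorted(find_hola_clients(SAMPLE_LOG).items()):
        print(f"{client}: {rec['hits']} hola_get requests ({rec['denied']} denied), "
              f"{rec['first']:%H:%M:%S} to {rec['last']:%H:%M:%S}")
```

Counting denied requests separately matters here because a proxy block stops the traffic but not the plugin, so the client address is still the host to clean up.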
