So this happened yesterday and I am a bit puzzled at how it happened, let me explain:
Yesterday, I was working from home as usual and I needed to reply to a message on LinkedIn so I logged into it on my personal computer. While I was there I saw a notification telling me that the access to LinkedIn Learning provided by my employer needed to be activated and I must do so before some date, so I followed it and logged in. It asked me for my employer’s network login credentials, so I entered email and password. It allowed me in, I could see all the courses I had half-way, nothing special. I carried on with my day.
A couple of hours later I got a message from IT asking me if someone had logged into my account from a NordVPN IP. I told them it was me and my account had not been compromised. But I am puzzled, how could they know that my IP was owned by NordVPN? On my personal computer I always connect to the internet via this VPN, it’s correct, but I entered the IP address they had logged into a “who owns this IP” website I found and it pointed to a more generic internet organization, not a VPN provider, much less NordVPN.
Does anyone know how they could know that? I’d say I know the basics regarding online privacy but that’s about it.
This is off topic, but NordVPN is the absolute pinnacle of false advertising and untrustworthiness. You probably do not want to use them if you care about your traffic’s privacy.
Easy, NordVPN is famous, so security firms crawl the VPN network and find almost all the IPs they’d use for VPN and put them on a list.
When you log in to your employer’s network, this triggers a red flag - because this is a new IP that’s different from where you usually log in from - and they confirmed it was from NordVPN.
This sounds like lots of work involved but this is what sys admins and infosec guys do.
But I am puzzled, how could they know that my IP was owned by NordVPN?
Suspected VPN IPs are tracked, because they can be more problematic to the owner of the site/service that a VPN user is visiting. For example, VPNs can allow users to bypass geographical limitations (Netflix). Also, malicious users often use VPNs in an attempt to make their activities more difficult to trace. Some organizations will add CAPTCHAs if they suspect a VPN (because malicious users are more likely to use automated access). Some organizations (banking) may prohibit VPNs. Organizations tend to react even more severely to Tor than to VPNs.
but I entered the IP address they had logged into a “who owns this IP” website I found and it pointed to a more generic internet organization, not a VPN provider, much less NordVPN.
Multiple organizations compile lists of known / suspected VPN addresses. Not all lists are the same or equally comprehensive. I’d suspect the free data is not necessarily the highest quality data. The article below provides additional details about things like port scanning that can identify a VPN: https://vpnapi.io/article/how-to-identify-vpn-ip-address/
Apparently some security solutions own a list of VPN IPs (same as how Tor nodes are identified); however, some of the IPs are really owned by the VPN company, but more than that, almost every VPN provider rents machines and IPs from VPS providers like M247.
After you connected to NordVPN, can you visit https://www.ip2proxy.com and see if it detects your IP address as from NordVPN? If yes, your IT might be using their service.
There’s no point in logging into any account associated with your info while using a VPN.
If you are concerned about your privacy, I suggest you study some networking basics so you can make good choices about this matter.
False advertising? How is that? They’re one of the bigger players out there, but I haven’t heard of anything too bad about them in terms of untrustworthiness.
Of course they will sell my data if the government comes knocking, but other than that, how are they tricking people? Is there any report? I would be thankful for the info.
Indeed, all that you say is true. I don’t really care about them knowing which IP I come from since that’s why I use the VPN anyway. This was also my personal computer, so my employer knowing or not whether I use VPN on my personal computer shouldn’t be their business. My question was more about how did they know that this IP belongs to NordVPN when I cannot find that online anywhere.
Do they keep lists of IP addresses and who owns or is thought to own them?
Thanks! The info shown in those websites comes from some kind of library, doesn’t it? I mean the IP number alone doesn’t have that much info in itself.
First, they make claims they don’t prove. They claim they don’t keep logs but they aren’t open source and they only ever refer to an unnamed consulting firm’s investigation as their evidence.
Next, they were compromised, knew they were compromised, and took a year to inform users. This shows a lack of trustworthiness. They are “one of the major players” because they spend massive amounts on advertising. Everything they do is shady and untrustworthy, and they seem to be highly focused on profits which isn’t good if you are looking at it from a security perspective.
Oh yes, definitely. Commercial VPNs are considered high risk in the enterprise world because of their potential to help mask adversaries.
On the proxycheck.io site, go to the “Threats” section and enter your NordVPN IP address. I bet it’ll get a “Risk Score: 73% - VERY DANGEROUS” rating, the same as what I get with Mullvad or IVPN. You can also visit their blog for more knowledge. There’s a blog entry there titled “Our 2021 Retrospective” which should give you an idea of how they operate.
There are databases that contain IP pools, the providers they’re associated with, the customers of those providers (Nord in your case), and cross reference them with other databases containing various details like company contact details, ownership, company policies, and possibly even litigation history. The APIs just check the IP address against these databases and connect all the data points.
Every time we connect to any website our IP address is sent to the server, so LinkedIn knows where you logged in from.
I don’t know how your employer gets this information, but supposing that LinkedIn allows him to do that, it’s not hard to discover if an IP is a VPN’s.
Just google “ip reputation lookup” and you’ll find plenty of resources to check if any IP address belongs to a VPN.
Services like Netflix do this natively to block people from watching geo-restricted content.
Thanks!! So there are “libraries” of IPs that they can access and check, that’s how! I’d suspect something like that since I didn’t know that the ownership was something you could tell from the IP number alone, without looking it up anywhere.
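An added illustration, not part of any post in this thread: a minimal sketch of the lookup the replies describe, where a sign-in IP is checked against a reputation list of VPN ranges as well as against the registry allocation that a "who owns this IP" site shows. All ranges, provider names and log entries are constructed (documentation address space), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real allocations).
# Registry view: who the block is allocated to (what a "who owns this IP" site shows).
REGISTRY = {
    "203.0.113.0/24": "ExampleHosting Ltd",   # hypothetical VPS provider
    "198.51.100.0/24": "Example Home ISP",
}
# Reputation view: sub-ranges a vendor has tagged as VPN exits.
VPN_RANGES = {
    "203.0.113.64/26": "ExampleVPN",          # hypothetical VPN renting from the host above
}

def longest_match(ip, table):
    """Return the label of the most specific network in table containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, label in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None

def review_sign_ins(events):
    """Flag sign-ins from a tagged VPN range that the user has not used before."""
    seen = {}      # user -> set of source IPs already observed
    alerts = []
    for user, ip in events:
        known = seen.setdefault(user, set())
        vpn = longest_match(ip, VPN_RANGES)
        if vpn and ip not in known:
            alerts.append({"user": user, "ip": ip,
                           "registry_owner": longest_match(ip, REGISTRY),
                           "vpn_provider": vpn})
        known.add(ip)
    return alerts

# Constructed sign-in log: (user, source IP)
SIGN_INS = [
    ("alice", "198.51.100.23"),   # usual home ISP address
    ("alice", "203.0.113.70"),    # first sign-in from a tagged VPN exit
    ("alice", "203.0.113.70"),    # repeat, already seen
    ("bob",   "203.0.113.10"),    # same hosting block, outside the VPN sub-range
]

if __name__ == "__main__":
    for alert in review_sign_ins(SIGN_INS):
        print(alert)
```

The single alert carries both views of the same address: the registry owner is the hosting company, while the reputation list names the VPN, which is the mismatch the original poster ran into.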