ngrok Accounts Now Require a Valid Payment Method to use TCP Endpoints

June 13, 2024
|
3
min read
Russ Savage

Starting today, ngrok requires a valid payment method in the form of a credit or debit card to be added to your account before you can use TCP endpoints. For free tier accounts, the card will not be charged, we are only using this as an additional verification step.

While we realize this may be frustrating to the users that rely on ngrok for remote access to their machines or gaming servers, it has become necessary due to bad actors attempting to leverage our platform for abusive malware campaigns. We are dedicated to making sure we can provide as much value in our free tier as possible, so we are hopeful this compromise will help us keep TCP available for free.

Ultimately, we decided to make this change in an effort to make the internet a safer place and to prevent abuse for everyone. We want to emphasize that your card will not be charged and will only be used to verify your identity. TCP endpoints will remain available on the free tier for all users with a valid payment method added to their accounts.

ngrok is being incorrectly flagged as malware

Since March 2024, we have seen a drastic increase in the number of reports that the ngrok agent is malicious and is being included in malware campaigns around the world. This has led to our ngrok agent binaries being flagged by antivirus companies as an indicator of compromise for a system. This leads to many companies mistaking the ngrok agent itself to be a malware tool, which it is not.

This has a ripple effect through our entire existing user base and also limits the adoption of ngrok for new users. 

Existing users who know and depend on the power of ngrok are unable to download and start the latest ngrok agents on their machines due to our software being automatically blocked by their antivirus tools. We have seen reports of the downloaded files immediately being deleted, or the binaries getting quarantined immediately when they are opened.

For new users to the platform, they are being incorrectly led to believe that our ngrok agent downloads are infected with a virus or malware, even though they are signed using public certificates.

While we have reached out to antivirus companies directly in an effort to mark these detections as false positives, since we release a new version of our software at least once a month, it has become a constantly moving target where even if we are successful in marking the detection as a false positive, that process has to start all over again every few weeks.

Steps we’ve taken to combat abuse at ngrok

We are constantly monitoring the usage of ngrok and looking for opportunities to keep bad actors off the platform while maintaining the ease of use that has helped ngrok grow to over 7 million developers.

First off, we have been signing all of our ngrok agent binaries with public certificates since version 3.1.0, which was released in September of 2022. As a user, you can verify that the binary you downloaded is not infected with a virus by looking at the certificate that was used to sign the software.

Starting in December 2023, we removed the ability to use ngrok without an account and over the past 6 months, we have also implemented a version support policy which explicitly blocks old less secure ngrok agents from connecting to the platform.

At the same time, we have implemented aggressive policies to block known bad signups to our platform from disposable domains and auto-generated emails. Every day we block thousands of signups to our platform in an effort to keep bad actors out.

In addition to this, we have ramped up our content scanning system to automatically ban accounts that are hosting phishing campaigns through ngrok. This has led to a significant reduction in the number of 3rd party reports of ngrok being used for phishing. We are also working with our payment provider to identify fraudulent credit cards and proactively block those users as well.

By moving TCP endpoints behind a valid payment method, we hope to reduce the likelihood that bad actors will use ngrok in their malware campaigns. We will be closely monitoring this change and look to add further restrictions if necessary. 

Abuse is constantly evolving, and we will continue to invest in fighting it

There are many other changes we’ve made over the years to combat abuse on our platform, and we will continue to invest in fighting to keep those bad actors out. We know that increasing the trust in the ngrok platform has a huge network effect for us and our users as they use and recommend our software to other developers. 

If you see ngrok being used for abuse, please let us know by sending the endpoint to abuse@ngrok.com so that we can take action as soon as possible. Reports to that email are handled in real time by a combination of humans and automation, and we aim to respond as quickly as possible. We can’t do this alone, so we are grateful for the amazing security community constantly on the lookout for bad actors on the internet.

Share this post
Russ Savage
Russ Savage is a Product Manager at ngrok & loves contributing to open-source projects. He was previously building developer tools and experiences at InfluxData
Product updates
TCP
Features
Production