Fake copy of NordVPN website spreads info-stealing banking trojan

Researchers discovered a clone of NordVPN site designed to deploy banking Trojan Win32.Bolik.2

Banking trojan Bolik being spread by the same unknown group on the copy of popular VPN site.

Hackers managed to create a fake copy of a popular VPN client site NordVPN to deliver a new and updated version of a known banking trojan.^[1] The same group of attackers that already breached a free multimedia editor VSDC to deliver banking malware, now changed their tactics to clone the website instead of using the legitimate page with malicious download links.^[2]

According to Dr.Web research team reports,^[3] the fake NordVPN site was launched on August 8th and already has drawn thousands of visitors to download the malware, which consequently resulted in sensitive data exposure.

To disguise the malicious background activity, hackers programmed the malicious payload to be installed together with a real copy of NordVPN. Unfortunately, what victims believe the be genuine installation, actually is a compilation of malware, which includes Win32.Bolik.2 banking Trojan alongside Trojan.PWS.Stealer.26645.

The version of the Bolik Trojan distributed with this campaign has more functions than the previous Win32.Bolik.1 variant that was delivered earlier this year, as experts explain:

The Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus. Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.

The VPN website cloned with all the identical features like colors and even a valid SSL certificate

Although the visual similarities are the most important when trying to trick people into visiting a cloned site and downloading the infected installer, this copy of a genuine NordVPN site incorporates much more than that. Alongside all the original site colors, over design, fonts, easily mistakable domain name nord-vpn.club, the cloned website also had a valid SSL certificate issued by open certificate authority Let's Encrypt.

All these features made the copy look like legitimate and reliable VPN client download site – it also allowed the deceive various web browser security checks and users' eyes. The site has been getting clicks, and many English-speaking users became victims of this data-stealing malware.^[4] According to researchers, such success can increase the rise of other cloned websites with similar purposes.

Possible red flags: features that the real NordVPN doesn't have

After many media reports, Head of Public Relations at NordVPN, Laura Tyrell stated that the company fell victim for scammer campaign. Such criminals love to impersonate trusted companies to gain financial profits or steal money and information, as well as infect users' PCs with malware. People should be aware of such tactics and take precautionary measures, as she noted:

Always double-check information if you have even the slightest suspicion. Also, never give out personal information that has no relation to our services or transfer your money via wiring service. If you have any doubt, always contact NordVPN through one of our official channels.

These are essential things to note in the future:

• The company only sells VPN client accounts on the official site. Legitimate accounts cannot be distributed on any other websites or stores.
• The official and core website is nordvpn.com, and any other redirects are not coming from the legitimate provider.
• Support team or any other representatives are not asking for passwords or sensitive information.
• Be aware that password change emails also may be fraudulent.
• All the official emails from the staff of the company come with @nordvpn.com, @nordvpnmedia.com, or @nordvpnbusiness.com.
• No company, including NordVPN, does not make phone calls or suggest to call such services via pop-ups or unofficial platforms and pages. Beware of tech support scams that may ask for your name, email addresses, or even payments.^[5]