1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Popular VPN site cloned to spread malware

By midian182 · 7 replies
Aug 21, 2019
Post New Reply
  1. Researchers at Doctor Web’s virus lab discovered that criminals created a website that was a copy of the one belonging to virtual private network service NordVPN. This nord-vpn[.]club website, which is currently inaccessible, was almost identical to the official nordvpn.com site.

    To make this cloned website appear more legitimate and help it pass browser security checks, it had a valid SSL certificate that was issued by open certificate authority Let’s Encrypt.

    Visitors to the fake website were prompted to download NordVPN's client. The real program was installed to avoid suspicion, but the the Win32.Bolik.2 banking Trojan was downloaded alongside it, infecting a user’s system.

    “The Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus. Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems,” the Doctor Web report explains.

    Earlier this year, the hacking group behind this campaign compromised the website of free video editor VSDC to distribute the same banking trojan.

    NordVPN's Head of Public Relations, Laura Tyrell, gave the following statement to Bleeping Computer.

    Online scammers love to pretend to be trusted companies when trying to fool their victims. Because NordVPN is such a widely trusted online security company, scammers pretend to be us as well. They do this to steal users’ money or infect their PCs with malware.

    Always double-check information if you have even the slightest suspicion. Also, never give out personal information that has no relation to our services or transfer your money via wiring service. If you have any doubt, always contact NordVPN through one of our official channels.

    What NordVPN won’t do:

    • NordVPN only sells accounts on its official website. We only sell legitimate NordVPN accounts on our official website: https://nordvpn.com/. NordVPN can also be found in certain retailers' stores, the list is provided on the NordVPN’s website: https://nordvpn.com/retail/.
    • NordVPN won't send you to the wrong website. Scammers use websites that look like NordVPN’s to scam internet users. The core part of NordVPN’s webpage URL will always be https://nordvpn.com/. The only exception to this rule will be for users buying NordVPN in high surveillance countries that block our core website. If you're not sure whether the website you're seeing is a legitimate NordVPN website, contact our support team.
    • NordVPN representatives will never ask for your password. If someone posing as a NordVPN representative tries to find out your password, they are scammers. Also, be aware of fake password change emails. You should never disclose your password to anyone.
    • NordVPN won't use sketchy email addresses. NordVPN official email ends with @nordvpn.com and sometimes @nordvpnmedia.com or @nordvpnbusiness.com. We do not send emails from addresses like nordvpn@gmail.com or nordvpn@nord.com. However, hackers can easily fake a legitimate email address. To avoid gettings fooled, always check whether the link in an email redirects to a legitimate NordVPN website with a URL starting with https://nordvpn.com/.
    • NordVPN does not make phone calls. NordVPN’s official means of communication are email, the support chat on our website, our official Twitter (@NordVPN), or our official Facebook page: https://www.facebook.com/NordVPN/. Do not trust connections outside of these communication tools.

    Image credit: Denys Prykhodov via Shutterstock

    Permalink to story.

    Last edited: Aug 21, 2019
  2. Uncle Al

    Uncle Al TS Evangelist Posts: 5,677   +4,024

    The really surprising part of this story is that NordVPN wasn't the one that caught them. Most of these sites have some pretty hefty claims about security but if they aren't checking their own security on a daily basis, just how secure are they? Duplication of sites certainly is not new, in fact, one institution I work with has a routine list of checks and balances they go over 4 times per 8-hour shift. I understand that many out there automate this process, but the human factor tends to pick up on the subtleties that the computers miss.
    PEnnn and jobeard like this.
  3. Cycloid Torus

    Cycloid Torus Stone age computing - click on the rock below.. Posts: 4,135   +1,218

    In order to do business, companies will have to 'watch their six'. Sophisticated attacks like this are beyond most users capability to identify and avoid. As fraud costs rise, expect credit card companies to lean on legitimate vendors to co-operate heavily in identifying and protecting actual business identities.
  4. Capaill

    Capaill TS Evangelist Posts: 942   +523

    "NordVPN won't use sketchy email addresses. NordVPN official email ends with @nordvpn.com and sometimes @nordvpnmedia.com or @nordvpnbusiness.com. We do not send emails from addresses like ... nordvpn@nord.com."
    I think the fact that they have 3 legitimate email addresses already compromises their security and makes it harder to identify a fake 4th one.
    VBKing, TeddyBallgame and zorven like this.
  5. PEnnn

    PEnnn TS Addict Posts: 141   +116

    "it had a valid SSL certificate that was issued by open certificate authority Let’s Encrypt."

    Well, the gods of VPN (and any self-respecting website) know who to trust now.
  6. slamscaper

    slamscaper TS Addict Posts: 259   +72

    You know, NordVPN's CyberSec feature completely blocks techspot.com for some reason. You guys may wanna get on that.
  7. RobJoy

    RobJoy TS Rookie

    The NordVPN connections themselves have military grade security, so yeah it is secure.
    Their web portal, is another technology entirely. This is not an antivirus company which you COULD berate, and it would be totally understandable.
  8. slamscaper

    slamscaper TS Addict Posts: 259   +72

    This is why you ALWAYS want to double check the URL's when you click on any links in a Google search. Bookmark sites you will frequent if you need to go there to update. Thankfully NordVPN updates on it's own, but you still may need to get to the proper site one day if you need to reinstall from scratch. Be careful. The hackers are literally a step ahead of security teams now and I can't remember a time when I could say this and mean it.

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...