Criminals deliver malware via fake NordVPN website

News by Rene Millman

Security researchers have warned of a new malware campaign that spreads a banking trojan by using fake websites of popular software. Hackers fool users with valid SSL certificate

Hackers are distributing the Win32.Bolik.2 banking Trojan by fooling users with a fake version of the NordVPN website according to a blog post by Dr. Web.  As with the original, it prompts users to download a program for using the VPN; but apart from the program itself, the fake authors distribute a dangerous banking trojan.

The fake website has the same design as the original but also sports a valid SSL certificate. Researchers said that the fake website was primarily targeted at English-speaking audiences and was launched on 8 August 2019.

"However, at the time this news was released, the malicious fake NordVPN website already had thousands of visits," said researchers.

They added that at the end of June this year, the same hacker group copied websites of office programs: invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com) and clipoffice[.]xyz (the original is crystaloffice[.]com), where the Win32.Bolik.2 trojan was distributed together with Trojan.PWS.Stealer.26645 malware.

Researchers said that the Bolik trojan has improved on a previous version and has the qualities of a multicomponent polymorphic file virus.

"Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems," said researchers.

Earlier this year Dr. Web researchers reported another malware campaign from the same hacker group in which they distributed Win32.Bolik.2 through a hacked video editing software website.

Tim Callan, senior fellow at Sectigo, told SC Media UK that when  completing any online transaction or engaging with email, look for the full company name at the left of the address bar to ensure the site is really part of the intended online business.

As for the trojan having an SSL already, the solution for businesses to ensure their customers do not fall victim to this type of attack lies specifically with Extended Validation SSL certificates, not just any of the other types.

The presence of EV influences consumers’ perception of a brand or company," Callan. "EV certificates are reliably authenticated using techniques that have proven effective through a decade of industry-wide use. EV is a powerful tool to protect consumers from phishing and communicates that an online business has elected to use premium security practices."

Paul Ducklin, senior technologist, Sophos, told SC Media UK that in the early days of phishing you could rely on really obvious telltales - bad spelling, poor web design, no HTTPS certificates and lots of other mistakes.

"Today, many crooks take more time over the details - so why don’t you? Don’t be in a hurry! Find your own way to websites instead of blindly following links, especially if you’re looking for software to download. Use an anti-virus that does web filtering as well as malware scanning. And watch out for emails that you didn’t want for offers that are to good to be true. When it comes to web security, a little patience goes a long way," he said.

In response to this article NordVPN sent an official statement to SC Media UK alerting users what it does and does not do, saying: "Online scammers love to pretend to be trusted companies when trying to fool their victims. Because NordVPN is such a widely trusted online security company, scammers pretend to be us as well. They do this to steal users’ money or infect their PCs with malware.
 
"Always double-check information if you have even the slightest suspicion. Also, never give out personal information that has no relation to our services or transfer your money via wiring service. If you have any doubt, always contact NordVPN through one of our official channels.

"What NordVPN won’t do:

"NordVPN only sells accounts on its official website. We only sell legitimate NordVPN accounts on our official website: https://nordvpn.com/. NordVPN can also be found in certain retailers' stores, the list is provided on the NordVPN’s website: https://nordvpn.com/retail/.

"NordVPN won't send you to the wrong website. Scammers use websites that look like NordVPN’s to scam internet users. The core part of NordVPN’s webpage URL will always be https://nordvpn.com/. The only exception to this rule will be for users buying NordVPN in high surveillance countries that block our core website. If you're not sure whether the website you're seeing is a legitimate NordVPN website, contact our support team.

"NordVPN representatives will never ask for your password. If someone posing as a NordVPN representative tries to find out your password, they are scammers. Also, be aware of fake password change emails. You should never disclose your password to anyone.

"NordVPN won't use sketchy email addresses. NordVPN official email ends with @nordvpn.com and sometimes @nordvpnmedia.com or @nordvpnbusiness.com. We do not send emails from addresses like nordvpn@gmail.com or nordvpn@nord.com. However, hackers can easily fake a legitimate email address. To avoid gettings fooled, always check whether the link in an email redirects to a legitimate NordVPN website with a URL starting with https://nordvpn.com/.

"NordVPN does not make phone calls. NordVPN’s official means of communication are email, the support chat on our website, our official Twitter (@NordVPN), or our official Facebook page: https://www.facebook.com/NordVPN/. Do not trust connections outside of these communication tools."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews