Cloned websites are a common way for hackers to trick unsuspecting internet users into downloading malicious software. Given how common the tactic is, it is perhaps surprising that, until now, no VPN website (that we are aware of) has been targeted.
The fake NordVPN[.]club domain
NordVPN is one of the most secure and reliable VPNs on the market so we would have been surprised if their official website had been compromised to this extent. But as it transpires, the hackers have instead set up a fake website using the URL nord-vpn[.]club.
NordVPN has since confirmed that this URL is absolutely nothing to do with them. But you wouldn’t know it if you visited (which we would strongly advise against).
The site is a carbon copy of the official NordVPN website. It even has a valid SSL certificate, which means it uses HTTPS encryption, although this was issued by open certificate authority Let’s Encrypt and we would expect premium VPNs to use something far more robust.
If you try to download a NordVPN app from this URL (again, please don’t) the NordVPN client will download onto your device. But so too will a particularly nasty trojan known as the Win32.Bolik.2 trojan.
The Win32.Bolik.2 trojan is an updated version of the Win32.Bolik.1 trojan which was first seen when the website of free multimedia editor VSDC was breached earlier this year.
That breach has since been fixed, but the trojan is back and, according to the researchers who spotted it, it is even nastier than before.
What the trojan can do
Ivan Korolev, the Doctor Web malware analyst who worked on the fake NordVPN site, told Bleeping Computer that the Win32.Bolik.2 trojan has the qualities of a multicomponent polymorphic file virus.
“Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems,” he explained.
His analysis suggests that it is primarily targeting English-speaking users in places like the UK, USA, Canada, and Australia. But he believes the hacker behind the trojan was able to make exceptions if the victim was believed to be valuable.
The fake site also appears to offer only a Windows version of the NordVPN app, which means users of other devices are probably OK.
The researchers also believe the attack first went live on August 8th, meaning the fake NordVPN domain has been live for almost two weeks. It is therefore conceivable that hundreds or even thousands of people could have been duped into downloading this malware.
What is NordVPN doing about it?
Responding to news of the fake site, NordVPN's Head of Public Relations Laura Tyrell said in a statement, “Online scammers love to pretend to be trusted companies when trying to fool their victims.”
“Because NordVPN is such a widely trusted online security company, scammers pretend to be us as well,” she added. “They do this to steal users’ money or infect their PCs with malware.”
The truth is that there isn’t a huge amount NordVPN can do about a fake version of its site. In this instance, they have started the process of having the fake site taken down, but by their own admission they cannot put a timeframe on how long that might take.
They have also blacklisted the site on their CyberSec feature which means existing NordVPN customers who have that feature enabled will be unable to visit the fake domain.
They stress that all NordVPN users and prospective customers should use only their official website URL. They also recommend downloading the NordVPN app only from that URL or from their usual app store.
Even in app stores, though, they recommend vigilance, stating that fake versions of the NordVPN app have been seen in both the Android and iOS app stores.
NordVPN suggests that you can check the SSL certificate of a domain if you are not sure if it is legit. They use an extended validation SSL certificate self-signed by Tefincom S.A. on their official .com domain. Compare another domain to that one and if they don’t match, that site is dodgy.
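As an added illustration of the certificate comparison NordVPN recommends (example code written for this page, not from the article or from NordVPN), the script below pulls a site's certificate with Python's standard ssl module and reports whether the subject organisation matches the one the article names for the official domain. The expected organisation name comes from the article; the two sample certificate dicts are constructed for offline testing and are not real certificate data.

```python
"""Check whether a site's TLS certificate names the organisation the official site uses."""
import socket
import ssl

# Organisation named in the article for the official nordvpn.com certificate.
EXPECTED_ORG = "Tefincom S.A."


def fetch_peer_cert(host, port=443, timeout=5):
    """Connect to host and return its certificate in SSLSocket.getpeercert() layout."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _field(rdn_seq, key):
    # getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple of (key, value).
    for rdn in rdn_seq:
        for k, v in rdn:
            if k == key:
                return v
    return None


def assess_cert(cert, expected_org=EXPECTED_ORG):
    """Return (verdict, reasons): 'match' when the subject organisation equals expected_org,
    otherwise 'mismatch'. A certificate with no organisation (domain-validated, as the
    article describes for the clone) is flagged explicitly."""
    subject_org = _field(cert.get("subject", ()), "organizationName")
    issuer_org = _field(cert.get("issuer", ()), "organizationName")
    reasons = []
    if subject_org is None:
        reasons.append("no organisation in subject: domain-validated certificate, "
                       "says nothing about who operates the site")
    elif subject_org != expected_org:
        reasons.append(f"subject organisation {subject_org!r} != expected {expected_org!r}")
    if issuer_org:
        reasons.append(f"issued by {issuer_org}")
    return ("match" if subject_org == expected_org else "mismatch"), reasons


# Constructed samples in getpeercert() layout (not captured from any real server).
OFFICIAL_SAMPLE = {
    "subject": ((("organizationName", "Tefincom S.A."),), (("commonName", "nordvpn.com"),)),
    "issuer": ((("organizationName", "Example EV CA (placeholder)"),),),
}
CLONE_SAMPLE = {
    "subject": ((("commonName", "nord-vpn.club"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
}

if __name__ == "__main__":
    for name, cert in (("official sample", OFFICIAL_SAMPLE), ("clone sample", CLONE_SAMPLE)):
        print(name, assess_cert(cert))
```

To check a live site, call `assess_cert(fetch_peer_cert("example.com"))`; the offline samples only show the shape of the comparison.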
Lastly, if you are in any doubt, always contact NordVPN customer support for advice. They are available around the clock and are always willing to help with any queries you may have.