Security researchers have identified a fake version of the ProtonVPN website which has been set up by hackers to spread a dangerous multi-purpose trojan. Evidence suggests that in this scam, the trojan is being used to steal cryptocurrency from infected devices.
The findings have been reported by the Russian security company Kaspersky. Kaspersky has endured some credibility issues of its own in recent times, not least because Kaspersky VPN was the only major VPN to comply with Russian state censorship demands.
But its online security operation is still active, and this latest discovery shows that it remains a key source for unravelling hacking operations that originate inside Russia.
This particular scam relates to a fake version of the ProtonVPN website. This website is indistinguishable from the real ProtonVPN website but has a different domain name.
The hackers have been spreading this website through online adverts that redirect users to the fake site. This is a type of scam that has become known in recent times as ‘malvertising’.
When users visit this fake site, they are prompted to download a free VPN installer. But when they download this file onto a Windows device, they are also downloading a trojan known as AZORult.
According to Kaspersky, AZORult is one of the most common trojan stealers to be found on Russian hacking forums. Its popularity is down to its wide range of capabilities.
AZORult is capable of stealing a huge amount of data including browser history, login credentials, cookies, files and folders, and crypto-wallet files. It can also be used as an installer to download other malware onto the device too.
What have these hackers been targeting?
With the fake ProtonVPN site, once it is downloaded, AZORult quickly copies environment information from its host device and sends it back to a server controlled by the hackers.
In most cases, the hackers are believed to have used this information to steal cryptocurrency stored locally in crypto-wallets on infected devices.
However, there is also some evidence that they have been accessing things like email credentials, browser information including cookies, and administrative information such as FTP logins and passwords from FileZilla.
Having discovered the fake site and trojan, Kaspersky’s researchers notified ProtonVPN immediately and also blocked access to the fake domain name on all their security tools. Having gone public with this information, it is believed that other security software providers have followed suit.
We have not shared the fake URL in this article for obvious reasons but have linked to the official ProtonVPN site. ProtonVPN themselves have also taken a number of steps to address the issue.
In a statement given to TechRadar, the CEO and Founder of ProtonVPN, Andy Yen, said, “In this case, it appears the fake app was designed to steal users’ information, specifically data regarding cryptocurrencies. Kaspersky blocked the fake website and informed us of the issue as soon as they discovered the malware.”
ProtonVPN has also issued a request for the fake domain to be taken down. At the time of writing, we believe this request is still being processed.
If you think you may have fallen victim to this hack, our best advice is to contact the ProtonVPN support staff immediately and they will be able to advise you on the best course of action. They have also published an online guide you can read here which contains further recommended advice.
The gist of this guide is to avoid downloading fake ProtonVPN and ProtonMail apps from your local app store. It doesn’t specifically address the issue of fake websites such as this one.
However, the guide does contain some useful advice on removing fake apps which is well worth a read.
Never download from unverified sources
The main lesson for readers from this particular scam is the importance of only ever downloading VPN apps from verifiable sources.
The growing popularity of VPNs around the world means that they are an increasingly popular target for hackers. Scams like this are simple and affordable to set up, and the returns for hackers can be large.
As Andy Yen emphasised in his statement, “This [case] underlines the importance of never downloading an app from an unofficial source. Before downloading an app, users should always double-check the website address, the app name and the app developer to make sure it’s genuine.”
When downloading a VPN app, you should always do so from either the official website of your VPN provider or from your official app store. Alternatively, you can use the links on our website, which are all legitimate and secure.
If you have any doubts about an app in your local app store, don’t take the risk. Check with your VPN provider before downloading.
This advice applies to all VPN providers, not just ProtonVPN. Any VPN can be targeted in this way and any website can be copied onto a fake domain name. Such a scam is not a reflection on ProtonVPN or any other provider. Instead, it should send out a warning to all VPN users.
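The “double-check the website address” advice above is easy to get wrong in practice, because a lookalike domain can contain the real provider’s name as a prefix or in the path. The following script is an added example, not code from the article, from ProtonVPN or from Kaspersky. It shows a defensive check a user or helpdesk could run before trusting a VPN installer: an exact-host (or subdomain) match against an assumed list of official domains, plus a SHA-256 comparison against the hash a vendor would publish next to its download. The official domain list and all sample URLs, hostnames and file bytes are assumptions or constructed values; the lookalike hosts use the reserved `.example` TLD.

```python
"""Two checks to run before trusting a downloaded VPN installer:
1. Is the download URL's hostname exactly an official domain, or a subdomain
   of one, rather than a lookalike that merely contains the provider's name?
2. Does the downloaded file's SHA-256 match the value the vendor published?

Example code added for this article. OFFICIAL_HOSTS, the sample URLs and the
sample installer bytes are assumptions / constructed values, not page data.
"""
import hashlib
from urllib.parse import urlsplit

# Assumption: the vendor's official download domain(s). Only these exact hosts
# or their subdomains are accepted; everything else is treated as untrusted.
OFFICIAL_HOSTS = frozenset({"protonvpn.com"})


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL with any port, userinfo and
    trailing dot removed. Malformed or scheme-less input yields ''."""
    host = urlsplit(url).hostname  # None when there is no network location
    return (host or "").lower().rstrip(".")


def is_official_host(url: str, official_hosts=OFFICIAL_HOSTS) -> bool:
    """True only if the URL's host is an official domain or a subdomain of it.

    A naive substring test ("protonvpn.com" in host) would accept a lookalike
    such as protonvpn.com.example; matching on a dot boundary does not.
    """
    host = host_of(url)
    if not host:
        return False
    return any(host == off or host.endswith("." + off) for off in official_hosts)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents, for comparison with a published hash."""
    return hashlib.sha256(data).hexdigest()


def installer_checks_out(url: str, data: bytes, published_sha256: str) -> dict:
    """Run both checks and report which one failed, if any."""
    result = {
        "host_ok": is_official_host(url),
        "hash_ok": sha256_hex(data) == published_sha256.lower(),
    }
    result["ok"] = result["host_ok"] and result["hash_ok"]
    return result


if __name__ == "__main__":
    # Constructed sample: treat this byte string as the installer and pretend
    # the official site published its SHA-256 next to the download link.
    GENUINE = b"constructed installer bytes for the demo\n"
    PUBLISHED = sha256_hex(GENUINE)

    for url in [
        "https://protonvpn.com/download",            # official (assumed)
        "https://account.protonvpn.com/download",    # subdomain of official
        "https://protonvpn.com.example/download",    # lookalike: real name as prefix
        "https://www.protonvpn.example/download",    # lookalike: different TLD
        "https://example.com/protonvpn.com/setup",   # real name only in the path
    ]:
        print(f"{url:45s} host_ok={is_official_host(url)}")

    print(installer_checks_out("https://protonvpn.com/download", GENUINE, PUBLISHED))
    # A single changed byte fails the hash check even though the host is fine.
    print(installer_checks_out("https://protonvpn.com/download", GENUINE + b"x", PUBLISHED))
```

The host check deliberately refuses anything it cannot parse as a URL with a network location, and the hash check is only as good as the place the expected value came from: a hash copied from the lookalike site itself proves nothing, so it must be read from the official domain that passes the first check.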