Hackers cloned NordVPN website to drop banking trojan

The malware campaign was discovered by Dr. Web detailing how hackers have been using Bolik banking trojan against unsuspected users.


If there is one reason consumers distrusted online marketplaces in the early days, it was the fear of “not getting what you see.” Although Amazon has done much to fill that trust gap, it goes without saying that black hat hackers have found new ways of scamming users.

In the latest case, Doctor Web has discovered hackers spreading malicious programs disguised as legitimate software, one of them being NordVPN.

The scheme is very simple. By creating a website that is an exact copy of NordVPN’s official site, the attackers trick users into believing they are browsing the legitimate site at nord-vpnclub. Users then download what appears to be the genuine client. The genuine program is indeed installed, but a banking trojan called Win32.Bolik.2 comes along with it.

See: Top 10 VPN Services For 2019

Fake NordVPN website (left) – Original NordVPN website (right).

An alarming aspect of these attacks is how little effort they require from attackers, which makes naive users easy prey. Instead of hacking a software company’s website and hijacking its download links, as they did with VSDC, attackers can simply host the malicious tools on cloned websites.

Moreover, a sense of urgency is created by displaying catchy offers that appear to expire soon. The current trojan, an improved version of its predecessor Win32.Bolik.1, can act as a keylogger, web injector and traffic interceptor, among other capabilities.

See: It’s Google.com, not ɢoogle.com

At the time of publishing this article, the cloned site was inaccessible, perhaps because Doctor Web notified the hosting providers on which the malicious sites were kept and they have since been taken down.

How can we protect ourselves amidst such threats?

Whenever you access a site, check its URL carefully to make sure it is spelled correctly. Never download executable files from unknown sources; stick to well-known websites that have demonstrated a strong commitment to user security in the past.

This applies not only to downloads: hackers have also been known to create clones of sites such as Facebook to steal credentials without the user ever downloading anything, so it is important to remain vigilant at all times.
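A defensive check of the kind the advice above describes, added here as an example that is not from the article or from Doctor Web: it flags hostnames that embed a trusted brand name (as nord-vpnclub does), differ from it by a one- or two-character typo, or use non-ASCII characters (as in the ɢoogle.com case linked above). The allow-list and the sample URLs are constructed for the demo.

```python
"""Flag hostnames that impersonate a short allow-list of trusted brands."""
from urllib.parse import urlsplit

# Constructed allow-list for this demo; a real deployment would list every
# domain a brand legitimately uses, so its own sites are not flagged.
TRUSTED = {"nordvpn.com", "google.com", "facebook.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_label(host: str) -> str:
    """Letters of every label except the TLD: 'nord-vpnclub.example' -> 'nordvpnclub'."""
    labels = host.strip(".").split(".")
    body = labels[:-1] if len(labels) > 1 else labels
    return "".join(ch for ch in "".join(body) if ch.isalpha())

def classify(url: str) -> str:
    """Return 'trusted', 'non-ascii-host', 'lookalike-of:<domain>' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    # Browsers display punycode (xn--) hosts decoded; decode so homoglyphs are visible.
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # host already contains non-ASCII characters
    labels = host.split(".")
    if ".".join(labels[-2:]) in TRUSTED:   # nordvpn.com, www.nordvpn.com, ...
        return "trusted"
    if any(ord(ch) > 127 for ch in host):
        return "non-ascii-host"            # e.g. ɢoogle.com: small-capital G is not 'g'
    label = brand_label(host)
    for trusted in sorted(TRUSTED):
        t = brand_label(trusted)
        if t in label or edit_distance(label, t) <= 2:
            return f"lookalike-of:{trusted}"
    return "unknown"

if __name__ == "__main__":
    for u in ("https://www.nordvpn.com/download", "https://nord-vpnclub.example/",
              "https://nordvpm.com/", "https://ɢoogle.com/", "https://example.org/"):
        print(u, "->", classify(u))
```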

Last but not least, use VirusTotal to scan suspicious links and files for free, and stay safe online!
