The malware campaign was discovered by Dr. Web, which detailed how hackers have been using the Bolik banking trojan against unsuspecting users.
If there's one reason consumers distrusted online marketplaces in the old days, it was "not getting what you see." Although Amazon has largely filled that trust gap, it goes without saying that black hat hackers have found new ways of scamming users.
The scheme that lures users in is very simple. The attackers created a near-identical clone of NordVPN's official website at nord-vpn[.]club, so visitors are tricked into believing they are browsing the legitimate site. They then download what is, in fact, the genuine NordVPN installer; the catch is that a banking trojan called Win32.Bolik.2 comes bundled along with it.
The hacker behind Bolik banker worm is back. This time the malware is distributed via fake sites pretending to be NordVPN, Invoicesoftware360 and Clipoffice.
— Ivan Korolev (@fe7ch) August 19, 2019
An alarming aspect of these kinds of attacks is that very little effort is required on the part of the attackers, which makes naive users easy prey. Instead of having to hack the websites of software companies and hijack their download links, as they did with VDSC, the attackers can simply place their malicious tools on cloned websites.
Moreover, the attackers create a sense of urgency by displaying catchy offers that appear to expire soon. The current trojan, an improved version of its predecessor Win32.Bolik.1, can act as a keylogger, web injector and traffic interceptor, among other capabilities.
At the time of publishing this article, the cloned site was inaccessible. This may be because Doctor Web notified the hosting providers on which the malicious sites were kept, and the sites have since been taken down.
How can we protect ourselves amidst such threats?
Whenever you access a site, check its URL carefully to make sure it is spelled correctly. Never download executable files from unknown sources; stick with well-known websites that have demonstrated a strong commitment to user security in the past.
This applies to more than just downloads. Hackers have also been known to create clones of sites such as Facebook to steal credentials without the user ever downloading anything, so it is important to remain vigilant at all times.
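The URL check described above can be automated for a list of brands you care about. The following is an added example, not code from Dr. Web or from this article: it undoes report-style defanging (such as `nord-vpn[.]club`), treats only an allowlisted domain or its subdomains as legitimate, and flags any other host that still contains the brand name once hyphens and dots are stripped. The `KNOWN_GOOD` allowlist and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: registrable domains of the brands
# whose clones we want to catch.
KNOWN_GOOD = {"nordvpn.com"}


def refang(text: str) -> str:
    """Undo the defanging used in threat reports, e.g. 'nord-vpn[.]club', 'hxxp://'."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def hostname_of(url: str) -> str:
    """Extract the lowercase hostname from a full URL or a bare domain."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def squash(text: str) -> str:
    """Strip separators so 'nord-vpn.club' and 'nordvpn' can be compared."""
    return re.sub(r"[-_.]", "", text)


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for the host in url.

    A host is legitimate only if it is an allowlisted domain or a subdomain
    of one. Anything else that still contains a brand token after separators
    are removed is flagged as a lookalike for review. This is deliberately
    over-inclusive: a few false positives are acceptable in a review queue.
    """
    host = hostname_of(url)
    if not host:
        return "unknown"
    for good in KNOWN_GOOD:
        if host == good or host.endswith("." + good):
            return "legitimate"
    brand_tokens = {squash(good.split(".")[0]) for good in KNOWN_GOOD}
    flattened = squash(host)
    if any(token in flattened for token in brand_tokens):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://nordvpn.com/download", "hxxp://nord-vpn[.]club/download",
                   "nordvpn.com.evil-host.example", "https://example.org"):
        print(f"{sample:40} -> {classify(sample)}")
```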
Last but not least, use VirusTotal to scan suspicious links and files for free, and stay safe online!