Fake VPN Website Delivers Banking Trojan


Researchers Discover Attackers Cloned NordVPN Site


Security researchers have uncovered a fake website for a VPN provider that’s designed to spread a banking Trojan that can steal credentials to bank accounts.


Researchers at the Russian security firm Doctor Web say the banking Trojan, which they call Win32.Bolik.2, is a modified version of the original Win32.Bolik.1 Trojan and is being spread by the same unknown hacker group.

“The Win32.Bolik.2 Trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus,” the researchers write. “Using this malware, hackers can perform web injections, traffic intercepts, key-logging and steal information from different bank client systems.”

The new campaign, which started on Aug. 8, is targeting mainly English-speaking victims by using a cloned website of NordVPN that prompts its visitors to download a program for a particular type of VPN software that contains the Trojan, Doctor Web reports. To make the fake website seem authentic, the fraudsters use a valid Secure Sockets Layer certificate that ensures a secure connection between a web server and a browser.

Another campaign in April using the same Trojan spread via the legitimate website for a video editing software package.

Although Doctor Web has not yet detected any data theft tied to the latest campaign, the company notes that the fake NordVPN website has been visited by thousands of users over the past several weeks.

Fake NordVPN website (Image: Doctor Web)

NordVPN is a widely used network security vendor for popular operating systems such as Microsoft Windows and Apple’s macOS. It has close to 12 million users across the world, according to the company’s official website.

Cloned Website

In creating the fake website, the attackers used a similar URL and copied the design of the original NordVPN website to make it appear genuine, according to the security firm.

A spokesperson for NordVPN tells Bleeping Computer that the company only sells its product through its https://nordvpn.com/ website and not through any other portals.

“The core part of NordVPN’s webpage URL will always be https://nordvpn.com/,” says spokesperson Laura Tyrell. “The only exception to this rule will be for users buying NordVPN in high surveillance countries that block our core website. If you’re not sure whether the website you’re seeing is a legitimate NordVPN website, contact our support team.”
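The spokesperson's rule can be turned into a simple verification step for a user or a help desk. The following is an added example, not code from the article or from NordVPN; the sample URLs are constructed (the .example top-level domain is reserved for documentation) and the real cloned address, which the article does not give, is not used.

```python
from urllib.parse import urlsplit

# The vendor says every legitimate URL has https://nordvpn.com/ as its core (quoted in the article).
LEGITIMATE_HOST = "nordvpn.com"


def is_legitimate_nordvpn_url(url: str) -> bool:
    """True only for HTTPS URLs whose host is nordvpn.com or one of its subdomains.

    The check is made on the parsed host component, so a copy of the real name
    placed in the path, the query or the userinfo part of the URL does not pass.
    A valid TLS certificate is deliberately not a criterion: the article notes
    the cloned site had one too.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False
    host = host.rstrip(".")  # "nordvpn.com." is the same name in fully-qualified form
    # Exact label comparison: a punycode (xn--) or Unicode lookalike host is a
    # different string from "nordvpn.com" and therefore fails here.
    return host == LEGITIMATE_HOST or host.endswith("." + LEGITIMATE_HOST)


def triage(urls):
    """Map each URL to 'legitimate' or 'suspicious' for a quick awareness-training check."""
    return {u: ("legitimate" if is_legitimate_nordvpn_url(u) else "suspicious") for u in urls}


# Constructed sample URLs; none of these is the real cloned site's address.
SAMPLE_URLS = [
    "https://nordvpn.com/",
    "https://nordvpn.com/download/",
    "https://NordVPN.com:443/",
    "http://nordvpn.com/",                     # plain HTTP: not the stated form
    "https://nordvpn.com.example/",            # real name as a leading label only
    "https://nordvpn.com@download.example/",   # real name in userinfo, host is elsewhere
    "https://download.example/nordvpn.com/",   # real name in the path
    "https://xn--nrdvpn-xxx.example/",         # punycode host, constructed string
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:10s} {url}")
```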

Capabilities of Bolik

The Doctor Web researchers found that Bolik 2 is a revised version of Bolik 1, with new capabilities to infect computer files and steal credentials.

In April, Doctor Web researchers reported that the Bolik 2 malware strain used the legitimate website for VSDC, a popular video editing software package, by replacing the link to download the software with JavaScript files, which then downloaded malware onto the victim’s systems.

The attackers used the malware to steal data from browsers, Microsoft accounts and other programs. While the malware campaign only lasted a day, it managed to affect 83 users, the security firm stated in a previous report.

Once the malicious campaign on the VSDC website was discovered, the attackers switched tactics and went looking for another website to clone, according to the researchers.

Rise in Banking Trojans

There has been a rise in attackers’ use of banking Trojans, with threat actors diversifying their tactics for stealing credentials and draining money from bank accounts.

According to a March report by Kaspersky Lab, more than 889,000 users were attacked by banking Trojans in 2018, up nearly 16 percent from 2017. Nearly a quarter of these attacks targeted corporate users, according to Kaspersky, which notes that most attacks targeted Russia, Germany, India, Vietnam, Italy, the U.S. and China.