Don't fall for fake NordVPN ads—how to avoid VPN scams

NordVPN running on an Android smartphone being held in one hand

Malwarebytes researcher Jérôme Segura recently uncovered a malicious ad campaign impersonating the popular NordVPN on Bing, the Microsoft-owned search engine. The ads redirected people to a fake website that looks almost identical to the provider's legitimate site, where the criminals tried to trick visitors into installing the SecTopRAT malware on their devices. It isn't clear how many people were actually infected.

So-called malvertising is the practice of delivering malware through online advertising, a lucrative activity that has already made its way to AI chatbots. To do so, attackers either pay for an ad campaign themselves or hijack someone else's. Google is the most abused search engine for malicious search ads, with Microsoft Bing the second-biggest target "due to its close ties to the Windows ecosystem and Edge browser," wrote Segura.

The latest NordVPN scam is not an isolated case involving a virtual private network app, either. Attackers keep impersonating the best VPN services in fake ads to take advantage of the public's growing interest in privacy-preserving software. With the stakes this high, I talked with the team at Nord about the danger of malicious VPN ads and how to avoid falling victim to these scams.

What's the danger of malvertising?

"Malvertising is neither new nor somehow specific to the VPN industry. Malicious actors will use all popular and reputable brands to stage malware attacks," Laura Tyrylytė, Head of Public Relations at Nord Security, told me.

However, there have been many incidents where cybercriminals have turned to the world of VPNs to launch their attacks. NordVPN, for instance, is a recurring target. In 2020, its security team worked on taking down a similar fake website that was distributing malware under the NordVPN name.

A year later, researchers at Zscaler ThreatLabZ found that cybercriminals were using malicious VPN apps masquerading as popular providers like NordVPN, Hotspot Shield, and F-Secure Freedome VPN to distribute the Raccoon infostealer.

"Threat actors have shifted their tactics, techniques, and procedures (TTPs) to target VPN users over the past year, taking advantage of the increase in remote work and the popularity of VPN applications," the report reads.

Short for virtual private network, a VPN is security software that encrypts the data leaving your device and masks your IP address by routing your traffic through the provider's server. Some providers, like NordVPN, bundle additional protection such as antivirus, anti-malware and ad blocking.

If you're downloading such an app, there's a fair chance you don't yet have security protections installed on your machine, which makes you more vulnerable to attack. Criminals know that, so impersonating a VPN provider's website is a natural choice for malvertisers.

Cybercriminals may compromise your device to steal your data, deploy ransomware, commit identity fraud and more. Even spyware makers have used online banner ads to deliver surveillance tools on behalf of governments, TechCrunch reported.

While cybercriminals' actions are somewhat predictable, the most popular search engines on the market seemingly cannot keep up with this worrying trend. According to Tyrylytė, that's because the likes of Google and Bing do not allocate sufficient resources to police ads for malicious websites and applications.

Take the latest fake ad impersonating NordVPN. The malicious advertiser captured traffic from Bing searches for the brand and redirected users to a cloned scam site. Yet the URL shown in the ad snippet carried clear warning signs: NordVPN was misspelled, and the domain had been registered only a day earlier.

"[The search engine] is basically allowed to bid on any brand as a keyword without overlooking potentially harmful activities," Tyrylytė told me, adding that search engines should prevent these malicious websites from appearing as ads before causing harm to internet users.

Asked whether the company is worried that such malvertising campaigns could damage Nord's reputation as a security firm, Tyrylytė said they are more concerned about the privacy and security of the people falling for these scams. "That's why we put our efforts into educating our users and partners about malvertising attacks," she added.

How not to fall victim to malicious ads

Malvertising is a lucrative and effective playground for cybercriminals, and the illicit industry keeps growing. As with phishing, new technologies have made crafting attacks easier and quicker. All this means we must learn to navigate an infested digital world without drowning in malware.

The good news is that, however credible a fake ad looks, you can always spot a scam. In the NordVPN fake ad, for instance, the domain was misspelled as nordivpn[.]xyz, whereas the provider uses only https://nordvpn.com/, https://support.nordvpn.com/ and https://nordvpn.org/ as its website domains. Checking both the domain name and its ending (the top-level domain) for mistakes is an easy way to verify whether a website is legit. Note that the brand name merely appearing somewhere in the address is not enough: it has to be the registered domain itself, not a subdomain hanging off an unrelated one.
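One way to turn that domain check into code, as an added example that is not part of the original article or of NordVPN's own tooling: the Python script below takes the official domains the article lists as an allowlist, accepts only those domains and their subdomains, and flags anything within a couple of character edits of the brand name as a lookalike. The function names, the two-edit threshold and the sample URLs are assumptions made for illustration. It also goes beyond the article's single case and covers two further tricks a practitioner should expect: the brand used as a subdomain of an unrelated domain, and the brand placed in the username part of the URL.

```python
"""Sanity-check a download URL against a brand's official domains.

Added example, not code from the original article or from NordVPN.
The allowlist comes from the article's list of official NordVPN domains;
the function names, the distance threshold and the sample URLs are
constructed for illustration.
"""
from urllib.parse import urlsplit

# Registrable domains the article names as NordVPN's own. Any subdomain
# (support.nordvpn.com) is accepted; anything else is not.
OFFICIAL_DOMAINS = ("nordvpn.com", "nordvpn.org")


def hostname_of(url: str) -> str:
    """Return the normalised hostname of *url* ('' if it has none).

    urlsplit() discards userinfo and the port, so the classic
    'https://nordvpn.com@evil.xyz/' trick yields 'evil.xyz'. A bare
    'nordivpn.xyz/get' (no scheme) is treated as https.
    """
    if "//" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    host = host.lower().rstrip(".")
    try:
        # Decode punycode labels so xn-- lookalikes are compared as Unicode.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode (or malformed); compare as-is
    return host


def is_official(host: str, official: tuple[str, ...] = OFFICIAL_DOMAINS) -> bool:
    """True only for an official domain or a subdomain of one.

    Matching is anchored at the right with a dot boundary, so both
    'nordvpn.com.evil.xyz' and 'notnordvpn.com' are rejected.
    """
    return any(host == d or host.endswith("." + d) for d in official)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typosquatter's sweet spot."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, official: tuple[str, ...] = OFFICIAL_DOMAINS,
             max_dist: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a URL.

    A lookalike is any non-official host in which some label (TLD excluded)
    is within *max_dist* edits of an official brand label. This catches
    nordivpn.xyz (one insertion), a Cyrillic 'о' in nordvpn.com (one
    substitution) and nordvpn.com.evil.xyz (exact brand label, wrong
    registered domain).
    """
    host = hostname_of(url)
    if not host:
        return "unrelated"
    if is_official(host, official):
        return "official"
    brands = {d.split(".")[0] for d in official}
    labels = host.split(".")[:-1]  # drop the TLD
    if any(edit_distance(lbl, b) <= max_dist for lbl in labels for b in brands):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs: two genuine, the article's scam domain, and
    # three further tricks a practitioner should expect.
    samples = [
        "https://nordvpn.com/download/",
        "https://support.nordvpn.com/",
        "https://nordivpn.xyz/download",          # the misspelling from the article
        "https://nordvpn.com.evil.xyz/",          # brand as a subdomain of a stranger's domain
        "https://nordvpn.com@evil.xyz/download",  # brand hidden in the userinfo part
        "https://n\u043erdvpn.com/",              # Cyrillic 'о' homoglyph
    ]
    for u in samples:
        print(f"{classify(u):10} {u}")
```

The allowlist is the only trustworthy input here: the edit-distance heuristic exists to raise a warning, never to approve a domain, so a host that is not on the allowlist is treated as untrusted even when no lookalike is detected.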

Another element to be wary of, according to Tyrylytė, is shortened URLs. "We observe links with suspicious elements hidden under a URL shortener, making them harder to distinguish from legitimate websites," she said. You should always check the security of these links with a tool like Link Checker, a manual URL-checking tool that scans websites for different types of malware.

Did you know?

Currently at the top of our best VPN chart, NordVPN comes as an all-inclusive security suite offering everything from malware protection and ad blocking to cyber insurance for identity theft and fraud. Check out our in-depth NordVPN review to know more.

Domain age can reveal a scam website, too. The malicious NordVPN domain, for instance, was registered on April 3, 2024, one day before Segura disclosed the malvertising campaign. Scam sites also tend to list only generic email accounts or no contact details at all, so check that information as well before pressing the download button.

Tyrylytė also recommends looking for a secure connection sign on your web browser bar. She said: "When the site is secure, a padlock sign will appear next to the URL, or the address will be highlighted green. Next to the poorly encrypted scam websites, you will not find such a sign, and in some cases, you will see a 'Not secure' notice."

As a rule of thumb, you should always download applications from trusted online app stores or, alternatively, directly from the product's official website.

Using an ad blocker is an easy way around this, too. Such a tool hides ads, sponsored search results included, from displaying in your browser, and because it blocks the requests that fetch them, it also stops the ad network's code from loading in the first place.

Commenting on the NordVPN efforts against malvertising, Tyrylytė said: "We constantly monitor various platforms to catch malicious ads as quickly as possible. Once we notice that the NordVPN brand is used in a malvertising campaign, we immediately report it to Google or Microsoft to take it down. Unfortunately, without the efforts of the platforms themselves, it's not possible to catch all malicious ads within a satisfactory time frame."

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com