Skip to main content

Fake VPN website delivers malware

(Image credit: Shutterstock)
Audio player loading…

Criminals are cloning the website of popular VPN software to try and trick users into downloading malware.

According to new research, the cybercriminals responsible for breaching and utilizing the website of the free video editor VSDC to distribute malware have begun to create fake websites to accomplish the same goal.

Previously the group hacked legitimate websites to use their download links to spread malware but now they have turned to cloning websites to deliver the Win32.Bolik.2 banking Trojan to the devices of unsuspecting users.

The cybercriminals have created a perfect clone of NordVPN's website to trick users into downloading the Win32.Bolik.2 banking Trojan which was discovered by researchers at Doctor Web.

In addition to being an almost exact copy of the company's website, the cloned website even has a valid SSL certificate issued by the open certificate authority Let's Encrypt. This helps the fake website appear more legitimate while also allowing it to bypass browser security checks.

Cloned websites

In a blog post announcing their discovery, Doctor Web's researchers explained what the Win32.Bolik.2 banking Trojan is capable of after being installed on a user's device, saying:

“The Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus. Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.”

The cybercriminals behind this malicious campaign are focusing on English-speaking targets and thousands of users have already visited the fake NordVPN website according to the researchers.

Upon visiting the cloned site, users are prompted to download the NordVPN client just as they would be on the legitimate site. To avoid arousing suspicion, the fake site installs the actual VPN client but also leaves the Win32.Bolik.2 banking Trojan on a user's system as well.

As the group's tactics have been successful so far, expect to see other similar cloned sites being utilized to infect user's systems with malware in the future.

  • We've also highlighted the best VPN services of 2019

Via Bleeping Computer

After getting his start at ITProPortal while living in South Korea, Anthony now writes about cybersecurity, web hosting, cloud services, VPNs and software for TechRadar Pro. In addition to writing the news, he also edits and uploads reviews and features and tests numerous VPNs from his home in Houston, Texas. Recently, Anthony has taken a closer look at standing desks, office chairs and all sorts of other work from home essentials. When not working, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.