Account Takeover Fraud , Cybercrime , Fraud Management & Cybercrime

Fake VPN Website Delivers Banking Trojan

Reseachers Discover Attackers Cloned NordVPN Site
Fake VPN Website Delivers Banking Trojan

Security researchers have uncovered a fake website for a VPN provider that’s designed to spread a banking Trojan that can steal credentials to bank accounts.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Reseachers at the Russian security firm Doctor Web say the banking Trojan, which they call Win32.Bolik.2, is a modified version of the original Win32.Bolik.1 Trojan and is being spread by the same unknown hacker group.

"The Win32.Bolik.2 Trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus," the researchers write. "Using this malware, hackers can perform web injections, traffic intercepts, key-logging and steal information from different bank client systems."

The new campaign, which started on Aug. 8, is targeting mainly English-speaking victims by using a cloned website of NordVPN that prompts its visitors to download a program for a particular type of VPN software that contains the Trojan, Doctor Web reports. To make the fake website seem authentic, the fraudsters use a valid Secure Sockets Layer certificate that ensures a secure connection between a web server and a browser.

Another campaign in April using the same Trojan spread via the legitimate website for a video editing software package.

Although Doctor Web has not yet detected any data theft tied to the latest campaign, the company notes that the fake NordVPN website has been visited by thousands of users over the past several weeks.

Fake NordVPN website (Image: Doctor Web)

NordVPN is a widely used network security vendor for popular operating systems such as Microsoft Windows and Apple's macOS. It has close to 12 million users across the world, according to company's official website.

Cloned Website

In creating the fake website, the attackers used a similar URL and copied the design of the original NordVPN website to make it appear genuine, according to the security firm.

A spokesperson for NordVPN tells Bleeping Computer that the company only sells its product through its https://nordvpn.com/ website and not through any other portals.

"The core part of NordVPN's webpage URL will always be https://nordvpn.com/," says spokesperson Laura Tyrell. "The only exception to this rule will be for users buying NordVPN in high surveillance countries that block our core website. If you're not sure whether the website you're seeing is a legitimate NordVPN website, contact our support team."

Capabilities of Bolik

The Doctor Web researchers found that Bolik 2 is a revised version of Bolik 1, with new capabilities to infect computer files and steal credentials.

In April, Doctor Web researchers reported that the Bolik 2 malware strain used the legitimate website for VSDC, a popular video editing software package, by replacing the link to download the software with JavaScript files, which then downloaded malware onto the victim's systems.

The attackers used the malware to steal data from browsers, Microsoft accounts and other programs. While the malware campaign only lasted a day, it managed to affected 83 users, the security firm stated in a previous report .

Once the malicious campaign on the VSDC website was discovered, the attackers switched tactics and went looking for another website to clone, according to the researchers.

Rise in Banking Trojans

There has been a rise in attackers’ use of banking Trojans, with threat actors diversifying their tactics for stealing credentials and grabbing money extraction from bank accounts.

According to a March report by Kaspersky Lab, more than 889,000 users were attacked by banking Trojans in 2018, up nearly 16 percent from 2017. Nearly a quarter of these attacks targeted corporate users, according to Kaspersky, which notes that most attacks targeted Russia, Germany, India, Vietnam, Italy, the U.S. and China.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.