You’d think that downloading software from legitimate sites would keep you safe from accidentally downloading malware. That only holds if you’re very sure that you’re on the correct website, especially now that cyber criminals are making perfect clones of legitimate sites. A clone of NordVPN’s site was discovered to be spreading the Win32.Bolik.2 banking Trojan.
Researchers from Dr.Web discovered that the cloned website was so perfect that it even came with a valid SSL certificate. This means your browser won’t show a certificate warning or try to lock you out of the site. A valid certificate only shows that the connection to the domain you typed or clicked is encrypted, not that the domain belongs to NordVPN. The researchers also say that thousands of users have already visited the fake NordVPN site.
Upon landing on the fake site, users are prompted to download NordVPN, just like on the actual site. To keep up the pretense of legitimacy, the clone installs the real NordVPN client, but bundles the Trojan as part of the download. The Trojan itself can allow hackers to perform web injections, traffic interception and keylogging, among other choice methods of stealing your banking information.
Considering the cyber criminals got thousands of people to visit the fake site, it looks like a fairly effective tactic for duping unsuspecting users. With that in mind, chances are the hackers will clone more sites in the future. The same group has previously hijacked the download link of a legitimate video editing software website.