As such, attacks have become more covert. Instead of directly asking the user to download a file or click a link, they attempt to hide the infection as much as possible for a higher success rate. One way to do this is to make a direct copy of a popular website and have everything run “as normal,” albeit with some hidden malware lurking within.

The Case of NordVPN

Recently, we saw an example of this with NordVPN. Scammers managed to replicate NordVPN’s website very faithfully to the point where people could easily mistake it for the real thing.

The scammers then added a download link to a functioning copy of NordVPN. This copy was laced with a banking trojan that silently installed itself when the user downloaded NordVPN. If a user wasn’t careful, they would think they had simply downloaded and installed a legitimate copy of NordVPN, not knowing of the trojan set up to steal their banking details. To make their fake website more genuine-looking, the scammers attached a valid SSL certificate from Let’s Encrypt into the website. This encrypted the website’s communications and made it appear to be more real. There was one aspect the scammers couldn’t hide, however. While the legitimate website for Nord VPN is https://nordvpn.com, the scammer’s URL was nord-vpn(dot)club. This was the only weakness to the attack, which was easy to overlook for people not paying attention to the URL.

How Did the Fake Site Spread?

It’s not documented how the fake website got around the internet. The scammers probably didn’t rely on Google search to give them traffic, as the legitimate Nord VPN would take priority on the search results.

As such, the scammers may have had to directly link their website to users. This includes replying to forum threads with the link, sending it in emails, or perhaps even setting up fake advertisements for it.

How Do You Avoid These Scams?

There’s a lot you can do to avoid being caught by these scams. Thankfully, in Nord VPN’s discussion with Bleeping Computer on the subject, they laid out everything you need to know about these attacks:

NordVPN only sells accounts on its official website. They only sell legitimate NordVPN accounts on their official website: https://nordvpn.com/. NordVPN can also be found in certain retailers’ stores; the list is provided on the NordVPN’s website: https://nordvpn.com/retail/ NordVPN won’t send you to the wrong website. Scammers use websites that look like NordVPN’s to scam Internet users. The core part of NordVPN’s webpage URL will always be https://nordvpn.com/. The only exception to this rule will be for users buying NordVPN in high surveillance countries that block our core website. If you’re not sure whether the website you’re seeing is a legitimate NordVPN website, contact their support team. NordVPN representatives will never ask for your password. If someone posing as a NordVPN representative tries to find out your password, they are scammers. Also, be aware of fake password change emails. You should never disclose your password to anyone. NordVPN won’t use sketchy email addresses. Official NordVPN email ends with “@nordvpn.com” and sometimes “@nordvpnmedia.com” or “@nordvpnbusiness.com.” They do not send emails from addresses like “nordvpn@gmail.com” or “nordvpn@nord.com.” However, hackers can easily fake a legitimate email address. To avoid getting fooled, always check whether the link in an email redirects to a legitimate NordVPN website with a URL starting with https://nordvpn.com/. NordVPN does not make phone calls. NordVPN’s official means of communication are email, the support chat on their website, their official Twitter (@NordVPN), or their official Facebook page: https://www.facebook.com/NordVPN/. Do not trust connections outside of these communication tools.

Faking Out the Fakes

Fake websites can be very convincing if you’re not paying full attention. Thankfully, there are usually telltale hints to tip you off that a website is a clone designed to trick you. Has a fake website or link tricked you (or come close to that) in the past? Tell us your stories below!