Your IP: Unknown · Your Status: Protected
Unprotected
Unknown

A scam impersonating NordVPN you need to know about

NordVPN’s security team has been made aware of a scam website that has been impersonating our company in an effort to infect victims with malware. While they work on taking the site down, we’d like to help users stay secure by explaining what’s going on.

Daniel Markuson

Daniel Markuson

Dec 13, 2020 · 6 min read

A scam impersonating NordVPN you need to know about

How the scam works

The scammers have built a replica of our site on the url nord-vpn[.]club (we've inserted the brackets to avoid posting the actual URL). This is not a legitimate URL and we do not use it to conduct business.

The site offers a download of what it claims is our Windows app. In addition to the app, however, users will also be downloading a virus – specifically, the “Win32.Bolik.2 trojan” virus.

“Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.” – These insights are from Dr. Web, the team of anti-virus developers who first reported the scam (thank you for your vigilance!).

This means that the virus can monitor virtually anything you do online and steal your online banking information. Under no circumstances should users download the app from this site or even visit it.

What we’re doing to fight this scam

Our team has already taken a few specific steps to eliminate this scam:

  • We are working to get it taken offline. Unfortunately, we aren’t sure when the site will be taken offline because it doesn’t depend entirely on us. However, we’ve already begun the process. In fact, the initial version has been taken down and our team is now monitoring the situation just in case it pops up again.
  • The site has been blacklisted by our CyberSec feature. NordVPN users who turn on our optional CyberSec feature will be unable to visit the site in question. CyberSec works by blacklisting malicious websites and preventing users from visiting them when users turn it on. Because this change was implemented relatively recently, it may take a few hours for our CyberSec blacklist to be updated globally for all of our users.

If you don't already have NordVPN, you can download the app here to better protect yourself against malicious websites.

Update (September 10th): This site has been taken down and our security team is on the lookout for other versions. However, we can't guarantee that these or other scammers won't try the same attack in the future. Therefore, read on to learn how to identify and protect yourself from these attacks.

How to protect yourself from similar scams

It’s easy to tell if you’re on NordVPN’s legitimate website. Here’s our real url:

NordVPN's real URL

Here’s the fake scam URL:

The fake NordVPN URL

Our blog has tons of advice on how to identify scams so you don’t become a victim. However, here are some specific tips for this case:

  • Always check the URL. Any user who always checks the URL of the website they’re on will be far more likely to see right through this scam. The URL has been carefully selected to resemble ours, but it’s not. The only time we don’t conduct business on a URL based on nordvpn.com is in countries that block our core website. We use other legitimate URLs in those countries so users can download our apps. If you're not sure whether the website you're on is a legitimate NordVPN website, contact our support team.
  • HTTPS ensures a basic level of security, but not legitimacy. HTTP sites are less secure and can often be a telltale sign of a scam. These scammers, however, have HTTPS enabled on their site, which provides a basic level of encryption and can fool victims into a false sense of security. Fortunately, the HTTPS certificate is not the same as the one on NordVPN’s website. You can click on the lock icon next to the URL when browsing our website to inspect our HTTPS certificate. We use an extended validation SSL certificate self-signed by Tefincom S.A. Then, you can compare this to the certificate of any website that claims to represent us but has a questionable URL. They won’t be the same.

What NordVPN representatives WON'T do:

  1. NordVPN representatives will never ask for your password.
  2. If someone posing as a NordVPN representative tries to find out your password, they are probably scammers. You should never disclose it to anyone. Also, be aware of fake password change emails. This is a more advanced type of scamming that makes you change your password on a malicious website (usually designed to look like our website). The scammer operating the website sees your password and uses it for their purposes.

    You can use your email to log into your account on NordVPN’s website to do the following:

    • get special deals and offers;
    • change your password;
    • change your payment method;
    • update your credit card info;
    • cancel your auto-payment;
    • extend your (manual) subscription.

    At this point, it would also be smart to familiarize yourself with other common scams so you can stay safe.

  3. NordVPN won't send you to the wrong website.
  4. Scammers use websites that look like NordVPN’s to scam our users.

    The core part of NordVPN’s webpage URL will always be https://nordvpn.com/.

    The only exception to this rule will be for users buying NordVPN in countries that block our core website. Users in those countries may be provided with other legitimate URLs where they can purchase official NordVPN subscriptions. If you're not sure whether the website you're seeing is a legitimate NordVPN website, contact our support team.

  5. NordVPN does not make phone calls.
  6. NordVPN’s official means of communication are email, the support chat on our website, our official Twitter (@NordVPN), or our official Facebook page. NordVPN does not call people by phone and our representatives do not use private social media accounts to contact users. Do not trust connections outside of these communication tools.

  7. NordVPN won't use sketchy email addresses.
  8. NordVPN official email ends with @nordvpn.com and sometimes @nordvpnmedia.com or @nordvpnbusiness.com. We do not send emails from addresses like nordvpn@gmail.com or nordvpn@nord.com.

    Moreover, faking a legitimate address is easy, too. Hackers can use readily available online tools like http://deadfake.com/ or http://anonymailer.net. More sophisticated scammers can fake an address by using Unix or PHP command lines. Below is an example of a fake NordVPN email I created with Anonymailer. As you see, Gmail service warns you that the email is suspicious, and so will most other dependable email providers. Always look for similar warning signs and ignore emails if they trip these warnings.

    email warning signs

    The look of the email can also be easily faked by using various photo editing tools. As a result, you might get an email that looks totally legit to the naked eye. To avoid gettings fooled, always check whether the link in an email redirects to a legitimate NordVPN website with a URL starting with https://nordvpn.com/. Do not trust any other suspicious links, even if they might look very similar to a legitimate one.

    Take a look at another couple of examples. In the first one, we see a dodgy email address never used by NordVPN employees. It is an obvious scam email.

    Nordvpn scam email

    Here is a legitimate email. You might get this one if you forgot your password:

    Nordvpn legit email

    Wonder where scammers got your email from? It's easy for scammers to get your email address from any one of the hundreds of massive breaches that happen every year. You can check whether your email has been leaked here.

How to contact an official NordVPN representative:

How to make sure your NordVPN app is legit

  • Download it from your app store. If you simply search for “NordVPN” on your device’s app store, the first result is likely to be ours. This isn’t a perfect rule, as the Android and iOS app stores do have fake versions of our apps. However, our team regularly checks them for fakes and reports them. Our legitimate app will also have more downloads and reviews than any of these fake apps. This does not apply for the Windows or Linux apps, which are not offered on their regular app stores.
  • NordVPN app store
  • Download it from our website. This goes back to the “check the URL” rule. If you download a side-loaded version of the app or one for a platform whose app store we don’t use, make sure it’s from us. You can find our legitimate downloads here. Just keep in mind that there are lots of stolen NordVPN subscriptions or their trial versions being sold by third-parties on Ebay and other sites. The prices, lower than NordVPN’s already affordable rates, are too good to be true: even the best VPN prices aren't as low as these. If you buy a stolen account, you don’t actually own it, so you can easily be defrauded and there’s nothing you can do about it. Read about it more in-depth here.
  • Contact our support team via email. Users in restrictive countries may not be able to access our core website or their app stores. We offer many ways to contact support, but if you’re in doubt about whether the website you’re looking at is legit, your best bet is to contact us by email at support@nordvpn.com. They can provide you with a legitimate copy of the app of your choice or help you with checking the digital signature for any NordVPN apps you’ve downloaded.