NordVPN’s security team has been made aware of a scam website that has been impersonating our company in an effort to infect victims with malware. While they work on taking the site down, we’d like to help users stay secure by explaining what’s going on.
Dec 13, 2020 · 6 min read
The scammers have built a replica of our site on the url nord-vpn[.]club (we've inserted the brackets to avoid posting the actual URL). This is not a legitimate URL and we do not use it to conduct business.
The site offers a download of what it claims is our Windows app. In addition to the app, however, users will also be downloading a virus – specifically, the “Win32.Bolik.2 trojan” virus.
“Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.” – These insights are from Dr. Web, the team of anti-virus developers who first reported the scam (thank you for your vigilance!).
This means that the virus can monitor virtually anything you do online and steal your online banking information. Under no circumstances should users download the app from this site or even visit it.
Our team has already taken a few specific steps to eliminate this scam:
If you don't already have NordVPN, you can download the app here to better protect yourself against malicious websites.
Update (September 10th): This site has been taken down and our security team is on the lookout for other versions. However, we can't guarantee that these or other scammers won't try the same attack in the future. Therefore, read on to learn how to identify and protect yourself from these attacks.
It’s easy to tell if you’re on NordVPN’s legitimate website. Here’s our real url:
Here’s the fake scam URL:
Our blog has tons of advice on how to identify scams so you don’t become a victim. However, here are some specific tips for this case:
If someone posing as a NordVPN representative tries to find out your password, they are probably scammers. You should never disclose it to anyone. Also, be aware of fake password change emails. This is a more advanced type of scamming that makes you change your password on a malicious website (usually designed to look like our website). The scammer operating the website sees your password and uses it for their purposes.
You can use your email to log into your account on NordVPN’s website to do the following:
At this point, it would also be smart to familiarize yourself with other common scams so you can stay safe.
Scammers use websites that look like NordVPN’s to scam our users.
The core part of NordVPN’s webpage URL will always be https://nordvpn.com/.
The only exception to this rule will be for users buying NordVPN in countries that block our core website. Users in those countries may be provided with other legitimate URLs where they can purchase official NordVPN subscriptions. If you're not sure whether the website you're seeing is a legitimate NordVPN website, contact our support team.
NordVPN’s official means of communication are email, the support chat on our website, our official Twitter (@NordVPN), or our official Facebook page. NordVPN does not call people by phone and our representatives do not use private social media accounts to contact users. Do not trust connections outside of these communication tools.
NordVPN official email ends with @nordvpn.com and sometimes @nordvpnmedia.com or @nordvpnbusiness.com. We do not send emails from addresses like email@example.com or firstname.lastname@example.org.
Moreover, faking a legitimate address is easy, too. Hackers can use readily available online tools like http://deadfake.com/ or http://anonymailer.net. More sophisticated scammers can fake an address by using Unix or PHP command lines. Below is an example of a fake NordVPN email I created with Anonymailer. As you see, Gmail service warns you that the email is suspicious, and so will most other dependable email providers. Always look for similar warning signs and ignore emails if they trip these warnings.
The look of the email can also be easily faked by using various photo editing tools. As a result, you might get an email that looks totally legit to the naked eye. To avoid gettings fooled, always check whether the link in an email redirects to a legitimate NordVPN website with a URL starting with https://nordvpn.com/. Do not trust any other suspicious links, even if they might look very similar to a legitimate one.
Take a look at another couple of examples. In the first one, we see a dodgy email address never used by NordVPN employees. It is an obvious scam email.
Here is a legitimate email. You might get this one if you forgot your password:
Wonder where scammers got your email from? It's easy for scammers to get your email address from any one of the hundreds of massive breaches that happen every year. You can check whether your email has been leaked here.
Want to read more like this?
Get the latest news and tips from NordVPN.