In April of this year, Malwarebytes researcher Jerome Segura discovered malicious advertising in the Bing search engine that impersonated the popular NordVPN service. The attackers redirected users to a fake website that was completely copied from the service's official website.
The goal of the cybercriminals was to trick users into installing the SecTopRAT malware on their devices. It is currently unknown how many attacks were successful.
In this article, we will talk about how scammers use malicious advertising and VPN networks to attack users and advertisers, and whether it is possible to protect yourself from them.
Contents
1. A problem for the digital industry
2. Scammers' tactics
3. The dangers of malvertising and VPN fraud
4. VPN problem and IP blocking
5. How to Avoid Being a Victim of Malvertising and VPN Scams
6. Blocking Malicious Traffic from Botfaqtor
A problem for the digital industry
The problem of malicious advertising, traffic hiding and click fraud is not new for the digital ecosystem in general and VPN services in particular. Fraudsters readily exploit anonymization services to carry out malicious attacks, since for them the end justifies the means.
In 2020, NordVPN's owners already sought to remove a similar fake site from search results, which was used by attackers to distribute malware. A year later, researchers from Zscaler ThreatLabZ discovered that cybercriminals were using malicious VPN apps disguised as popular providers (NordVPN, Hotspot Shield, and F-Secure Freedome VPN) to distribute malware known as Raccoon Stealer. The purpose of the malware was to steal information.
According to the researchers' report, over the past year, cybercriminals have changed their tactics, techniques, and procedures (TTPs) to attack VPN users due to the increased number of remote workers and the popularity of traffic anonymization applications.
Scammers' Tactics
Cybercriminals use malicious advertising (also known as malvertising) to infect users' devices and deceive advertisers.
Malvertising is the practice of conducting malicious attacks by placing digital advertisements that link to a malicious website or application, with the goal of infecting users' devices and using them in further attacks: DDoS, click fraud, data theft, etc.
To do this, attackers do not always place ads; they can also use other techniques to deceive users and advertisers, for example clickjacking.
The NordVPN scam is not an isolated case involving VPN networks. Attackers continue to use traffic redirection services to place fake advertising, run fraudulent advertising campaigns and generate fake leads. The reason is the growing demand among Internet users for programs that maintain anonymity and privacy.
The Dangers of Malvertising and VPN Fraud
Here's why malvertising and VPN scams are dangerous:
— Infection of the device with Trojans and other viruses
Users who run no antivirus or other protective software are vulnerable to malicious attacks. Cybercriminals rely on this, so they place ads on search engines with links to fake sites of real services and anonymization programs, through which victims download malware.
Advertisements that pose as VPN services and are distributed through search engines may be designed to infect users with remote access Trojans.
— Hacking devices and stealing data
If a user installs malware on their device, attackers can gain access to their personal and banking data. The main threat to businesses is that fraudsters can use such software to collect data, for example, about online store customers, and then use it in further fraudulent schemes.
Users are also becoming victims of ransomware. According to TechCrunch, even spyware developers are using digital advertising to distribute their spyware.
— Advertising fraud
Fraudsters often use VPN services to hide their fraudulent activity with advertising campaigns. The most obvious reason is geolocation manipulation to hide where visits and clicks actually come from. This makes it difficult to find and identify invalid traffic and increases the damage.
While such cybercriminal activity is predictable, leading search engines may not be keeping up with the trends and techniques of cybercriminals. Or their algorithms may be tuned to more global and widespread cases of fraud.
Take, for example, one of the most recent cases — malvertising with a fake NordVPN website. The scammers intercepted traffic from Bing searches using malvertising and redirected users to a fraudulent clone site. However, the URL of the ad clearly indicates a potential scam: NordVPN is misspelled (nord i vpn[.]xyz), and the site was created just a day before.
VPN problem and IP blocking
There are different ways to combat fraud, but not all of them are equally effective, and some have become completely counterproductive. For example, blocking by IP.
While tracking the IP addresses of attackers and blocking them used to be an effective way to prevent cyberattacks, today such blocking is no longer effective. It is worth abandoning this method of protecting advertising or a website for the following reasons:
— With the help of VPN services, scammers easily change their IP addresses
If attackers see that the IP address they attack from has been blocked, they simply switch to another one. Even if you keep blocking them, the scammer will simply keep changing IP addresses.
— Along with malicious traffic, real users can also be blocked
Users are increasingly turning to anonymization and privacy services, which is why they are using VPNs more often. By blocking a VPN exit IP address to stop one scammer, you can accidentally block real potential customers who use the same service.
How to Avoid Being a Victim of Malvertising and VPN Scams
Malvertising is a lucrative and effective tool for cybercriminals. As with phishing, new technologies are making it easier and faster to develop fraudulent attacks. All this means that both consumers and businesses need to learn how to navigate a digital world full of malware and traps.
To avoid becoming a victim of fraud, follow these tips:
— Pay attention to errors in domain names and domain zones
For example, the fact that a site is not the real one but a fraudulent duplicate can often be recognized from its domain name, as with the fake NordVPN domain nord i vpn[.]xyz. The domain zone (.xyz) also indicates the dubiousness of the address, while the official site is located in the .com zone.
— Check shortened links
Another element that may indicate fraud is a shortened URL, which makes it difficult to determine the authenticity of the destination domain. You can check the safety of shortened links and expand them using special online tools, for example 2IP.
— Look at the age of the domain
The age of the domain can also point to a scam site. For example, the fake NordVPN domain was registered on April 3, 2024, just one day before Segura unveiled the malicious advertising campaign. Also pay attention to the contact email address given on the site: as a rule, scammers use mailboxes on common free mail services. Be equally wary if the site has no contact information at all. Only after these checks should you decide whether or not to download the application or program.
— Check if there is a secure connection icon.
Another signal is the secure connection icon, which means that the site uses the HTTPS protocol. A lock is displayed next to the domain name in the browser address bar. Keep in mind that HTTPS only confirms that the connection is encrypted: clone sites can obtain certificates too, so treat a missing lock as a red flag rather than a present one as proof of legitimacy.
— Download applications only from official marketplaces
Download applications from official marketplaces (App Store, Google Play). Of course, there is still a possibility of downloading an application with malicious content there; however, the chances of installing the genuine app are much higher.
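The domain checks in the tips above (brand lookalike, dubious domain zone, shortened link, very young registration) can be automated for a URL taken from an ad before anyone clicks it. The following is an added example, not code from the article or from any of the services it mentions; the brand, shortener and TLD lists and the creation dates are constructed sample data, and the second sample domain is modelled on the page's "nord i vpn[.]xyz" example. The registration date would normally come from a WHOIS/RDAP lookup, which is passed in here as a parameter so the script runs offline.

```python
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Constructed sample data: tune these lists to your own telemetry.
BRANDS = {"nordvpn": "nordvpn.com"}               # brand keyword -> official apex domain
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}    # URL shorteners that hide the real target
SUSPICIOUS_TLDS = {"xyz", "top", "icu", "click"}  # zones rarely used by established brands
TODAY = date(2024, 4, 4)                          # constructed "now" for the samples


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1-2 from a brand name is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, created: Optional[date], today: date = TODAY) -> list:
    """Return the red flags for `url`; `created` is the WHOIS/RDAP creation date (None if unknown)."""
    host = (urlparse(url.replace("[.]", ".")).hostname or "").lower()  # accept defanged input
    labels = host.split(".")
    apex, tld = ".".join(labels[-2:]), labels[-1]
    flags = []
    if host in SHORTENERS:
        flags.append("shortened link: resolve it before trusting the destination")
    # Lookalike test on the second-level label, ignoring separators and digits ("nord-i-vpn" -> "nordivpn").
    core = "".join(ch for ch in labels[-2] if ch.isalpha()) if len(labels) > 1 else host
    for brand, official in BRANDS.items():
        if apex != official and (brand in core or edit_distance(core, brand) <= 2):
            flags.append(f"lookalike of {official}: {host}")
    if tld in SUSPICIOUS_TLDS:
        flags.append(f"uncommon TLD .{tld}")
    if created is not None and (today - created).days < 30:
        flags.append(f"domain registered {(today - created).days} day(s) ago")
    return flags


SAMPLES = [  # constructed: the second entry is modelled on the page's "nord i vpn[.]xyz" example
    ("https://nordvpn.com/download", date(2008, 1, 1)),
    ("https://nord-i-vpn[.]xyz/download", date(2024, 4, 3)),
    ("https://bit.ly/3abc", None),
]


def run_samples() -> dict:
    """Map each sample URL to the list of red flags it triggers (empty list = none)."""
    return {url: check_url(url, created) for url, created in SAMPLES}
```

Calling run_samples() shows the official domain with no flags, the lookalike with three (brand lookalike, .xyz zone, registered one day earlier) and the shortened link with a single flag to resolve before trusting it.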