How Lockdown Has Made a Way For VPN Hackers

  • NordVPN claimed that the usage of their services increased by 165% globally.
  • Adversaries fake app reviews to boost their apps' rankings so that they can get maximum downloads.

It is indeed true that the world will not be the same place post-pandemic. A novel virus that has kept us contained in our homes has gravely impacted the global business marketplace and shattered the world economy.

Meanwhile, organizations are trying to stay afloat in these times by asking their employees to work online from home. This change has opened up an opportunity for hackers to cash in.

But why are cybercriminals after VPNs?

The global lockdown due to the COVID-19 outbreak has compelled individuals and businesses around the world to use VPNs in large numbers to shield their browsing activity from prying eyes on public and private Wi-Fi connections. A VPN is also required when someone is trying to access geo-restricted sites. In many countries, VPN usage figures have rocketed.

  • Within just a week (March 9-15), VPN usage increased by 112% in Italy, 38% in Iran, and 36% in Spain in comparison to the previous week.
  • In the North American continent, there was a surge of 24%, 26%, and 18% in Canada, USA, and Mexico, respectively, in a month of coronavirus spread.
  • NordVPN claimed that the usage of their services increased by 165% globally.

Fake VPNs

Researchers have discovered that hacker groups are manipulating users into downloading and installing malware that poses as a legitimate VPN client. Moreover, some of the VPNs available on the Chrome store, the Android Play Store, or other places are simply scams.

Here we discuss different types of VPN baits.

Fake Nord VPN site


Domain: nordfreevpn[.]com

When a user attempts to install a VPN client from this site, the user ends up installing Grand Stealer malware.

Capabilities: Stealing various user credentials and cryptocurrency wallets, browser profiles (credentials, cookies, credit cards, autofill), Gecko credentials, Screenshots, FTP credentials, RDP credentials, Telegram sessions, Discord software data, Desktop files.

Fake VPN4Test site


Domain: vpn4test[.]net

Installing a VPN client from this site can load users’ systems with Azorult infostealer instead. The malware first generates a bot ID to uniquely identify the host machine and then communicates with its C2 server.

Capabilities: Harvests saved passwords, browser login credentials, cookies, history, chat sessions, screenshots, cryptocurrency wallets, etc. Additionally, it may download further malware onto the infected system.

Azorult also downloads and executes two additional pieces of malware: Masad stealer and Parasite RAT.
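
Defenders can turn the two domains above into a check over DNS or proxy logs. The following is an added example, not code from the original article: it scans a constructed DNS query log for the two domains named on this page and for other names that reuse a VPN brand. The official domain nordvpn.com, the brand tokens, and the log format are assumptions.

```python
# Domains named on this page, kept defanged here and refanged at load time.
PAGE_IOCS_DEFANGED = ("nordfreevpn[.]com", "vpn4test[.]net")
# Assumptions (not from the page): nordvpn.com as the vendor's real domain,
# and "nord" together with "vpn" as the tokens a lookalike would reuse.
OFFICIAL = {"nordvpn.com"}
BRAND_TOKENS = ("nord",)

def normalize(host):
    """Lowercase, refang '[.]', and drop the trailing root dot."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

PAGE_IOCS = {normalize(d) for d in PAGE_IOCS_DEFANGED}

def matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(host):
    """Return 'ioc', 'lookalike' or 'ok' for one queried name."""
    h = normalize(host)
    if matches(h, PAGE_IOCS):
        return "ioc"
    if matches(h, OFFICIAL):
        return "ok"
    if "vpn" in h and any(t in h for t in BRAND_TOKENS):
        return "lookalike"  # heuristic only: review before blocking
    return "ok"

def scan(log_lines):
    """Return (client, name, verdict) for each query that is not 'ok'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, name = parts[1], parts[2]
        verdict = classify(name)
        if verdict != "ok":
            hits.append((client, normalize(name), verdict))
    return hits

# Constructed sample DNS query log: "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = [
    "2020-04-20T09:01:12Z 10.0.0.5 nordvpn.com.",
    "2020-04-20T09:02:40Z 10.0.0.7 www.nordfreevpn.com",
    "2020-04-20T09:03:03Z 10.0.0.9 VPN4Test.net.",
    "2020-04-20T09:04:55Z 10.0.0.7 nord-vpn-download.example",
    "2020-04-20T09:05:10Z 10.0.0.4 example.org",
]
```

Calling scan(SAMPLE_LOG) returns the three suspicious queries with the client address that made each one, which is the starting point for checking those hosts for an installed stealer.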

Fake VPN reviews

The bigger you get, the more complex it gets. Google’s Play Store and Apple’s iOS App Store are the top two stores that many of us enjoy using. But hackers, on the other hand, enjoy exploiting them. This is especially true for the Android platform, which obviously has the maximum number of users around the world.

  • Adversaries spread fake app reviews to rank their apps so that they can get maximum downloads.
  • They also manipulate the App Store and Play Store algorithms to propagate their apps.

Last week, Google kicked out an Android VPN app, ‘SuperVPN’, which had been downloaded over 100 million times and had a critical vulnerability that posed a man-in-the-middle (MITM) attack threat to its users.

Bottom line

Once you download a VPN, it becomes in charge of your incoming and outgoing data. So, one has to be very careful about what they are downloading and from where. Also, if you’re looking for zero-cost VPN services, do your research on whether a free VPN is worth downloading.

This crisis might make malicious actors more aggressive than before, with a plethora of unsecured endpoints waiting for them.