Footprint of Fake NordVPN Sites | WhoisXML API

Uncovering a Large Footprint of Fake NordVPN Sites

NordVPN is no stranger to being targeted by scammers. Over the years, we’ve seen malicious campaigns that start by luring users to a fake NordVPN site. [1], [2]

Anyone looking to subscribe to a VPN service could easily land on a fake site and get a malware infection.

WhoisXML API threat researcher Dancho Danchev looked at the underlying infrastructure of NordVPN scammers starting with four domains identified as indicators of compromise (IoCs). His investigation uncovered:

  • At least eight unredacted email addresses, found in historical WHOIS records, that were used to register the domains identified as IoCs
  • 10,650+ possibly connected domains, which shared the IoCs’ registrant email addresses

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://nordvpn.com/blog/nordvpn-fake-site-scam/
  • [2] https://www.bleepingcomputer.com/news/security/hackers-use-fake-nordvpn-website-to-deliver-banking-trojan/