New Hacker Gimmick: The Release of Fake Google Chrome Font Pack Can Affect You
Google Chrome users have been cautioned to be on the alert for scammers and hackers prompting them to download a fake Google Chrome font pack update just to trick them into installing malware on their systems.
This scam has apparently been making its rounds since January this year. Proofpoint researchers have discovered this, saying only Chrome users on Windows are potential victims.
Moreover, the researchers also claimed that it only affected users from specific countries and only if they navigated to a compromised website using a specific route, such as search engine results.
If Chrome users come across such websites, the script then makes the website unreadable and prompts them to fix the issue by updating their ‘Chrome font pack.’
The prompt window would say: “The ‘HoeflerText’ font wasn’t found”. With this, there will be a prompt to update the “Chrome Font Pack.” If users clicked on it, it actually installs a malware trojan on your machine.
The technique relies on attackers compromising websites and adding their own scripts to the site’s source code. Meanwhile, these scripts filter out the incoming traffic and load another malicious script only for Chrome users on Windows.
Destroys Web Page Content
This second script will replace HTML tags with “& # 0,” which ruins the site’s content and displays “�” characters all over the page.
Apparently, the scam can infect victims computer with Spora ransomware. This is one of the most active ransomware operations with live infection channels, crypto, and ransom payment service.
To give it legitimacy, the pop-up has Google Chrome’s logo and uses classic button styles. Incredibly, they mirror the official Google Chrome website.
According to some reports, only a very small number of anti-malware apps are detecting this particular attack right now.
This malware was primarily successful due to its ability to fly under the radar. Also, it does not get the recognition as an infection by a variety of security programmes.
Proofpoint says the font update packages that users download via this technique come with the Fleercivet click-fraud malware. This works by navigating to preset URLs and clicking on hidden ads behind the user’s back, earning crooks money.
This same malware was present on underground cybercrime services. There’s one under the name of Simby in early 2015, and Clicool in late 2015 and in 2016.
These ads aim to promote the installation of additional questionable content. This includes web browser toolbars, optimization utilities and other products. Further, when users click on the ads, the adware publisher can generate pay-per-click revenue. Other malicious adware programmes might enter the computer without the user’s knowledge.
Though Chrome doesn’t flag the download as malware, the browser blocks the file with a warning message “this file isn’t downloaded very often”.
This is a standard warning and next time you notice it better skip the download process of the file. The timely reaction could enable you to avoid ransomware infection.
Scammers are Quickly Improving their Techniques to Deceive
Scammers are quickly improving their techniques to deceive users online. Therefore, it always pays to be careful of the sites we visit on the internet, as well as the files we download, and to improve our IT security.