Google Chrome users have been cautioned to be on the alert for scammers and hackers prompting them to download a fake Google Chrome font pack update just to trick them into installing malware on their systems.
This scam has apparently been making its rounds since January this year and was discovered by Proofpoint researchers, who say only Chrome users on Windows are targeted.
The researchers also claimed that it only affected users from specific countries and only if they navigated to a compromised website using a specific route, such as search engine results.
If Chrome users come across such websites, the script makes the website unreadable and prompts them to fix the issue by updating their ‘Chrome font pack.’
‘HoeflerText’ Font Wasn’t Found
The prompt window would say: “The ‘HoeflerText’ font wasn’t found” and you’re then asked to update the “Chrome Font Pack.” If clicked, it actually installs a malware trojan on your machine.
The technique relies on attackers compromising websites and adding their own scripts to the site’s source code. These scripts filter incoming traffic and load a second malicious script only for Chrome users on Windows.
Destroys Web Page Content
This second script will replace HTML tags with “&#0,” which ruins the site’s content and displays “�” characters all over the page.
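A site owner's check for the symptoms described above, as an added example that is not part of the original article or of Proofpoint's research: it scores a saved page snapshot for the lure wording and for the share of “&#0”/“�” debris in the visible text. The 0.2 threshold, the function names and the sample pages are assumptions; because the injected script is served only to Chrome users on Windows arriving by specific routes, the snapshot has to be captured under those conditions.

```javascript
// Lure wording quoted in the article, lower-cased for matching.
const LURE_PHRASES = ["hoeflertext", "chrome font pack"];
// Assumed cut-off: share of visible characters that are replacement debris.
const GARBLED_THRESHOLD = 0.2;

// Approximate what a visitor sees: drop script/style bodies, then all tags.
function visibleText(html) {
  return html
    .replace(/<(script|style)\b[\s\S]*?<\/\1>/gi, " ")
    .replace(/<[^>]+>/g, " ");
}

// Score one page snapshot (raw markup or serialized DOM).
function scorePage(html) {
  const lower = html.toLowerCase();
  const phrases = LURE_PHRASES.filter((p) => lower.includes(p));
  const text = visibleText(html).replace(/\s+/g, "");
  // "&#0" in markup and U+FFFD in rendered text are the debris described.
  // The lookahead keeps ordinary entities such as &#039; from matching.
  const debris = text.match(/\uFFFD|&#0(?!\d);?/g) || [];
  const garbledRatio = text.length ? debris.join("").length / text.length : 0;
  const garbled = garbledRatio >= GARBLED_THRESHOLD;
  let verdict = "clean";
  if (phrases.length > 0 && garbled) verdict = "likely-lure";
  else if (phrases.length > 0 || garbled) verdict = "review";
  return { phrases, garbledRatio, verdict };
}

// Constructed snapshots, not captured from any real site.
const SAMPLES = {
  lure: "<html><body><p>" + "\uFFFD".repeat(40) + "&#0".repeat(10) + "</p>" +
    "<div>The \"HoeflerText\" font wasn't found. Update the Chrome Font Pack.</div></body></html>",
  news: "<html><body><p>Researchers describe a fake \"HoeflerText\" prompt.</p></body></html>",
  clean: "<html><body><h1>Recipes</h1><p>It&#039;s time to mix flour and water.</p></body></html>",
};

for (const [name, html] of Object.entries(SAMPLES)) {
  const r = scorePage(html);
  console.log(name, r.verdict, r.phrases.join(","), r.garbledRatio.toFixed(2));
}
```

A page that only mentions the lure wording, such as a news report about it, lands in "review" rather than "likely-lure" because its visible text is not garbled.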
Apparently, the scam can also be used to infect victims’ computers with Spora ransomware, which is one of the most well-run ransomware operations with active infection channels, advanced crypto, and an advanced ransom payment service.
To give it legitimacy, the pop-up is marked with Google Chrome’s logo and uses classic button styles, as seen on the official Google Chrome website.
According to some reports, only a very small number of anti-malware apps are detecting this particular attack right now.
This malware has seen so much success primarily due to its ability to fly under the radar, as it is not flagged as an infection by a variety of security programmes.
Proofpoint says the font update packages that users download via this technique are infected with the Fleercivet click-fraud malware, which works by navigating to preset URLs and clicking on hidden ads behind the user’s back, earning crooks money.
This same malware was advertised on underground cybercrime services under the name of Simby in early 2015, and Clicool in late 2015 and in 2016.
These ads aim to promote the installation of additional questionable content, including web browser toolbars, optimization utilities and other products, all so the adware publisher can generate pay-per-click revenue. Other unwanted adware programmes might get installed without the user’s knowledge.
Though Chrome doesn’t flag the download as malware, the browser blocks the file with a warning message “this file isn’t downloaded very often”.
This is a standard warning, and the next time you notice it, it is better to skip the download. A timely reaction could save your computer from a ransomware infection.
Scammers are Quickly Improving their Techniques to Deceive
While scammers are quickly improving their techniques to deceive users online, it always pays to be careful of the sites we visit on the internet, as well as the files we download, and to improve our IT security.