Chrome pop-up pretends to be a font pack update to install malware

A new technique by cybercriminals to trick unsuspecting users into installing malware has recently been discovered, this time involving a fake Google Chrome font pack update.

The legitimate-looking Google Chrome message asking to install a font pack

Spotted by Mahmoud Al-Qudsi of security firm NeoSmart Technologies, the hack was seen on a compromised Wordpress website. It utilizes Javascript to change the text rendering on the page, which will then resemble mis-encoded text with symbols and other random characters when displayed to the user.

With the page making it look like the content is distorted, a pop-up will appear, stating that the font used was not found. The message will subsequently ask the user to download a Chrome font pack, in order to allegedly fix the problem.

As NeoSmart Technologies points out, the prompt emulates the correct Google Chrome pop-up format, to make things seem more legitimate. It employs the browser's logo, and uses the correct shade of blue for the "update" button, like those of other Chrome system messages. Unlike other scams, the pop-up's grammar is also flawless, enough to downplay any suspicions.

However, digging a little deeper, the message is hard-coded to say that the user's browser version is Chrome 53, so those who are aware of their software version can tell that something is wrong.

Scam pop-up instructing the user to run the malicious file

Clicking on "update" will then download a file called "Chrome Font v7.5.1.exe." The pop-up message will also morph, giving the user instructions on running the saved program.

While Chrome reportedly fails to filter the file as malware, it will still display a warning, which states "this file isn’t downloaded often." Windows Defender also supposedly cannot detect the file as malicious.

In an analysis of the malware on VirusTotal, it was found by the researchers that only nine out of 59 antivirus programs identify the "font pack" file as malware. It is identified as "Win32.Trojan.WisdomEyes," "ML.Attribute.HighConfidence," and even as ransomware called "Ransom.Spora."

While scammers are quickly improving their techniques to deceive users online, it always pays to be careful of the sites we visit on the internet, as well as the files we download.

Source: NeoSmart Technologies via The Next Web | Images via NeoSmart Technologies

Report a problem with article
Next Article

Microsoft launches Skype Lite in India, "optimized for 2G and unstable network connections"

Previous Article

Facebook reportedly in talks to stream Major League Baseball games

6 Comments - Add comment