Hackers are using malicious ads promising browser updates to drop malware on users’ machines. Using a mix of social engineering and a variation on scareware, attackers have been taking advantage of recent legitimate Firefox and Chrome updates to infect hundreds of machines in Europe and the United States.
Experts at StopMalvertising caution users to download browser updates only from legitimate sources, such as the vendor sites.
Victims landing on a website hosting a malicious ad are presented with a popup informing them their browser is out of date. They’re also given a link to a supposed update; instead they’re redirected to the securebrowserupdate domain, StopMalvertising said. The ad determines what browser the victim is using and offers the corresponding update. Several options are presented, including one with antivirus protection. None of the version numbers match current browser versions.
“If the script can’t make up which browser you’re running, Mozilla 5.1, GoogleBot 2.1 or unknown unknown.1 Service Packs are offered for download,” the alert said.
Users who click on the update download malicious JavaScript, which then drops a Trojan, Troj_STARTPA.AET, according to Trend Micro. The Trojan will change the browser’s home page to a site hosting additional malware, putting the user at further risk.
“Software vendors release updates regularly to ensure that users get the latest features and improvements,” said Trend Micro’s Roddell Santos. “But cybercriminals, unfortunately, may use this as a social engineering lure to hook users into downloading malware. It doesn’t help that these guys are making an effort to make their bogus sites look exactly like the real deal.”
Users accessing these sites via mobile devices are also at risk of fraudulent premium SMS charges.
Scareware scammers usually launch campaigns around new product launches, or even timely news events such as Hurricane Sandy or celebrity news. The most recent campaign centered on the launch of Windows 8, promising the Win 8 Security System. Victims are warned of threats to their system and urged to register a copy of the scareware in order to remove the malware.
In September, the Federal Trade Commission ordered the perpetrators of a scareware campaign to repay more than $160 million in damages to its victims. The scam was typical: advertising networks and popular websites were compromised and hosted malicious ads that redirected visitors to sites hosting phony antimalware scanners. Victims were offered the chance to have their machines cleaned of malware for a fee.