WALLONN7, posted February 21, 2017

The hack popped up on a compromised WordPress site

Chrome users should beware of a new hacking technique which prompts users to download a missing font only to trick them into installing malware on their systems.

According to cybersecurity firm NeoSmart Technologies, the trap was first noticed while browsing a WordPress website that had allegedly already been compromised. Given the latest issues with WordPress due to users failing to update to the latest security patch, this isn't exactly a surprise.

This particular attack was pretty well disguised. JavaScript was used to tamper with the text rendering on the site, causing it to look all jumbled. The script then prompted users to fix the problem by installing that one font they were missing to read the blog by updating the Chrome font pack.

This makes for a rather credible ploy, especially since the dialog window that pops up urging users to update actually looks like it comes from Chrome. It even has the logo on the side and the right shade of blue on the "update" button.

There are some clues that things aren't right, of course. On one hand, the dialog window insists that you're using Chrome version 53 even if you aren't. Then, clicking the "Update" button will proceed to download an executable file titled "Chrome Font v7.5.1.exe" which isn't the same as the one the instruction image said it would download - "Chrome_Font.exe".

[Image: The download window]

It's not flagged as malware

Chrome doesn't flag the file as malware, but it does block it because the file isn't downloaded too often, which is a common warning. The browser advises users to discard the file.

Following a VirusTotal scan, only 9 out of 59 anti-virus scanners in the database accurately identify the file as malware, although VirusTotal has some issues with accurately presenting a list of antivirus programs that actually detect various malicious files, so the number may be higher than that.

There's also the fact that you don't need to update any Chrome font pack at any time because it already comes with everything you need.

steven36, posted February 21, 2017

I've seen this same thing happen in Firefox before, but instead of a font it said it was a download for Flash, and I haven't even installed Flash for a long time lol.

Did you know that on Android they haven't had Flash for 5 years, and still crazy people fall for it and download malware thinking it's Flash?

Users Continue to Install Malware on Their Phone 5 Years After Adobe Discontinued Flash for Android
https://www.bleepingcomputer.com/news/security/users-continue-to-install-malware-on-their-phone-5-years-after-adobe-discontinued-flash-for-android/

Come on people, it's common sense not to download stuff when you don't know what it is!!! This is why Google changed the default setting to ask before you download now; before, it was easy to get malware in Chrome if you didn't know to change the setting. It was a stupid mistake by Google, but in new versions it's a stupid mistake by the end user.

Recruit, posted February 21, 2017

If you restrict execution of .exe files in "%AppData%" & "%LocalAppData%" (and subfolders), these shi*s will stay away from your machine. With this method you could forget words like "antivirus" & "anti-malware", etc.
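
What a path rule like the one in the post above would and would not match, as an added example that is not part of the original thread: it resolves each path and reports which of the two roots, if any, covers the executable. The user name `alice`, the sample locations and the function names are assumptions; only the file name "Chrome Font v7.5.1.exe" comes from the article.

```python
import ntpath
from pathlib import PureWindowsPath

# Constructed profile for a hypothetical user "alice"; on a real host these
# values come from the %AppData% and %LocalAppData% environment variables.
PROFILE = {
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\alice\AppData\Local",
}
BLOCKED_EXTENSIONS = {".exe"}

# Constructed sample paths; the locations are assumptions chosen to
# exercise the rule, not observations from the sample in the article.
SAMPLES = [
    r"C:\Users\alice\Downloads\Chrome Font v7.5.1.exe",
    r"C:\Users\alice\AppData\Local\Temp\Chrome Font v7.5.1.exe",
    r"c:\users\ALICE\appdata\roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"C:\Users\alice\Downloads\..\AppData\Local\dropper.EXE",
    r"C:\Users\alice\AppData\Roaming\notes.txt",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
]


def _normalise(path):
    # Collapse "..", "." and mixed separators so a path is judged by the
    # directory it really points to, not by how it was spelled.
    return PureWindowsPath(ntpath.normpath(path))


def matching_root(image_path, profile=PROFILE):
    """Return the rule root (e.g. '%AppData%') covering image_path, or None."""
    target = _normalise(image_path)
    if target.suffix.lower() not in BLOCKED_EXTENSIONS:
        return None
    for name, root in profile.items():
        # PureWindowsPath compares case-insensitively, as Windows does.
        if _normalise(root) in target.parents:
            return name
    return None


def coverage(paths=SAMPLES):
    """Map every sample path to the root that covers it (None = not covered)."""
    return {path: matching_root(path) for path in paths}


if __name__ == "__main__":
    for path, root in coverage().items():
        verdict = "covered by " + root if root else "not covered"
        print(f"{verdict:<28} {path}")
```

The per-user Startup folder sits under `%AppData%`, so it is covered, while a file saved to a Downloads folder is outside both roots.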

steven36, posted February 21, 2017

I don't execute any exe files when I don't know what they are anyway. You know how many sites are ridden with ads that try to get you to install malware by mistake? When it happened to me in Firefox it was much worse than this. When I looked at the screens, it gives you a warning, it asks you to download; when it happened in Firefox it just tried to download it and didn't ask. NOD blocked it anyways lol. With this malware in Chrome you have to say yes to the download 2 times lol.

steven36, posted February 21, 2017

I found this out at VirusTotal. To beat it all, it's not just a Google Chrome malware; it doesn't discriminate. The same malware affects Firefox too if you named the installer something else.

Proof of it being exploited in Firefox here:
https://sandbox.deepviz.com/report/hash/6fc30d8a8d354f2a8128874cf84d0353/

Quote:

1 high impact rules
  Access Mozilla Firefox file that stores the annotations, bookmarks, favorite icons, input history, keywords, and browsing history

11 medium impact rules
  Creates file in Startup folder
  Hides created files or folders in root directory
  Access Mozilla Firefox popup site exceptions
  Strings dump contains file extensions
  Contains cryptographic functionality
  Access Mozilla Firefox extensions list
  Access Mozilla Firefox downloads history
  Access Mozilla Firefox cookies
  Access Mozilla Firefox form history
  Access Mozilla Firefox add-ons list

12 low impact rules
  Suspicious delay
  Modify "OpenWith" application list for a set of specified file extensions
  PE section has SizeOfRawData larger than VirtualSize
  Runs existing executable
  PE Checksum is invalid
  Gathers system main data (MachineGuid, ComputerName, SystemBiosVersion ...)
  Check user main folders path
  Automatically unpack its own code
  Contains anti-debugging code
  Drops .EXE file
  EntryPoint points inside a writable section
  Access Windows sensitive data: Windows Profiles information

But by the time this got posted here, it was found over 2 days ago and any good antivirus will stop it.
https://www.virustotal.com/en/file/7e62a5ca20cfb5da90fe7402f413321c9ede7e230e8b4fa2f1a4e516e8ae8e34/analysis/

And that's why I haven't used Safe Browsing since 2011; by the time they catch it, everything else has too lol. If you were using Malwarebytes, it caught it even when the source first found it.