Fake Font Update on Google Chrome Uses Social Engineering to Infect Users with Ransomware

February 24, 2017 – 8:57 PM

We’ve seen social engineering attacks manipulate users time and time again. From phishing emails, to baiting attempts – this breed of cyberthreat has continued to manipulate users for years. And now a new scam has emerged that utilizes a fake update on Google Chrome to trick users into downloading and infecting themselves with the infamous Spora ransomware.

The trick is simple. First, the attackers insert JavaScript into poorly secured, but legitimate websites to modify the text rendering on them. Then, when victims visit these sites, the script makes the website indecipherable and prompts them to fix the issue by updating their “Chrome font pack.” Essentially, a window pops up, showing, “The ‘HoeflerText’ font wasn’t found,” and users are asked to update the Chrome Font Pack. And if they click, they’re immediately infected with the highly-effective Spora ransomware, instead of an update for their browser.

So why is this attack seeing such easy success? Believe it not, Hoefler Text is, in fact, a real font, adding a sense of legitimacy behind the scam. However, the malware has primarily seen so much success due to its ability to fly under the radar, as it does not get flagged as an infection by a variety of security programs.

What’s worse is that this isn’t the first time this has happened – delivery of malware through the EITest redirect gates has been around since at least 2014. Additionally, the infected sites and samples change all the time and simply blocking URLs, domains, and IP’s at the perimeter would just be playing “whack-a-mole.”

In fact, EITest gates are typically used in combination with the RIG, Angler, and Sundown EK’s to redirect victims to quite a few ransomware strains, including Spora, CryptoShield, CryptoMix, and Cerber, as well as banking Trojans and various other malware types.


You must be logged in to post a comment.