Fake Font Update on Google Chrome Uses Social Engineering to Infect Users with Ransomware

By on Feb 24, 2017

We’ve seen social engineering attacks manipulate users time and time again. From phishing emails, to baiting attempts – this breed of cyberthreat has continued to manipulate users for years. And now a new scam has emerged that utilizes a fake update on Google Chrome to trick users into downloading and infecting themselves with the infamous Spora ransomware.

The trick is simple. First, the attackers insert JavaScript into poorly secured, but legitimate websites to modify the text rendering on them. Then, when victims visit these sites, the script makes the website indecipherable and prompts them to fix the issue by updating their “Chrome font pack.” Essentially, a window pops up, showing, “The ‘HoeflerText’ font wasn’t found,” and users are asked to update the Chrome Font Pack. And if they click, they’re immediately infected with the highly-effective Spora ransomware, instead of an update for their browser.

So why is this attack seeing such easy success? Believe it not, Hoefler Text is, in fact, a real font, adding a sense of legitimacy behind the scam. However, the malware has primarily seen so much success due to its ability to fly under the radar, as it does not get flagged as an infection by a variety of security programs.

What’s worse is that this isn’t the first time this has happened – delivery of malware through the EITest redirect gates has been around since at least 2014. Additionally, the infected sites and samples change all the time and simply blocking URLs, domains, and IP’s at the perimeter would just be playing “whack-a-mole.”

In fact, EITest gates are typically used in combination with the RIG, Angler, and Sundown EK’s to redirect victims to quite a few ransomware strains, including Spora, CryptoShield, CryptoMix, and Cerber, as well as banking Trojans and various other malware types.

So, how do you protect yourself from this scam? You could change to a different browser other than Chrome but remember that the threat actors can adapt tomorrow and include Internet Explorer or Firefox.

Therefore, with this issue having the potential to persist in more ways than one, here’s a few tips for staying safe while you browse online:

• Keep your browser, AV, and third party plug-ins up to date. That way, if any suspicious or unknown updates come through, you’ll be able to identify them immediately as fake.

• Keep your operating system patched. Software vendors fix flaws as quickly as they can, so make sure to apply all patches as soon as they become available.

• Stay educated. When you’re on a website, it’s a huge red flag if a pop-up appears asking to install or upgrade fonts, media players, pdf readers, etc. So, take some time to study up on browser norms so that if a website ever requires additional software to display whatever your looking at, you can identify the scam right then and there.


About the Author


We're here to make life online safe and enjoyable for everyone.

Read more posts from McAfee

Subscribe to McAfee Securing Tomorrow Blogs