Researchers at Proofpoint discovered an infection technique that targets only Chrome users on Windows in specific countries. The Chrome users are targeted with the “Font Wasn’t Found” social engineering scheme if they navigate to a compromised website through a search engine.
“Font Wasn’t Found” Social Engineering Scheme Illustration:
The Infection Mechanism:
– The attacker compromises a website and inserts their own script into the site’s source code.
– The user visits the compromised website via an expected referrer, such as a search engine.
– The malicious code runs an ‘eligibility test’.
– If the victim meets the criteria (a targeted country, the expected User-Agent, i.e. Chrome on Windows, and a proper referrer), the malicious code loads a second malicious script.
– The malicious code rewrites the compromised website in the victim’s browser to make the page unreadable.
– The code displays “�” characters all over the page, creating a fake problem for the user to resolve.
– The malicious code renders the page unreadable by replacing HTML tags with “& # 0”.
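The page rewrite described above leaves a recognisable trace: a large number of NUL character references where the markup used to be, often alongside the lure dialog’s wording. The following is an added example (not code from the article or from Proofpoint) of a heuristic check a defender could run over saved or proxied HTML to flag pages that have been mangled this way. It assumes the “& # 0” the article mentions is the HTML numeric character reference `&#0;` (shown spaced in the text), and the sample pages and the flagging thresholds are constructed for illustration, not taken from the campaign.

```javascript
// Added example: heuristic detector for the "Font Wasn't Found" page rewrite.
// Assumption: the article's "& # 0" is the numeric character reference "&#0;",
// which renders as the U+FFFD replacement character in the browser.

// Count how many times a global regular expression matches in a string.
function countMatches(text, re) {
  const m = text.match(re);
  return m ? m.length : 0;
}

// Analyse one HTML document (as a string) and return a verdict object.
function analyseFontLurePage(html) {
  // NUL numeric character references in any spelling: "&#0;", "&#00;", "&#x0;".
  const nulRefs = countMatches(html, /&#(?:0+|x0+);/gi);
  // Already-rendered replacement characters (U+FFFD), in case the capture is
  // post-render text rather than raw markup.
  const replacementChars = countMatches(html, /\uFFFD/g);
  // Rough estimate of what remains visible: strip tags and collapse whitespace.
  const visible = html.replace(/<[^>]*>/g, ' ').replace(/\s+/g, ' ').trim();
  const visibleLength = visible.length;
  // Share of the visible text that is mangled.
  const mangled = nulRefs + replacementChars;
  const mangledRatio = visibleLength === 0 ? 0 : mangled / visibleLength;
  // The lure dialog's wording ("font wasn't found" / "font was not found").
  const lureText = /font\s+was(?:n't|\s+not)\s+found/i.test(html);
  // Flag when mangling dominates the page, or when the lure wording appears
  // together with any mangling at all. The 0.2 threshold is a constructed
  // example value; tune it against your own traffic.
  const suspicious = mangledRatio > 0.2 || (lureText && mangled > 0);
  return { nulRefs, replacementChars, visibleLength, mangledRatio, lureText, suspicious };
}

// Constructed sample pages (not captured from a real site).
const CLEAN_PAGE =
  '<html><body><h1>Weekly news</h1><p>Nothing unusual on this page.</p></body></html>';

// Markup replaced with NUL references plus the fake font dialog.
const REWRITTEN_PAGE =
  '<html><body>&#0;&#0;&#0; &#0;&#0; &#0;&#0;&#0;&#0;' +
  '<div class="dialog">The font wasn\'t found</div></body></html>';

// Heavily mangled body with no dialog text at all.
const MANGLED_ONLY_PAGE =
  '<p>' + '&#0;'.repeat(30) + '</p><p>Read more</p>';

// Stand-alone run: print a verdict for each sample.
for (const [name, page] of [['clean', CLEAN_PAGE], ['rewritten', REWRITTEN_PAGE], ['mangled-only', MANGLED_ONLY_PAGE]]) {
  console.log(name, analyseFontLurePage(page));
}
```

The check deliberately keys on two independent signals, the density of NUL references and the dialog wording, because a page that merely contains a few stray `&#0;` references (an encoding bug, say) should not trip the detector on its own, while a lure page that has been fully rewritten will score on the ratio even if the dialog text is varied.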
As shown in the figure, the victim is presented with a popup saying that a specific font wasn’t found on their device and that they must download and install a font package update to view the website content.
The “font package” it tells the user to download is actually the malware payload. Once the user clicks the Update button, Chrome downloads the malware, a type of ad-fraud malware known as Fleercivet.
Up to this point the user is still safe; once they run the downloaded file, named “Chrome_Font.exe”, it installs itself and infects the system. After infection, the computer starts browsing in the background on its own.
It is suspected that the cyber-criminals are turning to new strategies because they are finding it harder to achieve conversions (i.e., malware installations) via exploit kits.
The Proofpoint researchers stated that this campaign began on December 10, 2016. They also reported that the same malware was advertised for sale on underground cybercrime services under the name ‘Simby’ in early 2015, and as ‘Clicool’ in late 2015 and in 2016.
A security analyst speaking to CYBRNOW recommends that users who encounter such a website ‘force close’ the Chrome application and delete their browser data for safer browsing.