Malware, Network Security

Don’t install that security certificate; it’s a malware scam

Cybercriminals have been compromising websites to display a fake security certificate error message in hopes of tricking visitors into downloading the Mokes backdoor or the Buerak downloader.

Researchers from Kaspersky who discovered the scam said in a blog post that the ruse is a new twist on the old technique of hacking a website so that visitors are asked to download a fake, malicious "security update" for a browser or software program such as Adobe Flash Player.

The fake notification is delivered via a malicious iframe, whose contents are loaded from the third-party resource ldfidfa[.]pw. The iframe matches the size of the victimized webpage and perfectly overlaps the original content. The URL bar still displays the correct address, so visitors are less likely to become suspicious.

"Security Certificate is out of date," the fake message states in the form of an on-page banner. "Detected a potential security risk and has not extended the transition to ldfidfa[.]pw. Installing a security certificate may allow this connection to succeed." At various times during the campaign, clicking on the corresponding button has resulted in the download of either Bureau or Makes.

Kaspersky found the scam dates back to at least Jan. 16, and has affected a variety of websites belonging to everything "from a zoo to a store selling auto parts."

"As incidents involving certificate issuance and deployment become more well-known and mainstream, attackers have one more avenue to use in creating attacks that leverage social engineering efforts," said Pratik Savla, senior security engineer at Venafi. "Unfortunately, and also unsurprisingly, we are bound to see an uptick of this kind of campaign. In addition, attackers have also become much bolder with the use of malicious iframes.  In the past, it was common for a threat actor to inject their iframes towards the bottom of a webpage. But now one can encounter it anywhere on the webpage."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.