Security researcher Mahmoud Al-Qudsi spotted a “drive-by-infection” hack on a compromised WordPress website in which the scam was using JavaScript to change how text was displayed on the website, then urging users to download a fix for the problem.
Al-Qudsi said, “This attack gets a lot of things right that many others fail at. The premise is actually believable: the text doesn't render, and it says that is caused by a missing font, which it then prompts you to download and install.”
Screenshots show a warning box designed by the hacker that appears legitimate. A message display says: “The web page you are trying to load is displayed incorrectly as it uses the ‘Hoefler Text' font. To fix the error and display the text, you have to update the ‘Chrome Font Pack'.”
By clicking on the “Update” button, which sports the correct colour blue that Chrome uses, a file called “Chrome Font v7.5.1.exe” downloads and the webpage morphs to “helpfully” push the user to run the virus.
This file is not recognised by either Windows Defender or Chrome as being a virus. Only nine out of 59 antivirus scanners identify it as dangerous. If infected, VirusTotal revealed the malware will snoop on files and documents and can be used to inspect core Windows system files.
While Chrome doesn't peg the file as being malicious, it is blocked by a warning that says “this file isn't downloaded very often”.
Tod Beardsley, research director at Rapid7 commented: “So far, the attacks appear to be limited to compromised WordPress sites – a field that is, unfortunately, rich with targets.”
“Chrome users should be aware that legitimate warnings from the Chrome browser will never appear as overlays to a web page. Specifically, Chrome does not offer any functionality for prompting for a missing font download, and all such prompts are sourced from malware or malvertising campaigns. In the rare cases the browser needs to communicate a security or misconfiguration warning to the user, these warnings will appear as a full, replacement page, such as the familiar ‘Your connection is not private' warning for misconfigured SSL certificates.”
