New Malware Spreads Through Hacked Sites as Fake Browser Update

New Malware Spreads Through Hacked Sites as Fake Browser Update

Most malware attacks rely on fooling users into launching a corrupted executable file, and online criminals have come up with plenty of ways to do that. There’s a new piece of malware making the rounds online via hacked websites that uses sophisticated redirects and modified JavaScript to load a malicious payload on your computer. According to Malwarebytes, there are probably thousands of affected sites.

The attack most likely began late last year, and some site operators began noticing something was afoot in February. Sites using WordPress, SquareSpace, and Joomla content management systems have been targeted by the group behind this so-called “FakeUpdates campaign.” The attackers either modify or replace JavaScript files on the site in order to target visitors.

When you visit one of these infected sites, you’ll get a fake update notification (hence the name) that kicks off the infection. You might wonder how this attack could pop up on thousands of websites for months without detection until recently. This is a clever attack that uses a light touch with a site’s visitors. For one, it only serves the fake update notification once per IP address. The update notification (which is a redirected URL) is themed to match your browser. So Firefox users get a page about running an old version of Firefox, and it’s the same for Chrome users. There’s a version for Flash updates, too. The styling of these pages looks spot-on.

New Malware Spreads Through Hacked Sites as Fake Browser Update

If you do fall for the fake update, you don’t get an executable. Instead, a malicious JavaScript file is served up from Dropbox. The Dropbox URL frequently changes to avoid detection and blocking. The script analyzes the victim’s system and gives the attacker flexibility in delivering the actual payload. If a system isn’t attractive enough, the script can shut down without installing malware.

The end result of an infection with the FakeUpdates campaign is that your system runs the Chtonic banking malware, which is a variant of ZeusVM. That gives the attacker full control of a system including file transfer and remote access.

Now that the cat’s out of the bag, site operators and CMS systems can begin purging FakeUpdates from websites. It won’t go away overnight, and it might just mutate to avoid detection and come back later. Your best bet is never to trust popups that tell you to download something, even if they look legit. Only download on your own terms.

Continue reading

Time to Update: Google Patches 2 Severe Zero-Day Chrome Vulnerabilities
Time to Update: Google Patches 2 Severe Zero-Day Chrome Vulnerabilities

Unlike the last few zero-days, Google didn't find these security holes itself. Instead, it was tipped by anonymous third-parties, and the problems are severe enough that it hasn't released full details. Suffice it to say, you should stop putting off that update.

Samsung Starts Rolling Out Galaxy S20 Android 11 Update on Verizon
Samsung Starts Rolling Out Galaxy S20 Android 11 Update on Verizon

Not only does this include the Googley Android 11 enhancements, but it also has numerous Samsung-specific changes as part of the One UI 3.0 revamp.

Apple Urges Immediate iPhone Update to Block Active Online Hacks
Apple Urges Immediate iPhone Update to Block Active Online Hacks

There's a new version of Apple's iOS software for iPhone and iPad devices, and as usual, Apple is going to start pestering users to update. This time, the nagging for iOS 14.4 comes with a little more urgency.

Samsung Promises to Update Its Android Phones Even Longer Than Google
Samsung Promises to Update Its Android Phones Even Longer Than Google

Smartphone updates have been a mess for as long as the modern smartphone has existed, but Samsung just took a big step in the right direction: The company has decided to extend security update support to a full four years.