Similar to fake antivirus warnings, attackers spoof browsers' alert pages to trick users into downloading scareware, said a Symantec researcher.
Scammers are spoofing
anti-malware warnings alerts displayed in popular Internet browsers to fool
Windows users into downloading fake security software, a Symantec researcher
wrote on the company's security blog
on Oct. 4.
The threat involves attackers putting up phony versions of
security alerts that Google Chrome and Mozilla Firefox browsers display when
users are about to access pages suspected of hosting malware, wrote Symantec
researcher Parveen Vashishtha in a blog post.
These alerts include a prominent "Get Updates!!" button that
offer to download a browser security update, said Vashishtha. Clicking on the
button saves "scareware,"- software so named because it scares users with fake
security alerts into buying and downloading a useless program to their
computers. The "Get Updates!!" button actually replaces the "Get me out of
here!" button that Google usually displays on legitimate alert pages.
"Malware authors are employing innovative social
engineering tricks to fool users - it's
as simple as that," said Vashishtha.
No Internet browser suggests downloading updates directly
from a warning screen. Instead legitimate browser alerts simply warn users that
the page they're about to access may be dangerous. Users can either browse away
via "Get me out of here," press the back button, or enter the site at their own
Unfortunately, users are often confused when they see the scam.
If the user clicks on the download button, intentionally to download the
update, or unintentionally thinking it was the "Get me out of here" button, a
dialog box opens to save the file to the computer. Even if the savvy user
realizes the mistake and tries to cancel out , the dialog box keeps popping up
repeatedly, Vashishtha wrote.
According to the security blog, not clicking on the download
button merely switches the cyber-criminal's focus to execute its backup plan.
The user is redirected to a series of Web sites that bombard the computer with the
Phoenix toolkit. An automated multi-exploit kit, Phoenix
codes that attack known vulnerabilities in Windows, Adobe Reader, Internet
Explorer, and Java.
For users that downloaded the update, the executable turns
out to be a variant of the Security Tool scareware. Once executed, it displays
exaggerated pop-ups reporting a number of vulnerabilities and threats "found"
to scare users, Vashishtha said. In this way, users are scammed into buying a
"full version" of the Security Tool to fix these problems.
Windows PCs that are up-to-date with all the latest security
updates are generally immune from the exploit kit, according to the Symantec post.
If the PC is not up-to-date, then the attack succeeds.
"Many attackers don't bother with the latest vulnerabilities,"
said Chris Larsen, a security researcher with Blue Coat Systems. Because there is such a significant number of users who decide not to download the latest version of the software, or think they will "do it later" and never get around to it, attackers know they will be able to hit a large number of targets using old exploits, he said.
The fake security alerts use the same strategy the fake antivirus
scammers use to display sham alerts when accessing a page. Security researchers
have identified millions of YouTube pages
and image search results that point
to fake antivirus sites. In fact, Google reported recently that fake antivirus
security programs account for 15 percent of all the malware
the search engine
sees on the Web.
Products such as NortonSafeWeb can verify links to determine
whether they are safe before clicking on them, said Vashishtha.
should download and regularly patch their operating system and software with
the latest security updates, Larsen said. As the latest attacks show, security
updates should only downloaded from software vendors' official Web sites, not the
sites found on alert pages.