Phony Browser Alerts Trick Users into Downloading 'Scareware': Symantec

Similar to fake antivirus warnings, attackers spoof browsers' alert pages to trick users into downloading scareware, said a Symantec researcher.

Scammers are spoofing anti-malware warnings alerts displayed in popular Internet browsers to fool Windows users into downloading fake security software, a Symantec researcher wrote on the company's security blog on Oct. 4.

The threat involves attackers putting up phony versions of security alerts that Google Chrome and Mozilla Firefox browsers display when users are about to access pages suspected of hosting malware, wrote Symantec researcher Parveen Vashishtha in a blog post.

These alerts include a prominent "Get Updates!!" button that offer to download a browser security update, said Vashishtha. Clicking on the button saves "scareware,"- software so named because it scares users with fake security alerts into buying and downloading a useless program to their computers. The "Get Updates!!" button actually replaces the "Get me out of here!" button that Google usually displays on legitimate alert pages.

"Malware authors are employing innovative social engineering tricks to fool users - it's as simple as that," said Vashishtha.

No Internet browser suggests downloading updates directly from a warning screen. Instead legitimate browser alerts simply warn users that the page they're about to access may be dangerous. Users can either browse away via "Get me out of here," press the back button, or enter the site at their own peril.

Unfortunately, users are often confused when they see the scam. If the user clicks on the download button, intentionally to download the update, or unintentionally thinking it was the "Get me out of here" button, a dialog box opens to save the file to the computer. Even if the savvy user realizes the mistake and tries to cancel out , the dialog box keeps popping up repeatedly, Vashishtha wrote.

According to the security blog, not clicking on the download button merely switches the cyber-criminal's focus to execute its backup plan. The user is redirected to a series of Web sites that bombard the computer with the Phoenix toolkit. An automated multi-exploit kit, Phoenix includes JavaScript codes that attack known vulnerabilities in Windows, Adobe Reader, Internet Explorer, and Java.

For users that downloaded the update, the executable turns out to be a variant of the Security Tool scareware. Once executed, it displays exaggerated pop-ups reporting a number of vulnerabilities and threats "found" to scare users, Vashishtha said. In this way, users are scammed into buying a "full version" of the Security Tool to fix these problems.

Windows PCs that are up-to-date with all the latest security updates are generally immune from the exploit kit, according to the Symantec post. If the PC is not up-to-date, then the attack succeeds.

"Many attackers don't bother with the latest vulnerabilities," said Chris Larsen, a security researcher with Blue Coat Systems. Because there is such a significant number of users who decide not to download the latest version of the software, or think they will "do it later" and never get around to it, attackers know they will be able to hit a large number of targets using old exploits, he said.

The fake security alerts use the same strategy the fake antivirus scammers use to display sham alerts when accessing a page. Security researchers have identified millions of YouTube pages and image search results that point to fake antivirus sites. In fact, Google reported recently that fake antivirus security programs account for 15 percent of all the malware the search engine sees on the Web.

Products such as NortonSafeWeb can verify links to determine whether they are safe before clicking on them, said Vashishtha.

Users should download and regularly patch their operating system and software with the latest security updates, Larsen said. As the latest attacks show, security updates should only downloaded from software vendors' official Web sites, not the sites found on alert pages.