Fake browser updates infect systems with bank malware

News by Rene Millman

Researchers have discovered a malicious campaign injecting scripts that push fake browser updates onto site visitors.

According to a blog post by researchers at Sucuri, there have been several recent waves of this malicious campaign, with hackers injecting either links to an external script or the whole script code into the hacked web pages.

Victims of the campaign see a message box that says it’s an "Update Center" for their browser type. The campaign has messages for Chrome, Internet Explorer and Edge browsers.

The message suggests that users download and install the update in order to avoid "Loss of personal and stored data, confidential information leaks, and browser errors". The download link points to .exe and .zip files hosted on a compromised third-party site.

The injected external script contains an obfuscated script that creates the fake browser update overlay window, together with the download link to the fake update file.

Researchers said that at some point, instead of links to external scripts, hackers injected the complete malicious JavaScript code at the bottom of the infected web pages.

"The injected code is quite massive (90+ Kb). To hide it, hackers add 70+ empty lines in hopes that the webmaster will stop browsing the code after seeing an empty screen," said researchers. Around 117 sites have been detected with this kind of malware.

Researchers said that attackers later switched to injecting external links, probably to make the injected code less prominent.

They added that while most of the infected websites are powered by WordPress, they have also seen many hacked sites running other CMSs (e.g. DataLife Engine) or no CMS at all.

"In the case of WordPress, hackers inject the malicious scripts at the bottom of footer.php files of the active theme," they said.

Researchers said that while the first type of infection (the injected scripts) can be detected by external scanners, the second one (the malicious downloads) can't be easily detected without access to the server.
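As an added illustration, not code from the Sucuri report or from SC Media, the following Python script turns the indicators described above into a server-side check on a WordPress theme's footer.php: a long run of empty lines used as padding, an oversized inline script block, and script links to hosts the site owner does not recognise. The sample file contents, the host names and the theme directory path are constructed for the example; the 70-line and 90 KB thresholds are the figures quoted in the article.

```python
import pathlib
import re

BLANK_RUN_THRESHOLD = 70          # article: 70+ empty lines added as padding
LARGE_INLINE_BYTES = 90 * 1024    # article: injected inline code of 90+ KB
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']?([^"\'\s>]+)', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)


def scan_footer(text: str, trusted_hosts=("example-site.test",)) -> list:
    """Return a list of finding strings for one theme file (e.g. footer.php)."""
    findings = []
    # 1. Long runs of blank lines: padding meant to push code below the fold.
    longest_run, run = 0, 0
    for line in text.splitlines():
        run = run + 1 if line.strip() == "" else 0
        longest_run = max(longest_run, run)
    if longest_run >= BLANK_RUN_THRESHOLD:
        findings.append(f"blank-line padding: {longest_run} consecutive empty lines")
    # 2. Unusually large inline <script> bodies (the 90+ KB injection).
    for body in INLINE_SCRIPT_RE.findall(text):
        size = len(body.encode())
        if size >= LARGE_INLINE_BYTES:
            findings.append(f"large inline script: {size} bytes")
    # 3. External script links to hosts not on the site owner's allowlist.
    for src in SCRIPT_SRC_RE.findall(text):
        m = re.match(r'(?:https?:)?//([^/]+)', src)
        if m and m.group(1).lower() not in trusted_hosts:
            findings.append(f"external script from untrusted host: {m.group(1)}")
    return findings


def scan_theme_dir(theme_dir: str) -> dict:
    """Scan every .php/.js file under a theme directory (hypothetical path)."""
    results = {}
    for path in pathlib.Path(theme_dir).rglob("*"):
        if path.suffix in (".php", ".js"):
            hits = scan_footer(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample inputs: a clean footer and the same footer with an injection
# of the shape described in the article appended at the bottom.
CLEAN_FOOTER = ('<footer>...</footer>\n'
                '<script src="//example-site.test/js/theme.js"></script>\n'
                '</body></html>\n')
INJECTED_FOOTER = (CLEAN_FOOTER + "\n" * 75
                   + "<script>" + "var _0x=1;" * 10000 + "</script>\n"
                   + '<script src="//attacker-host.example/update.js"></script>\n')
```

Running `scan_theme_dir("/var/www/html/wp-content/themes/active-theme")` (a hypothetical path) applies the same checks to every file of the active theme.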

"Blacklists of various antiviruses can be helpful in such cases – client-side antivirus software sees where the malicious downloads originate from," said researchers.

Naaman Hart, cloud services security architect at Digital Guardian, told SC Media UK that organisations should limit the administrative capabilities of their staff to install software. 

"This will ultimately protect from the install of malicious updates. Using internal software stores and training staff to go there to retrieve software and updates will ensure that when these popups occur they're seen as strange and therefore cause alarm and questioning," he said.

Thomas Owen, head of Security at Memset, told SC Media UK that anti-virus might be unfashionable, but it's an incredibly cost-effective way of protecting your business from low-hanging attacks like this.

"Many AV clients have a web-browsing protection model that prompts and blocks before known, bad sites are visited. This also automatically scans downloaded files before they are allowed to execute. In terms of response, having good, centrally managed anti-malware controls (ESET) help to alert and contain the problem, and reliable backups mean that restoration and recovery is a breeze," he said.
