Heads up, Google Chrome users. There’s a new social engineering attack that has you in its sights. Its goal: to trick you into installing malicious software by convincing you that your Chrome installation is missing a vital component.
This isn’t a new tactic by any means. Cybercriminals often use social engineering attacks to trick users into installing bogus updates for things like the Adobe Flash plug-in, Java, and video codecs. In this particular case, it’s a font that you’re supposed to believe you need to patch.
The attack spawns an alert when you visit a compromised web page. It claims that the “HoeflerText font was not found” in your Google Chrome instance and displays version numbers that make it appear as though Chrome is somehow out of date. Fall for the ruse, and a “font installer” begins to download. That file is actually a “dropper,” and researchers have seen it delivering the highly sophisticated Spora ransomware.
Why Does The Attack Mention Hoefler Text?
It’s to make the attack believable. Hoefler Text is, in fact, a real font. It’s just not one that has a heck of a lot to do with Google Chrome.
Hoefler Text does appear three times in the Chromium source code upon which Google Chrome is based. It’s specified as a font family in third-party code that belongs to the open-source WebKit browser engine. The font itself doesn’t actually ship with Chrome, though. It is, however, one of the default fonts that Apple includes with OS X.
Anti-malware Software Might Not Protect You — But Chrome Will
According to some reports, only a very small number of anti-malware apps are detecting this particular attack right now. Fortunately, the defenses Google has built into Chrome should be enough to keep you safe.
When the download begins, Chrome will display a warning that the file “is not commonly downloaded” and note that it “may be dangerous.” If you follow Google’s advice and click the “discard” button Chrome displays, you won’t have to worry about recovering from a ransomware attack.
Source: SANS ISC SecNewsFeed @ February 22, 2017 at 09:51AM