Thousands of hacked websites are infecting visitors with malware

“Thousands of hacked websites have become unwitting participants in an advanced scheme that uses fake update notifications to install banking malware and remote access trojans on visitors’ computers, a computer researcher said Tuesday,” Dan Goodin reports for Ars Technica. “The campaign, which has been running for at least four months, is able to compromise websites running a variety of content management systems, including WordPress, Joomla, and SquareSpace.”

“That’s according to a blog post by Jérôme Segura, lead malware intelligence analyst at Malwarebytes,” Goodin reports. “The hackers, he wrote, cause the sites to display authentic-appearing messages to a narrowly targeted number of visitors that, depending on the browsers they’re using, instruct them to install updates for Firefox, Chrome, or Flash.”

“To escape detection, the attackers fingerprint potential targets to ensure, among other things, that the fake update notifications are served to a single IP address no more than once. Another testament to the attackers’ resourcefulness: the update templates are hosted on hacked websites, while the carefully selected targets who fall for the scam download a malicious JavaScript file from DropBox,” Goodin reports. “The JavaScript further checks potential marks for virtual machines and sandboxes before delivering its final payload. The resulting executable file is signed by an operating-system-trusted digital certificate that further gives the fake notifications the appearance of legitimacy.”

Read more in the full article here.

MacDailyNews Note: Based on the Malwarebytes screenshots, this seems to affect only Windows at this time, we think. Neither article stipulates which platforms are affected.

6 Comments

  1. Is there a way malware can be installed by simply selecting a link on hacked website? It relates to my understanding that users are generally safe if one doesn’t permit/affirm/consent to a download. But can a link be designed to covertly/deceptively be the step of permission needed, without being “named” as a download?

    1. Yes, if the appropriate exploit is being used. Such exploits are showcased at the Pwn2Own contest where one of the winning scenarios (if no one is able to hack the machine directly) is to have the contest organizers simply visit a website you’ve designed, without interacting with the site.

      1. If true, why isn’t this means prevalent in the wild? It would seem the deceiver could hijack a link on a public site (not theirs) that would enable an upload, or bring the visitor to their site with greater malevolent options?
        In either of these cases, it seems there’s no prevention practice for security?

  2. Not only Windows. A couple of days ago one person in my family asked me what to do with this Flash “Update” they downloaded, but macOS popped up a dialog asking if they really wanted to install it. Upon inspection it was a fake Flash update with a malware payload. Looked *very* real and convincing. The icon for the installer app was even nicer than the crappy real Adobe Flash one.
