Chrome malware masquerades as 'missing font' files

New hack tricks users into downloading missing fonts loaded with malicious files

A security researcher has discovered a new hacking tactic on Google Chrome that manipulates websites into displaying missing font prompts, which then trick users into downloading malicious files.

The infection was first spotted on an unnamed WordPress website by Mahmoud Al-Qudsi, a researcher at cybersecurity firm NeoSmart Technologies, who detailed the process in a blog post.

Advertisement - Article continues below

The attack involves a hacker exploiting JavaScript to alter the rendering of content on a webpage, causing it to resemble mis-encoded text which appears as a jumble of symbols and shapes. The code then prompts the user to download the missing fonts through a Chrome language pack to decipher the text.

Clicking "Update" results in a file called "Chrome Font v7.5.1.exe" being downloaded and a second prompt encourages the user to run the file, all the while appearing as a perfectly safe Chrome download.

The attack is particularly well disguised and makes every attempt to appear a legitimate Chrome pop up, including the correct text formatting and right use of colours for the "Update" button.

"This attack gets a lot of things right that many others fail at," said Al-Qudsi. "The premise is actually believable: the text doesn't render, and it says that it is caused by a missing font (Hoefler Text, which is a real font), which it then prompts you to download and install."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"The shape of the update button seems correct, and the spelling and grammar are definitely good enough to get a pass."

Al-Qudsi does identify some tell-tale signs that the prompt is not all as it seems. A savvy user will know what version of Chrome they are running, in this case version 56, however the prompt has version 53 hard-coded into its dialogue. It also features a rather conspicuous 'X' in the top right corner, which gives the game away, according to Al-Qudsi. 

However once the file is downloaded, the quality of the scam "takes a nosedive", with text appearing blurry on prompts, and inconsistent file names for the downloaded material.

Although Chrome will notify the user with a "this file isn't downloaded very often" warning, it will not catch the download as a malicious file. It also slips by Windows Defender, and a check of virus scanning database VirusTotal reveals that only nine of 59 recorded antivirus scanners are able to correctly identify the file as malware.

Al-Qudsi has forwarded the discovery on to Google's security team, but pending an update patch, Chrome still fails to identify the file as malware. The firm advises users to be extra vigilant against these types of download prompts.

Pictures courtesy of NeoSmart

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/network-internet/web-browser/356389/how-to-take-a-screenshot-in-chrome
web browser

How to take a screenshot in Chrome

8 Jul 2020
Visit/network-internet/web-browser/356333/why-im-leading-a-browser-double-life
web browser

Why I’m leading a browser double life

8 Jul 2020
Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/network-internet/web-browser/356359/google-chrome-86-update-could-add-28-to-your-battery-life
web browser

Google Chrome 86 update could add 28% to your battery life

6 Jul 2020

Most Popular

Visit/business-strategy/careers-training/356422/ibm-job-ad-calls-for-12-year-experience-with-6-year-old
Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020
Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/security/cyber-attacks/356417/trump-confirms-cyber-attacks-on-russia-election-trolls
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020