(Image credit: Proofpoint)
The hacked websites are also injected with malicious code that checks whether the user should be infected. If the user meets certain requirements, such as a targeted country and the correct user agent (e.g. Chrome on Windows), a script makes the website unreadable. The script also shows a popup stating that the font ‘HoeflerText’ wasn’t found and that the ‘Chrome Font Pack’ has to be updated.
When the user clicks the update button, the file Chrome_Font.exe is downloaded. If the user opens the file, malware is installed that automatically starts browsing the web in a background process. This is used for advertising fraud: the cybercriminals behind the malware are paid for the false clicks and impressions.
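For defenders, the download described above leaves a trace in web proxy logs, and the Referer on that request points at the compromised site that showed the popup. The following is an added example, not code from Proofpoint or the original article; the log format, hosts and log lines are constructed for illustration, and only the filename and the Chrome-on-Windows condition come from the text.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic). Assumed format:
# client "METHOD URL" status "referer" "user-agent"
SAMPLE_LOG = '''\
10.0.0.21 "GET http://cdn.example.net/dl/Chrome_Font.exe" 200 "http://blog.example.org/post" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
10.0.0.22 "GET http://files.example.com/tools/setup.exe" 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
10.0.0.23 "GET http://cdn.example.net/dl/chrome_font.EXE?id=7" 200 "http://shop.example.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
10.0.0.24 "GET http://fonts.example.com/HoeflerText.woff" 200 "http://blog.example.org/post" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
'''

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)" "([^"]*)"$')


def is_chrome_on_windows(ua):
    """Match the user agent the lure targets; Edge and Opera also send 'Chrome/'."""
    return ("Windows NT" in ua and "Chrome/" in ua
            and not re.search(r"Edge/|Edg/|OPR/", ua))


def find_font_lure_downloads(log_text):
    """Return successful Chrome_Font.exe downloads made by Chrome on Windows."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, _method, url, status, referer, ua = m.groups()
        # Compare only the last path segment, ignoring case and query string.
        filename = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        if filename == "chrome_font.exe" and status == "200" and is_chrome_on_windows(ua):
            # The referer is the page that displayed the fake font popup.
            hits.append({"client": client, "url": url, "lure_page": referer})
    return hits


if __name__ == "__main__":
    for hit in find_font_lure_downloads(SAMPLE_LOG):
        print(hit)
```

An exact filename match only catches the variant described here, so treat a hit as a lead for checking the client and the referring site rather than as complete coverage.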
Cybercriminals are resorting to new ways of infecting internet users because it is becoming harder and harder to infect them using exploit kits that abuse known unpatched vulnerabilities, according to security company Proofpoint. They therefore use social engineering, in which users are tricked into downloading and installing the malware themselves.
“As with other threats, actors are exploiting the human factor and are tricking users into loading the malware themselves,” Proofpoint writes.