The group behind the campaign starts the attack by injecting a malicious script into a compromised webpage. The page must be served over an insecure connection for the technique to work. The script rewrites the page's text so that it appears as unreadable garbage, then displays a popup claiming that the “HoeflerText” font couldn’t be found on the computer and offering a “font pack” to fix it.
The attack is simple but potentially very effective. Less technically savvy users have little reason to question the prompt: many will connect the garbled page to the claim of a missing font and assume the message is genuine.
In practice, clicking the download button installs the ad-fraud malware Fleercivet, which generates fake clicks on online advertisements to earn revenue for the attackers. Later versions of the campaign deliver a different payload.
Security researcher Mahmoud Al-Qudsi came across the campaign while investigating a compromised website running the WordPress content management system. Al-Qudsi noted that the malware author is several steps ahead of most, since the “font wasn’t found” dialog has been carefully designed: unlike most fake browser popups, it could pass for a built-in Chrome component.
There are, however, several signs that all is not as it seems. The dialog always refers to Chrome 53, regardless of the version actually installed; the downloaded file’s name and version don’t match those stated in the prompt; and the screenshots showing how to run the file are oddly blurred.
Telling as they are, these flaws are unlikely to be noticed by less experienced web users. Given the prompt’s surface polish, it alone could be enough to convince many people to press the “Update” button.
Alarmingly, the file currently being downloaded is not flagged as malicious by Google Chrome or Windows Defender. According to Al-Qudsi, only nine of the 59 antivirus engines tested detected it correctly. It has since been reported directly to Google and added to Chrome’s Safe Browsing blacklist.
The attack shows how malware is continually evolving to create scenarios that many PC users will find believable. It’s worth remembering that a web browser will never display a full-screen overlay because a font cannot be found, and it will never ask you to download and run an executable to obtain one, even if the text on the page happens to be unreadable.
Web fonts are declared in a page’s CSS and downloaded by the browser from the site’s server (or a font CDN). If a font cannot be loaded, the browser silently falls back to the next family listed in the page’s font-family declaration, and if none of those is available it renders the page in the default system font. At no point does it visibly warn the user that the first-choice typeface is missing.
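To make the fallback behaviour concrete, here is an added example (not code from the article or from Al-Qudsi’s research) that models how a browser resolves a CSS font-family stack: it parses the declaration and walks the list until it finds an available family, a generic family, or the system default. The "installed" font list, the generic-family defaults and the system default font are constructed inputs for the example; the point is that every path returns a usable font and none of them raises an error or shows any UI. The last function shows the real browser-side equivalent, the CSS Font Loading API, which likewise just answers true or false.

```javascript
// Added example: a small model of CSS font-family resolution. Nothing here
// ever throws or prompts; a missing first choice simply falls through.

const GENERIC_FAMILIES = new Set([
  "serif", "sans-serif", "monospace", "cursive", "fantasy", "system-ui",
]);

// Parse the value of a CSS `font-family` declaration into an ordered list of
// family names. Handles quoted names (single or double quotes, with backslash
// escapes) and unquoted names, which may contain spaces.
function parseFontFamily(value) {
  const families = [];
  const n = value.length;
  let i = 0;
  while (i < n) {
    while (i < n && /\s/.test(value[i])) i++;       // skip leading whitespace
    if (i >= n) break;
    let name = "";
    const quote = value[i];
    if (quote === '"' || quote === "'") {
      i++;                                           // opening quote
      while (i < n && value[i] !== quote) {
        if (value[i] === "\\" && i + 1 < n) i++;    // backslash-escaped char
        name += value[i++];
      }
      i++;                                           // closing quote
    } else {
      while (i < n && value[i] !== ",") name += value[i++];
      name = name.trim().replace(/\s+/g, " ");       // collapse inner spaces
    }
    while (i < n && value[i] !== ",") i++;           // skip to the separator
    i++;                                             // skip the comma
    if (name !== "") families.push(name);
  }
  return families;
}

// Resolve a font stack the way a browser does: the first available family
// wins; a generic family maps to the platform default for that category; if
// nothing matches, the system default font is used. `installed`,
// `genericDefaults` and `systemDefault` are assumed inputs for the example.
function resolveFontStack(value, installed, genericDefaults, systemDefault) {
  const have = new Set(installed.map((f) => f.toLowerCase()));
  const skipped = [];                                // families silently passed over
  for (const family of parseFontFamily(value)) {
    const key = family.toLowerCase();
    if (GENERIC_FAMILIES.has(key)) {
      return { font: genericDefaults[key] || systemDefault, skipped };
    }
    if (have.has(key)) return { font: family, skipped };
    skipped.push(family);
  }
  return { font: systemDefault, skipped };
}

// In a real browser the same question is answered by the CSS Font Loading
// API, which returns a boolean rather than showing any prompt. Returns null
// outside a browser so the function is safe to call from Node.
function fontAvailableInBrowser(family) {
  if (typeof document === "undefined" || !document.fonts) return null;
  return document.fonts.check(`16px "${family}"`);
}

// Constructed sample: the scam's "missing" font at the head of the stack.
const SAMPLE_STACK = '"HoeflerText", \'Times New Roman\', Georgia, serif';
const SAMPLE_INSTALLED = ["Georgia", "Arial"];
const SAMPLE_GENERICS = { serif: "Times New Roman", "sans-serif": "Arial" };
const SAMPLE_SYSTEM_DEFAULT = "Segoe UI";

console.log(resolveFontStack(SAMPLE_STACK, SAMPLE_INSTALLED,
                             SAMPLE_GENERICS, SAMPLE_SYSTEM_DEFAULT));
```

Run it with Node and the stack resolves to Georgia, with HoeflerText and Times New Roman recorded as skipped and nothing else happening; drop every family from the installed list and it resolves to the generic serif default, then to the system default. That quiet fall-through is exactly what a genuine browser does, and it is why any "font wasn't found" dialog that asks for a download is a red flag.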