Fake Browser Update Site Installs Malware

In the first week of 2014, we came across a website using tried and tested social engineering techniques to coerce victims into installing malware. The domain http://newyear[REMOVED]fix.com, was registered on December 30, 2013. Based on our research, 94 percent of  attacks appear to be targeting users based in the United Kingdom through  advertising networks and free movie streaming and media sites.

The attackers attempt to trick victims using the following techniques:

  • A URL containing the words “new year” and “fix”
  • A professional looking template (from Google, Microsoft or Mozilla) telling the victim that a critical update is necessary for their system to function properly
  • Redirecting the user, based on their browser type, to a fake but convincing Chrome, Firefox, or Internet Explorer Web page.
  • Using a JavaScript loop to force the victim to give up and stay on site – users have to click on the “Yes/No” option 100 times in order to close the browser.

This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down.

The website, which is hosted in the Ukraine, uses a dual hybrid Web server setup by Apache and Nginx, with the latter identifying the victim’s browser and performing a redirect.

The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates, shown in Figures 1 to 3, based on the type of browser they are using.

Fake Browser Update 1.png

Figure 1. Page displayed to Chrome users

Fake Browser Update 2.png

Figure 2. Page displayed to Firefox users

Fake Browser Update 3.png

Figure 3. Page displayed to Internet Explorer users

Fake Browser Update 4.png

Figure 4. JavaScript loop button which requires 100 clicks to close

At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe.

Both of these samples are detected by Symantec as Trojan.Shylock. Symantec also has the following IPS coverage in place for this attack:

Web Attack: Fake Software Update Website

To stay protected against this type of threat, Symantec recommends that users:

  • Keep antivirus definitions, operating systems, and software up-to-date.
  • Exercise caution when clicking on enticing links sent through emails, messaging services, or on social networks.
  • Only download files from trusted and legitimate sources.