Friday, 24 February 2017

Chrome hack relies on 'missing fonts' to font your Windows PC into next week

HEY CHROME USERS, if anything prompts you to download a missing font, grab a hammer and start smashing something.

It's best not to hit your computer, despite the message and despite the fact that its source is some bedroom bastard and the font is actually malware.

There are some clues. The font you are missing is called 'Hoefler Text', so if you thought about it you would probably realise that you can live without it. But under some circumstances, for example, after a prompt interrupts your plans to read something on Chrome, we can see how some people might be encouraged to try and download it.

Don't just trust us though, trust the security blog that raised the alarm. Mahmoud Al-Qudsi from cybersecurity firm NeoSmart Technologies went through the process of installing the Hoefler crap, after coming across it on a compromised WordPress site, and found that it was pretty convincing but ultimately very cruddy.

"This attack gets a lot of things right that many others fail at. The premise is actually believable: the text doesn't render, and it says that is caused by a missing font (HoeflerText, which is a real font, by the way!), which it then prompts you to download and install," he said.

"The usage of a clean, well-formatted dialog to present the message with the correct Chrome logo - and, more importantly, - the correct shade of blue for the update button. The shape of the update button seems correct, and the spelling and grammar are definitely good enough to get a pass."

So he went with it, finding that ultimately he got an executable and some nudges in the direction of a download. It's all pretty bleak, like most of this stuff, and ultimately if you were to fall victim, you would regret ever hearing of the Hoefler thing.

"Clicking 'Update' (merely out of curiosity!) results in a file 'Chrome Font v7.5.1.exe' to be downloaded, and the webpage morphs to 'helpfully' encourage the user to run the virus," added our trepid explorer.

"The file in question is not caught by Windows Defender or Chrome as being malicious. An upload to VirusTotal reveals it as never-before-seen, with only 9 out of the 59 antivirus scanners in its database correctly identifying the file as malware." µ
