A new campaign initiated by cyber-criminals is claiming victims among unwary computer users who land on the wrong website. The new approach is yet another take on the multi-faceted rogue antivirus business, and it tries to lure web surfers into installing malware on their computers.
It all starts with the user getting redirected to a specially crafted page that strikingly resembles the security warnings implemented in the Mozilla Firefox® and Google Chrome™ browsers to notify users when they are about to visit malicious content. The similarity to the genuine warning page is striking, the only difference between the two being that a Download Updates button pops out of the fake page. Right after the user has landed on the page, a JavaScript redirect will trigger the download of an infected file, named either ff_secure_upd.exe or chrome_secure_upd.exe, depending on the browser the fake page has been designed for.
The page tailored for Firefox® users
The so-called “security update” is actually a fake antivirus, detected by BitDefender as Gen:Variant.Kaze. The websites identified as being part of this scheme have suggestive names built around keywords such as Firefox, update and news, and they are registered with free domain name providers. A quick IP check revealed that these websites are hosted in Canada.
The page tailored for Google Chrome™ users
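As an added example (not part of the original article and not BitDefender's own tooling), the indicators described above can be turned into a simple web-proxy log check. The log format, the vendor-domain allowlist and the two-keyword threshold are assumptions, and the sample log lines are constructed.

```python
from urllib.parse import urlsplit

# File names the article reports for the fake "security update".
CAMPAIGN_FILES = {"ff_secure_upd.exe", "chrome_secure_upd.exe"}
# Keywords the article says the lure domain names are built around.
LURE_KEYWORDS = ("firefox", "update", "news")
# Assumption: genuine browser installers are served from these vendor domains.
VENDOR_DOMAINS = ("mozilla.org", "mozilla.net", "google.com")

def is_vendor(host):
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def classify(url):
    """Return the reasons a requested URL matches the campaign description."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if filename in CAMPAIGN_FILES:
        reasons.append("campaign-filename")
    # Heuristic: an executable served by a non-vendor host whose name
    # combines at least two of the lure keywords.
    if filename.endswith(".exe") and not is_vendor(host):
        hits = [k for k in LURE_KEYWORDS if k in host]
        if len(hits) >= 2:
            reasons.append("lure-host:" + "+".join(hits))
    return reasons

def scan(lines):
    """Return findings from 'time client method url status' lines (assumed format)."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        reasons = classify(fields[3])
        if reasons:
            findings.append((fields[1], fields[3], reasons))
    return findings

# Constructed sample log; lure hosts use the reserved .example TLD.
SAMPLE_LOG = [
    "T1 10.0.0.5 GET http://firefox-update-news.example/ff_secure_upd.exe 200",
    "T2 10.0.0.6 GET http://download.mozilla.org/firefox-setup.exe 200",
    "T3 10.0.0.7 GET http://cdn.example/files/chrome_secure_upd.exe 200",
    "T4 10.0.0.8 GET http://update-news.example/Setup.EXE?id=1 200",
    "garbage line",
]

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

The file-name match is the high-confidence signal; the host-keyword heuristic is broader and is best used to queue requests for review rather than to block outright.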
BitDefender customers have been protected since the beginning of this campaign. If you are not using a BitDefender security product and you’d like to know whether your system has been compromised or not, you might want to run a 60-second quick scan available here.
Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.