Malware Delivered Via Fake Browser Updates Are Back and are More Sophisticated Than Ever



Leveraging vulnerable website content management platforms, these attacks seek to trick users into installing malware under the guise that their web browser is out-of-date.

We all know that eventually your web browser will need to be updated. So, it’s not so out-of-the-ordinary for users to be notified that a newer version is available. Generally, this kind of notification utilizes the operating system’s normal update mechanisms. But, less savvy users may not be educated on how updates work, making this attack possible.

In essence, the user navigates to a site running on an older version of a content management system (CMS) such as WordPress, Drupal, etc. The “older” is an important caveat here, as these sites are more vulnerable to being compromised and leveraged by attackers.

The sophistication in this campaign is amazing! The initial malicious webpage performs a ton of browser validation and then transparently navigates the victim’s browser to a malicious page that, in turn, redirects them to a browser update that looks like the one below:

 

Picture2

 

Looks pretty legitimate to the untrained eye.

In addition, evasive techniques have also been seen to avoid detection by virtual sandbox technologies designed to spot these kinds of malicious webpages.

Users should be taught to ignore update notifications coming through their web browser, as this is only one of many attacks attempting to accomplish the same task. Users undergoing continual Security Awareness Training should already be aware of this tactic, and are savvy enough to both spot the potentially-malicious content and to avoid interacting with it.


Request A Quote: Security Awareness Training

products-KB4SAT6-2-1New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your quote for KnowBe4's security awareness training and simulated phishing platform and find out how affordable this is!

Get A Quote Now

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/kmsat-security-awareness-training-quote



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews