A security researcher has discovered a new Google Chrome scam that infects victims’ computers with malware. In contrast to many malware-downloading scams, the new Google Chrome scam is highly convincing and is certain to result in many malware infections.

Hackers have installed malicious JavaScript on a number of compromised WordPress websites. The JavaScript modifies the text on a compromised webpage when it is visited using the Google Chrome browser. The text on the website appears as if Google Chrome cannot read the font, with the characters on the site replaced with random fonts and symbols.

A popup appears on screen informing the visitor that “the “HoeflerText” font wasn’t found” by Google Chrome. The visitor is told that the webpage they are trying to view cannot be displayed correctly as a result. Visitors are prompted to update their Chrome browser to include the new font by downloading a “Chrome Font Pack.”

The Google Chrome scam is convincing. The popup uses the Chrome logo and looks official, with colors and branding that Google would use on its popup windows. The shading used for the “Update” button on the popup window is also accurately reproduced.

Furthermore, HoeflerText is a true font. If the user opens a new tab on their browser and Google’s the font, they will discover the font is real, making the Google Chrome scam seem entirely plausible.

Clicking the update button will trigger a download of the update file – ChromeFontv7.5.1.exe – which is an executable containing the malware. While attempting to run the executable would normally result in an anti-virus warning being displayed, relatively few anti-virus products are detecting the ChromeFontv7.5.1.exe file as malicious. VirusTotal shows that just 9 out of 59 AV products identify the file as malicious.

The Google Chrome scam was uncovered by NeoSmart Technologies researcher Mahmoud Al-Qudsi. He reports that while the Google Chrome scam is highly convincing, there are two signs that the update is not real. First, regardless of the version of Chrome used, the popup says the user has Chrome version 53. The second sign of the scam is the popup says the update file is called Chrome_Font.exe, yet the file that is downloaded has a different name. These two slipups by the criminals behind the campaign are only slight and would unlikely be noticed by many users.

WebTitan Protects Users from the Latest Google Chrome Scam

The malware is identified as malicious by ClamAV and Kaspersky Lab, the dual anti-virus engines used by WebTitan to protect users from malware infections while browsing the Internet. If WebTitan is installed, this and other malware threats are blocked, preventing end users from inadvertently infecting their computer with malware.

If you have yet to implement a web filtering solution, your computers and networks are likely to be at risk of being infected. Malware and ransomware infections are costly to resolve, cause considerable disruption to business processes, and can result in the theft of intellectual property, customer data, and login credentials. The latter can be used to gain access to corporate bank accounts, allowing funds to be transferred to criminals’ accounts.

Since visiting malicious websites can result in malware being silently downloaded without any user interaction, employees may be unaware that their computers have been infected. Malware infections may go undetected for long periods of time, during which large volumes of sensitive data can be stolen.

A web filtering solution will prevent employees from visiting malicious websites that phish for sensitive information or download malware. Furthermore, a web filtering solution is inexpensive to implement and maintain.

To discover the benefits of web filtering and to find out more about WebTitan, contact the TitanHQ team today.  WebTitan is also available on a 14-day, no obligation free trial allowing you to discover the benefits of the full product before deciding to proceed with a purchase.