Exploit kit targets Chrome users with fake update


By Dave Michmerhuizen – Research Scientist, Luis Chapetti – Security Researcher

Exploit kits are pre-packaged sets of malicious code that scammers install on websites.  The scammers try to steer visitors to the URL of the exploit kit so that their code can attack your web browser and ultimately install malware on your computer. Exploit kit URLs are often distributed via spammed messages with enticing HTML links in them.

The most frightening thing about these kits is that a click on one of these links can cause malware to be downloaded and run without any indication that anything is happening.

But sometimes the target computer isn't easy to attack, and the scammers have to fall back on their social engineering skills to get what they want. We recently saw this at Barracuda Labs when we followed a spam link to an exploit kit that behaved quite differently than usual when it detected the Google Chrome browser.

The spam itself was pretty mundane – a fake security warning from American Express.


These are a favorite of spammers and should always be considered suspicious.  In this case all of the links point to a hacked website hosting a Blackhole exploit kit.  Following the link with Internet Explorer gave us a typical chain of events: malicious JavaScript set up a PDF exploit, resulting in a Zeus download.

But when we followed the same link with the Google Chrome browser, the kit shifted gears.  Since Chrome uses its own internal PDF engine that is not as vulnerable, a different attack was presented in the form of a fake Chrome update page.


The page is very nicely done, and if you take the detour away from your investigation of your American Express account problems (remember that spam?) and run the update you will be downloading and running the Zeus password stealer yourself, which is exactly what the spammer wants.  All they needed to do was to wrap up a nice “pretty please” in some convincing Chrome graphics.

Every stage of this attack presented warning signs, provided you were taking the time to look for them.  The initial spam email did not link to American Express.  The Chrome update page did not link to a google.com property.  Even the Windows execution warning dialog stated that the installer came from an Unknown Publisher. The bottom line here? Slow down and examine emails with a very skeptical eye. Spam is more than just annoying stock tips and viagra offers. Spam is the single largest conduit for threats to your enterprise.
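The first two warning signs above (links that do not go to the brand the message claims to be from) can be checked mechanically before a user ever clicks. The script below is an added example, not Barracuda's code or anything from the kit: it extracts every anchor from an HTML email and flags links whose host is not on a per-brand allow-list. The brand-to-domain table and the sample email are constructed for illustration; a real deployment would maintain its own list.

```python
"""Flag links in an HTML email that do not point at the brand the message
claims to be from. Added example for this article; not Barracuda's code.
The BRAND_DOMAINS table and SAMPLE_EMAIL below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: legitimate hosts for each brand a lure may imitate.
BRAND_DOMAINS = {
    "american express": {"americanexpress.com", "aexp.com"},
    "google chrome": {"google.com"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, domains):
    """True only if host is one of the allowed domains or a subdomain of one.
    A plain substring test would accept look-alikes such as
    evil-americanexpress.com, so the check anchors on a dot boundary."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(html, claimed_brand):
    """Return the http(s) links whose host is not owned by the claimed brand."""
    parser = LinkExtractor()
    parser.feed(html)
    allowed = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    flagged = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel:, etc. are out of scope for this check
        host = parsed.hostname or ""
        if not host_matches(host, allowed):
            flagged.append({"href": href, "text": text, "host": host})
    return flagged


# Constructed lure in the style described in the article: the visible text
# names the brand, but two of the three links go to an unrelated host.
SAMPLE_EMAIL = """
<html><body>
<p>Security alert on your American Express account.</p>
<p><a href="http://example-hacked.test/secure/index.php">Log in to verify</a></p>
<p><a href="http://example-hacked.test/secure/index.php">www.americanexpress.com</a></p>
<p><a href="https://www.americanexpress.com/privacy">Privacy statement</a></p>
<p><a href="mailto:alerts@example-hacked.test">Contact us</a></p>
</body></html>
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL, "American Express"):
        print(f"SUSPICIOUS: '{link['text']}' -> {link['host']}")
```

In practice this runs as a mail-gateway or mailbox-side filter: the claimed brand comes from the From display name or subject, and any flagged message is quarantined or annotated rather than delivered with live links.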

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.
