Oct 5, 2010 15:39 GMT

Malware distributors have started abusing the security alerts displayed by browsers when encountering malicious websites in order to trick users into downloading and installing fake AV programs.

Browsers like Chrome and Firefox, as well as Google's Web search engine, use the Google Safe Browsing API to check if opened websites are malicious.

The Google Safe Browsing service uses blacklists maintained by the search giant, which aggregates information from various sources.

When encountering a malicious resource, the browsers display their own customized alert, giving users the option to close the page or ignore the warning and continue.

According to security researchers from Symantec, attackers have fake versions for each of the browser warning pages.

They even have one for Internet Explorer, even though Microsoft's browser doesn't use the Google Safe Browsing API.

The rogue warning pages have "Download Updates!" buttons and display JavaScript alerts that try to trick visitors into believing that a security update is required for their browser.

The update is actually a variant of a fake AV program called Security Tool, which tries to scare people into buying a license key by displaying fake security warnings.

And that's not all. If the user realizes the danger and hits cancel, they are redirected to a drive-by download page that uses the Phoenix exploit toolkit to silently install the scareware on their computers.

"These exploit kits are used to deliver malware after exploiting a vulnerability, mostly those affecting Web browsers," explains Parveen Vashishtha, malware analyst at Symantec.

"If users don’t somehow fall victim to this latest browser update trick, then the attackers have the fall back of delivering misleading applications through these exploit kits," he adds.

This attack stands testament to the ingenuity of scareware distributors, who always find new ways to trick users or stay on top of the competition.

Back in July, we reported on a scareware distribution campaign that used a fake Firefox "What's New" page, the site normally displayed by the browser after a successful update.
