FakeAV served as Mozilla-recommended Flash Player update

Jul 28, 2010 16:07 GMT

It looks like Mozilla's efforts to encourage users to update Flash Player have turned against them for the first time. Security researchers warn that a new scareware distribution campaign is using a fake copy of the "Firefox Updated" page to trick users into installing a rogue antivirus program.

Since Firefox 3.5.3, Mozilla also checks if Flash Player is up to date when the browser is upgraded. If an old version of the plug-in is detected, a warning message encouraging users to install the latest variant is displayed on the "whatsnew" page. This is the page that automatically opens on first run after a successful Firefox update.

Over 98% of computers in the world are estimated to have Flash Player installed, and because of this the application is amongst the most targeted pieces of software. Mozilla took the decision to perform the Flash Player check because a lot of Firefox users failed to update the plug-in and exposed themselves to drive-by-download attacks.

According to F-Secure, scammers are now looking to capitalize on the trust users instinctively place in Mozilla by creating rogue copies of the "whatsnew" page. This social engineering attack is not unlike what phishers do when they imitate legitimate online banking websites.

The rogue pages appear to have been created using the "Firefox Updated" site template for Firefox 3.6.7. The regular Flash Player update warning message is displayed, but users don't even have to click the contained link, as a file called ff-update.exe is served for download automatically. This executable is the installer for a fake antivirus called SecurityTool.

"It seems that rogue peddlers have gotten tired of their old tricks in pushing rogueware into the user's system. It used to be a fake scanning page, that leads to a warning, then a fake AV. Now, it comes as the Firefox 'Just Updated' page. […] Somehow the rogue guys couldn't decide if it's going to be Firefox or Flash Player… so it became a little bit of both," security researchers from F-Secure write.

You can follow the editor on Twitter @lconstantin
