In a previous blog we reported on how attackers use social engineering techniques to scare users into purchasing a misleading application. This time around, we have come across a couple of websites that are using a slightly different trick to mislead users.
In order to trick users, these websites used bogus pages that look similar to those presented by security features or technologies when one is about to visit a malicious page. However, it presented a “Download Updates!!” button, unlike Google’s “Get me out of here” button, for example.
Regardless of what browser is used, the user is presented with the same misleading dialog box that seemingly forces the download of Firefox and Chrome updates. This misleading dialog box keeps on popping up, even if the user clicks on cancel button:
The downloaded executable turns out to be a variant of the infamous misleading application called Security Tool. Once executed, it displays exaggerated pop-ups in an attempt to scare users:
Unlike standard misleading application distribution websites, these sites don’t rely only on social engineering tricks to mislead users. If more savvy users don’t download the misleading application executable, then these websites will redirect users to a website that, in turn, further redirects to a malicious website that is hosting the infamous Phoenix exploit kit.
Phoenix is an automated exploit kit that uses heavily obfuscated JavaScript code to evade security products. The Phoenix exploit kit has the following exploits in its armory: • IE MDAC • IE iepeers • IE SnapShot Viewer ActiveX • Adobe Reader and Flash - PDF Collab / printf / getIcon / NewPlayer/LibTiff • Java - HsbParser.getSoundBank and JRE • Windows Help Center (HCP) These exploit kits are used to deliver malware after exploiting a vulnerability, mostly those affecting Web browsers. If users don’t somehow fall victim to this latest browser update trick, then the attackers have the fall back of delivering misleading applications through these exploit kits. Malware authors are employing innovative social engineering tricks to fool users—it’s as simple as that. As always, we encourage users to not click on unverified hyperlinks. Products such as NortonSafeWeb should be used to verify links before clicking on them. In addition, users should download updates from their legitimate vendor’s websites only. The good news is that Symantec customers with updated definitions are protected from this attack.